Commit Graph

30153 Commits

Author SHA1 Message Date
David Garske 29f14ed2ee Merge pull request #10582 from julek-wolfssl/fenrir-20260602
Fenrir 2026-06-02: TLS/DTLS correctness, resumption & renegotiation safety fixes
2026-06-11 15:29:51 -07:00
David Garske 74c3b50080 Merge pull request #10669 from night1rider/Zephyr-4-4-0-PRB-fix
Switch to use merge branch for PR testing instead of HEAD Branch
2026-06-11 15:29:27 -07:00
night1rider aa7b7defba Switch to use merge branch for PR testing instead of HEAD Branch 2026-06-11 15:57:29 -06:00
Aidan Keefe 744d25fdc3 Merge pull request #10648 from aidankeefe2022/fix-Der-to-Oid-coversion
Fix EncodedDottedForm to handle when first arc is 2
2026-06-11 15:12:53 -06:00
Juliusz Sosinowicz e68cc75ecd F-5813: clarify BuildMessage sequence-number wrap comment
The sequence number 2^64-1 is itself RFC 5246 6.1-legal; only the wrap to 0
is forbidden. GetSEQIncrement reads the current counter then post-increments
it, so the check refuses the final legal sequence number to avoid the
wrapping post-increment. Document that this last value is deliberately
sacrificed rather than implying 2^64-1 is itself unusable.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 108afdf1c3 F-5633: use explicit NULL comparison in FreeCiphers
Use the project's preferred `ptr != NULL` form for the new DTLS 1.3 ChaCha
record-number zeroization guards instead of relying on truthiness.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 5e76c66977 F-5818: don't invalidate the session on an unauthenticated alert
DoAlert evicted the cached session from the fatal-alert handling that runs
before the plaintext-under-encryption validation, so a forged TLS 1.3
plaintext alert injected on an established connection evicted the session
(forcing a full handshake on reconnect) even though the alert is then
rejected as PARSE_ERROR. The unexpected_message teardown sent in response
also evicted through the SendAlert hook.

Move the receive-side eviction past the validation, into the branch that
processes a genuine alert, and have InvalidateSessionOnFatalAlert refuse to
evict for a TLS 1.3 plaintext alert received while encryption is on (the
current record was not decrypted) - covering both the receive path and the
unexpected_message teardown sent in response. RFC 8446 6.2 does not require
TLS 1.3 invalidation, so this loses nothing; TLS 1.2 (RFC 5246 7.2.2) is
unaffected.
2026-06-11 19:22:35 +00:00
Juliusz Sosinowicz 2352d73f7f F-5811: defer resumed-session consistency checks to confirmed resumption
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.

Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.

Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
2026-06-11 19:22:35 +00:00
David Garske bd78a42e9a Merge pull request #10097 from kareem-wolfssl/gh9936
Define HAVE_LIMITS_H in options.h rather than config.h.
2026-06-11 10:25:41 -07:00
David Garske 4b8fd23ae7 Merge pull request #10606 from miyazakh/fix_tls_bench_dtls
fix tls_bench DTLS mode failures
2026-06-11 10:12:45 -07:00
David Garske 262a2e199a Merge pull request #10662 from Frauschi/zephyr_4_4_fixes
Fixes for Zephyr 4.4
2026-06-11 09:51:11 -07:00
David Garske e0324866bc Merge pull request #10654 from douzzer/20260610-ssl_api_ext-revert-ret-cascades
20260610-ssl_api_ext-revert-ret-cascades
2026-06-11 09:49:08 -07:00
philljj b1330f75d9 Merge pull request #10658 from douzzer/20260608-linuxkm-fenrir
20260608-linuxkm-fenrir
2026-06-11 11:19:46 -05:00
Tobias Frauenschläger c73afe67a5 Fixes for Zephyr 4.4 2026-06-11 13:33:27 +02:00
Hideki Miyazaki 20dadc8d86 Addressed code review 2026-06-11 08:38:00 +09:00
Daniel Pouzzner 486e8eefc0 .wolfssl_known_macro_extras: fix lexical order. 2026-06-10 17:32:20 -05:00
Daniel Pouzzner 0f3d3bedb0 fix F-5334: AEAD decrypt accepts ciphertext shorter than authentication tag before unsigned length subtraction 2026-06-10 17:28:06 -05:00
Daniel Pouzzner e98a03b80e fix F-3524: Heap Buffer Overflow in km_direct_rsa_dec When req->dst_len < ctx->key_len 2026-06-10 17:28:06 -05:00
Daniel Pouzzner 1e888383bb fix F-3025: Missing buffer-length validation in km_ecdh_decode_secret enables out-of-bounds read 2026-06-10 17:28:06 -05:00
Daniel Pouzzner 9b723b9e11 fix F-3024: Missing buffer-length validation in km_dh_decode_secret enables out-of-bounds read 2026-06-10 17:28:05 -05:00
Daniel Pouzzner b4139b1a90 fix F-706: AES-CTR and AES-OFB Encrypt Leak Aes Context Containing Key Schedule on skcipher_walk_done Error 2026-06-10 17:28:05 -05:00
Daniel Pouzzner afc2137351 fix F-682: Incorrect tolower/toupper Macros Produce Wrong Results for Non-Alpha Characters 2026-06-10 17:28:05 -05:00
Daniel Pouzzner c9cc79f9ae cleanup inspired by false positive F-675: AES-CTR and AES-OFB Modes Bypass WC_C_DYNAMIC_FALLBACK Selection Logic 2026-06-10 17:28:05 -05:00
Daniel Pouzzner da1b7fe236 fixes for F-674: Non-Constant-Time memcmp in RSA PKCS#1 v1.5 Signature Verification 2026-06-10 17:28:05 -05:00
Daniel Pouzzner ad98438baa fixes for
F-5335: ECDH overflow paths do not report the required output length
F-5336: RSA PKCS#1 overflow paths do not report the required output length
2026-06-10 17:28:05 -05:00
Daniel Pouzzner 67c1d65ef7 fixes for
F-2554 Missing wc_ecc_free Before free in km_ecdh_init When wc_ecc_set_rng Fails
F-2555 Missing wc_FreeDhKey Before free in km_ffdhe_init When wc_DhSetNamedKey Fails
2026-06-10 17:28:05 -05:00
Daniel Pouzzner 05fc258ca2 fix F-1423: AES-XTS Encrypt/Decrypt Missing skcipher_walk Cleanup on 6 Early-Return Error Paths 2026-06-10 17:28:05 -05:00
Daniel Pouzzner 19a9670aaa fix F-1234: IS_ERR Used on NULL-Returning Kernel Crypto Request Allocation Functions. 2026-06-10 17:28:05 -05:00
Sean Parkinson 63fd322382 Merge pull request #10641 from rlm2002/zd21890
Fixes for SM2/3 and FindMultiAttrib
2026-06-11 08:01:20 +10:00
David Garske d56fa7972d Merge pull request #10639 from julek-wolfssl/fix-current-cipher-kx-nid
Fix cipher property NIDs for SSL_get_current_cipher and add PSK kx mapping
2026-06-10 14:50:02 -07:00
Juliusz Sosinowicz 748678715a F-5807: extend EMS resumption check to ticket resumption
Address review on PR #10582:

- The client-side extended_master_secret consistency check skipped all
  session-ticket resumptions, leaving a generic ticket resumption open to
  an undetected EMS downgrade by a malicious server or MITM. The client
  retains the EMS state for ticket sessions too (SetupSession), so the
  check now applies to ticket resumption as well, mirroring the adjacent
  cipher-suite check. Only EAP-FAST style resumption - where the
  session-secret callback supplies the master secret for an opaque PAC
  ticket - is exempt, matched precisely via ssl->sessionSecretCb just as
  the callback invocation in DoServerHello does.

- Add test_tls_ems_resumption_server_downgrade, exercising the
  client-direction downgrade (server resumes but omits EMS from its
  ServerHello) for both session-ID and session-ticket resumption. This
  client-side branch previously had no test coverage.
2026-06-10 20:50:51 +00:00
Aidan Keefe b810bba09b added case to handle when second arc of byte encoding is greater than 39 when first arc is 2 2026-06-10 12:39:18 -06:00
Kareem 1b78eff3cd Revert moving SIZEOF_LONG and SIZEOF_LONG_LONG to fix a build issue with Windows FIPS ready. Instead add detection for SIZEOF_LONG == 8 in types.h. 2026-06-10 11:19:10 -07:00
Kareem d3d5824bcb Fix HAVE_LIMITS_H definition in CMake. Also move SIZEOF_LONG and SIZEOF_LONG_LONG definitions to options.h. 2026-06-10 11:19:10 -07:00
Kareem d263987bfd Move HAVE_LIMITS_H outside of WOLFSSL_OPTIONS_IGNORE_SYS. 2026-06-10 11:19:10 -07:00
Kareem a11ab0e46b Define HAVE_LIMITS_H in options.h rather than config.h since types.h depends on this definition and config.h isn't consistently available at runtime.
Fixes #9936.
2026-06-10 11:19:10 -07:00
David Garske fdfb0a9fe7 Merge pull request #10627 from julek-wolfssl/fenrir-fixes-20260601-dtls13-recv-epoch
F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side
2026-06-10 10:06:26 -07:00
David Garske 10e2afa20a Merge pull request #10595 from miyazakh/f5381_RSASSA-PSS_trailerField
f5381 enforce trailerField==1 in DecodeRsaPssParams
2026-06-10 10:05:22 -07:00
Daniel Pouzzner 37511b484e tests/api/test_ssl_cert.c, tests/api/test_ssl_ext.c, tests/api/test_ssl_pk.c: add missing gates on !NO_TLS. 2026-06-10 12:05:00 -05:00
Daniel Pouzzner 4ce3baa307 wolfssl/ssl.h: add !NO_TLS gate around prototypes for wolf*_{client,server}_method*() to induce compile-time failures for TLS/SSL usage in NO_TLS configurations. 2026-06-10 12:05:00 -05:00
Daniel Pouzzner 03825c17f8 src/ssl_api_ext.c and src/ssl_api_pk.c: restore early BAD_FUNC_ARG returns that were refactored away in 359e688dc3, fixing null pointer deref regression in wolfSSL_UseALPN() (possibly others too). 2026-06-10 12:05:00 -05:00
David Garske 73f78dd3cb Merge pull request #10646 from ColtonWilley/openwrt-ci-tls-reset
Docker/OpenWrt: accept exit 4 or 5 in negative TLS tests
2026-06-10 09:56:41 -07:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00
David Garske 953467875f Merge pull request #10560 from philljj/fix_dh_agree
dh: fix subgroup check in wc_DhAgree.
2026-06-10 09:13:31 -07:00
David Garske 760392f403 Merge pull request #10636 from embhorn/zd21942
Harden PKCS#7 FlattenEncodedAttribs
2026-06-10 08:57:39 -07:00
David Garske 791224b3c5 Merge pull request #10632 from Frauschi/fenrir
Fenrir fixes
2026-06-10 08:14:30 -07:00
Tobias Frauenschläger 11270fc465 Check for EC_PF_UNCOMPRESSED in TLS 1.2 ClientHello
Fixes F-4892
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger e407dba23b Improve supported_groups handling
Fixes F-4891
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger e1413a177f Add missing ForceZero() calls
Fixes F-5437 and F-5438
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c01152d35a Minor fix in liboqs GetRandomData
Fixes F-4443
2026-06-10 11:37:40 +02:00