Commit Graph

4068 Commits

Author SHA1 Message Date
JacobBarthelmeh 68a1f6f756 remove special characters, use simple ASCII characters 2026-03-06 17:30:48 -07:00
JacobBarthelmeh 013e2c8fdf remove special characters, use simple ASCII characters 2026-03-06 17:22:25 -07:00
Daniel Pouzzner b08f959412 tests/api/test_ocsp.c: don't build test_ocsp_cert_unknown_crl_fallback and related helpers if NO_SHA. 2026-03-06 17:01:40 -06:00
Tobias Frauenschläger a2622746cd Error out in case of unknown extensions in response message in TLS 1.3 2026-03-06 17:09:49 +01:00
Juliusz Sosinowicz 1537f83c24 Enforce null compression in compression_methods list`
F-365
2026-03-06 16:56:09 +01:00
Juliusz Sosinowicz fb82496244 Add Python CI workflow and Blake2 EVP support
- Add a GitHub Actions workflow to automate testing of Python integration
- Implement Blake2b and Blake2s hash functions into the EVP API.
- Improve OpenSSL compatibility by standardizing ASN.1 encoding for
serial numbers and registered IDs, streamlining cipher stack management, and optimizing stack node copying.
- Enforce maximum fragment size during data transmission to ensure proper TLS/DTLS record fragmentation.
2026-03-06 08:27:41 +01:00
Hideki Miyazaki cfb7f35e72 fix lareger(>57 octets) crlnum 2026-03-06 10:51:54 +09:00
Daniel Pouzzner ed8f67cb37 Merge pull request #9858 from JacobBarthelmeh/ticket
additional sanity check with session ticket size
2026-03-05 16:35:51 -06:00
Daniel Pouzzner 63bee12c92 Merge pull request #9875 from Frauschi/f-158
Treat alerts as fatal errors regardless of level in TLS1.3
2026-03-05 16:06:40 -06:00
Daniel Pouzzner 663187150e Merge pull request #9878 from embhorn/f377
Fix checkPad to test for zero padding
2026-03-05 15:38:54 -06:00
Daniel Pouzzner 13c02b92b2 Merge pull request #9839 from padelsbach/crl-enhancements-ossl
CRL enhancements for revoked entries
2026-03-05 15:35:53 -06:00
Daniel Pouzzner ff493c2979 Merge pull request #9834 from padelsbach/padelsbach/finding-23
Fix OCSP->CRL fallback
2026-03-05 15:33:25 -06:00
JacobBarthelmeh 37e3a8f3bd fix for sanity checks on serial input 2026-03-05 14:23:44 -07:00
Daniel Pouzzner c65e3e50fd Merge pull request #9825 from embhorn/zd21240
Fix issue in TLS_hmac size calculation
2026-03-05 15:16:47 -06:00
Daniel Pouzzner 178f96c483 Merge pull request #9854 from sameehj/rsa-pss-fix
Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
2026-03-05 15:03:46 -06:00
Daniel Pouzzner 26e2f05bfd Merge pull request #9848 from Frauschi/dtls_hrr_group
Fix for DTLS1.3 HRR group handling
2026-03-05 15:02:16 -06:00
Tobias Frauenschläger 11fc781d0d Treat alerts as fatal errors regardless of level in TLS1.3 2026-03-05 18:21:02 +01:00
Eric Blankenhorn 998967ea41 Fix review feedback 2026-03-05 08:51:52 -06:00
Eric Blankenhorn 7f487b9869 Fix checkPad to test for zero padding 2026-03-05 08:32:18 -06:00
Paul Adelsbach 569a96fbd2 Fix for C++ compilers 2026-03-04 15:01:08 -08:00
Paul Adelsbach 22d7550f8e CRL enhancements for revoked entries 2026-03-04 14:53:28 -08:00
Daniel Pouzzner f04e6e8718 tests/api.c and tests/api/test_pkcs7.c: fixes for CFLAGS="-Og" --enable-all (PRB-single-flag.txt line 3). 2026-03-04 14:46:20 -06:00
JacobBarthelmeh be245dc4d7 adjust macro guard on test case 2026-03-04 11:20:08 -07:00
JacobBarthelmeh 6b3dec4898 additional sanity check on number of groups passed to set groups function 2026-03-04 10:20:09 -07:00
JacobBarthelmeh e7e1d0e5f7 adjust test for edge case builds 2026-03-04 10:01:45 -07:00
Tobias Frauenschläger 7842bf30f4 Fix for DTLS1.3 HRR group handling
When a server uses a HRR to negotiate the key exchange group to use, the
selected group is advertised in the HRR key share extension.
Furthermore, this group is also stored in the Cookie that is sent to the
client. When the server receives the second CH, the group used in the
key share extension MUST be the one of the HRR.

For stateless DTLS servers, the handling of this check had a bug. The
key share group of the HRR is stored in the ssl->hrr_keyshare_group
variable and is checked against the received key share of the second CH.
However, in the stateless server case, another CH message may be
received inbetween the two CH message of the desired client, potentially
overwriting the ssl->hrr_keyshare_group variable. This then causes
handshake failures when the ssl->hrr_keyshare_group variable contains
another group than the second CH message of the desired client.

To fix this, the following changes are conducted:
1. Disable the ssl->hrr_keyshare_group check for stateless DTLS 1.3
   servers. As long as the server is stateless, CHs from multiple
   clients may be received that individually cause HRRs with different
   groups. For each of these clients, the HRR group is properly stored
   in the cookie.
2. When a valid cookie is received from the client, the server becomes
   stateful. In this case, we now parse the cookie for a stored HRR
   group in the RestartHandshakeHashWithCookie() method. If present,
   we restore the ssl->hrr_keyshare_group variable to this group to
   ensure the error checks succeed.
3. Move the check of ssl->hrr_keyshare_group of the the KeyShare
   extension parsing logic into the general TLS1.3 ClientHello parsing
   after extension handling. This ensures that the order of the cookie
   and key share extensions does not matter.

A new test is added to check for this behavior.
2026-03-04 15:58:45 +01:00
Sameeh Jubran 441bcbb680 Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
RSA-PSS signed certificates contain a valid RSA public key that can be
used for key transport, but wc_PKCS7_AddRecipient_KTRI and the
EnvelopedData/AuthEnvelopedData encode paths rejected them because they
only checked for RSAk. Allow RSAPSSk to fall through to the RSAk key
transport path, and always use RSAk as the KeyEncryptionAlgorithmIdentifier
since the operation is RSA encryption, not RSA-PSS signing.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-03-04 12:24:08 +02:00
JacobBarthelmeh a4c4740ea8 additional sanity check with session ticket size 2026-03-04 00:17:42 -07:00
JacobBarthelmeh 5a26692ee9 Merge pull request #9818 from julek-wolfssl/sssd-2.10.2
sssd 2.10.2 changes
2026-02-26 16:23:00 -07:00
Sean Parkinson b9838aa563 Merge pull request #9711 from julek-wolfssl/nginx-1.28.0
nginx 1.28.1 fixes
2026-02-27 08:39:10 +10:00
Eric Blankenhorn 1cdb2974a9 Fix test cleanup 2026-02-26 14:51:49 -06:00
JacobBarthelmeh 85228f088e Merge pull request #9824 from embhorn/zd21239
Fix issues in TLS Extension size calculations
2026-02-26 13:47:54 -07:00
Paul Adelsbach ebda79fadb Fix OCSP->CRL fallback 2026-02-26 11:44:50 -08:00
JacobBarthelmeh ba859d21fa Merge pull request #9817 from LinuxJedi/static-fixes4
Static code analysis fixes
2026-02-26 12:03:24 -07:00
Eric Blankenhorn e6a4cb232c Fix issue in TLS_hmac size calculation 2026-02-26 10:26:20 -06:00
Eric Blankenhorn be7f934157 Add test case 2026-02-26 10:18:31 -06:00
Juliusz Sosinowicz fe85ca643a Add test for EC_POINT_dup 2026-02-26 15:18:36 +01:00
JacobBarthelmeh 76816a0e11 Merge pull request #9823 from embhorn/zd21242
Add sanity checks in key export
2026-02-25 14:38:46 -07:00
JacobBarthelmeh e317aa2b70 Merge pull request #9827 from embhorn/zd21241
Fix cert chain size issue
2026-02-25 14:30:58 -07:00
JacobBarthelmeh ee616b4774 Merge pull request #9828 from rizlik/sigalgofix
tls13: don't create a new suite in CertificateRequest, fallback to WOLFSSL_SUITES(sa->ssl)
2026-02-25 14:08:09 -07:00
Eric Blankenhorn 41ebc92fa5 Replace macros from stdint.h with literals to make code more generic 2026-02-25 09:00:57 -06:00
Eric Blankenhorn 4f8f11bcba Add test case 2026-02-25 09:00:57 -06:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
Marco Oliverio 20eeba3d89 test: tls13: add wolfSSL_set1_sigalgs_list test 2026-02-25 12:10:48 +01:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
Eric Blankenhorn 5536ecf026 Fix issue from review 2026-02-24 12:43:46 -06:00
Eric Blankenhorn 2ae3164c6f Fix cert chain size issue 2026-02-24 09:27:42 -06:00
Tobias Frauenschläger 96fc896265 Wdeclaration-after-statement fixes 2026-02-24 16:20:10 +01:00
Andrew Hutchings 599eec673e Fix ImportKeyState wordAdj always-zero bug in DTLS session import
In ImportKeyState(), wordAdj was always zero because it was computed
after clamping wordCount, and the subtraction direction was reversed.
This caused misaligned parsing of all subsequent fields when importing
state from a peer compiled with a larger WOLFSSL_DTLS_WINDOW_WORDS.

Fix both window and prevWindow blocks to compute the adjustment before
clamping, with the correct subtraction direction.

Add test that imports a state buffer with wordCount > WOLFSSL_DTLS_WINDOW_WORDS
to verify the fix.
2026-02-23 16:52:52 +00:00
Andrew Hutchings af329b38a8 Fix heap buffer over-read in wolfSSL_select_next_proto
Add missing bounds validation in wolfSSL_select_next_proto. Three
issues fixed:

1. Outer loop: no check that length byte + position stays within inLen,
   allowing XMEMCMP to read past the server protocol list buffer.

2. Inner loop: same missing check for clientNames/clientLen boundary.

3. No-overlap fallback unconditionally dereferences clientNames[0] even
   when clientLen is 0, and returns an outLen that may exceed the buffer.

Also reject zero-length protocol entries (invalid per RFC 7301) to
prevent infinite loops.

Add unit test test_wolfSSL_select_next_proto with 8 cases covering NULL
params, normal match, no overlap, malformed length overruns, zero-length
entries, and empty client lists.
2026-02-23 16:52:52 +00:00