Commit Graph

9793 Commits

Author SHA1 Message Date
Kareem 4472980738 Code review feedback and minor fixes.
Remove outdated RFC, refactor into single error case, guard against negative/0 len and NULL *data pointer, don't set ownStatus until status is confirmed non-NULL.
2026-05-27 16:54:14 -07:00
Kareem 1e338487db Code review feedback 2026-05-27 16:54:14 -07:00
Kareem a28ea7ac1c NULL *response on error in wolfSSL_d2i_OCSP_RESPONSE.
Thanks to Zou Dikai for the report.
2026-05-27 16:54:14 -07:00
Kareem 872a03a056 Disallow matching URI type in CheckForAltNames.
Thanks to Haruki Oyama (Waseda University) for the report.
2026-05-27 16:54:14 -07:00
Sean Parkinson 713a220fc9 Merge pull request #10426 from JeremiahM37/fenrir-8
protocol correctness, OpenSSL-compat hardening, and sensitive-memory zeroization
2026-05-28 09:48:10 +10:00
Sean Parkinson c92208076f Merge pull request #10374 from kareem-wolfssl/zd21699
Enable all-zero shared secret check for Curve448/25519 by default.  Ensure post_handshake_auth extension was sent before accepting post-handshake CertificateRequest message.
2026-05-28 09:29:49 +10:00
Sean Parkinson 70f8bd9831 Merge pull request #10492 from rizlik/legacy_session_id_bad_client
Add compatibility flag and tests for pre-5.9.0 DTLSv1.3 clients
2026-05-28 08:57:48 +10:00
Sean Parkinson 91f3e7e063 Merge pull request #10332 from jackctj117/SNI
tls.c: send missing_extension alert on TLS 1.3 SNI absence
2026-05-27 08:37:05 +10:00
David Garske 8199fda0a4 Merge pull request #10160 from Roy-Carter/feature/integrate_openssl_comp_fixes
OpenSSL compatibility layer extension
2026-05-26 10:39:14 -07:00
Tobias Frauenschläger 637c07798a Finalize ML-DSA renaming 2026-05-26 14:54:30 +02:00
Marco Oliverio bc574f7930 dtls13: WOLFSSL_DTLS13_5_9_0_COMPAT -> WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID 2026-05-26 09:16:56 +02:00
Marco Oliverio 8f477356ce dtls: add compat flag for buggy pre 5.9.0 DTLSv1.3 clients 2026-05-26 09:15:58 +02:00
Roy Carter 56e4612e4e Fix : apply Julek pr notes 2026-05-22 19:01:05 +03:00
Roy Carter 7561911cba fix: Fix build errors for some tests on pipeline 2026-05-22 19:01:05 +03:00
Roy Carter c1a507e175 Feature: allow the usage of
wolfSSL_alert_type_string
wolfSSL_alert_desc_string
wolfSSL_EVP_DigestSign
wolfSSL_EVP_DigestVerify

in the openssl compatiility layer for wolfssl
2026-05-22 19:01:04 +03:00
Sean Parkinson abe15d260b Merge pull request #10487 from embhorn/zd21842
Add check for ARM to set WOLFSS_USE_ALIGN
2026-05-23 00:11:00 +10:00
Sean Parkinson b1e04464fc Merge pull request #10469 from sebastian-carpenter/tls-ech-server-improvements
Enhancement (ECH): Trial decryption and ECH connection status
2026-05-23 00:07:40 +10:00
Sean Parkinson fc2f4fc7cc Merge pull request #10435 from Frauschi/pqc_default_curve
Improved handling for ClientHello default key share group
2026-05-22 08:13:35 +10:00
Tobias Frauenschläger 2a30ce3c04 Rename ML-DSA wc_PqcSignatureType entry 2026-05-20 09:06:54 -07:00
Eric Blankenhorn 40de65785c Address warning in wolfDTLS_SetChGoodCb 2026-05-19 13:05:12 -05:00
David Garske ec101bae98 Merge pull request #10149 from julek-wolfssl/refactor-middle-padding
Refactor record padding handling to eliminate middle padding pattern
2026-05-18 16:34:10 -07:00
David Garske 064ebaa7b6 Merge pull request #10493 from kareem-wolfssl/zd21852
NULL the correct key in TLSX_KeyShare_ProcessPqcHybridClient when using WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ.
2026-05-18 16:23:58 -07:00
David Garske be67bf88f7 Merge pull request #10436 from Frauschi/mldsa_rename
Rename Dilithium to canonical ML-DSA (FIPS 204) names
2026-05-18 11:44:21 -07:00
David Garske 1ccd462ea1 Merge pull request #10482 from rlm2002/coverity
13052026 Coverity Fixes
2026-05-18 10:35:42 -07:00
Kareem 9467d82ae6 NULL the correct key in TLSX_KeyShare_ProcessPqcHybridClient when using WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ.
Thanks to Haiyang Huang for the report.
2026-05-18 10:25:02 -07:00
David Garske 9096bcc8fa Merge pull request #10393 from JacobBarthelmeh/opensslextra
support build --enable-opensslextra with NO_BIO and NO_FILESYSTEM
2026-05-17 22:33:23 -07:00
David Garske ec2222964f Merge pull request #10481 from padelsbach/x509-set-double-free
Fix double free possibility in wolfSSL_X509_set_ext
2026-05-17 22:26:20 -07:00
David Garske 4c9116c743 Merge pull request #10462 from kareem-wolfssl/zd21507
Fix alert type for missing cert.  Prevent building with RNG disabled and blinding enabled by default.  Enforce bounds for AES CMAC size in verify.
2026-05-17 22:25:09 -07:00
David Garske e7f5c99115 Merge pull request #10398 from julek-wolfssl/fenrir/20260430
Fenrir fixes
2026-05-17 22:21:06 -07:00
Tobias Frauenschläger fb6b62dd8e Rename Dilithium to canonical ML-DSA (FIPS 204) names
NIST standardized the pre-standardization Dilithium signature scheme as
ML-DSA in FIPS 204. Migrate the provider's user-visible surface to
canonical spellings, with a temporary shim that preserves source-level
backward compatibility for existing consumers.

Renames
-------
* File: wolfcrypt/src/dilithium.c -> wolfcrypt/src/wc_mldsa.c
* New canonical header: wolfssl/wolfcrypt/wc_mldsa.h
* Types: dilithium_key -> MlDsaKey, wc_dilithium_params -> MlDsaParams
* Functions: wc_dilithium_* / wc_Dilithium_* -> wc_MlDsaKey_*
* Build gates: HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA,
  WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> WOLFSSL_MLDSA_* / WC_MLDSA_*
* Configure flag: --enable-mldsa (legacy --enable-dilithium still works)
* CMake option: WOLFSSL_MLDSA (legacy WOLFSSL_DILITHIUM emits a
  DEPRECATION message)

Backward compatibility
----------------------
wolfssl/wolfcrypt/dilithium.h is now a temporary compatibility shim:
* Forward-translates legacy build gates to canonical (the two sub-gates
  read by certs_test.h are translated in settings.h so the auto-generated
  header is reachable without including dilithium.h; the remainder lives
  in dilithium.h itself).
* Reverse-translates canonical gates back to legacy so unmigrated
  consumer code keying off HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* keeps
  compiling.
* Provides macro / static-inline aliases for the legacy type and
  function names so source-level callers compile unchanged. Sets
  WC_DILITHIUMKEY_TYPE_DEFINED to suppress strict-C99 typedef
  redefinition in asn_public.h.

Two opt-outs are honored: WOLFSSL_NO_DILITHIUM_LEGACY_GATES disables
build-gate translation; WOLFSSL_NO_DILITHIUM_LEGACY_NAMES disables the
symbol aliases. Both are temporary and the shim will be removed in a
future release. doc/dilithium-to-mldsa-migration.md describes the
migration path for downstream consumers.

ABI note
--------
The library now exports wc_MlDsaKey_* instead of wc_dilithium_*.
Pre-built binaries that linked against the legacy symbols need to
recompile against the shim header (which resolves to the new symbols at
compile time) or migrate to the canonical names directly. Source code
keeps building unchanged.

Other changes
-------------
* wolfssl/wolfcrypt/memory.h: drop ML-DSA sub-gate branching for static
  memory pool sizing; WOLFSSL_HAVE_MLDSA builds now pick the larger
  LARGEST_MEM_BUCKET / WOLFMEM_BUCKETS / WOLFMEM_DIST unconditionally.
  Override these macros for small-mem builds.
* gencertbuf.pl + wolfssl/certs_test.h: outer guards migrated to the
  canonical WOLFSSL_HAVE_MLDSA spelling.
* tests/api/test_mldsa.c: adds compile-time API surface validators
  (canonical wc_MlDsaKey_* surface plus legacy alias surface) so
  signature drift produces a build error during make check.
* IDE files (Xcode, INTIME-RTOS, WIN10, VS2022, CSharp wrapper), Zephyr
  CMakeLists.txt, and autotools include.am updated for the rename.
* DYNAMIC_TYPE_DILITHIUM and ML_DSA_PCT_E retained as internal symbols;
  scheduled to be renamed alongside the eventual shim removal.
2026-05-16 09:48:35 -05:00
Tobias Frauenschläger 5915e39b7f Add WOLFSSL_KEY_SHARE_DEFAULT_GROUP for ClientHello key share default
Decouples the speculative key share group from preferredGroup[0]. The new
macro prefers widely deployed groups (PQ/T hybrids with X25519 or SECP256R1,
then SECP256R1/X25519/SECP384R1, then FFDHE 2048/3072) to reduce the chance
of a HelloRetryRequest, and falls back to preferredGroup[0] for
configurations not covered explicitly. Users can override the default via
user_settings.h or a manually passed -DWOLFSSL_KEY_SHARE_DEFAULT_GROUP=x via
autoconf.

Furthermore, an empty key_share is now sent when the user's group list does
not intersect preferredGroup[], keeping TLS 1.3 negotiation alive instead
of allowing a silent TLS 1.2 downgrade or handshake failure due to a
missing key share extension.
2026-05-16 10:41:27 +02:00
Tobias Frauenschläger 9b0ea68ab8 Minor refactoring in TLSX_PopulateExtensions 2026-05-16 10:41:27 +02:00
Tobias Frauenschläger 9f85d21ee3 Align preferredGroup array with TLSX_PopulateSupportedGroups() 2026-05-16 10:41:27 +02:00
JacobBarthelmeh c0ba788cb1 support of NO_BIO and NO_FILESYSTEM build with opensslextra 2026-05-15 10:37:46 -06:00
Kareem 6c14129b16 Send correct alert type when server requests certificate and client has none set.
Thanks to Cal Page for the report.
2026-05-14 12:45:17 -07:00
Jeremiah Mackey a3baac7dbe zero sensitive material before free 2026-05-14 16:59:48 +00:00
Jeremiah Mackey c61fa7d633 honor OpenSSL fail-open contracts 2026-05-14 16:59:12 +00:00
Jeremiah Mackey a5ee9604c7 tls13: alert illegal_parameter for ctx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey b023a719b1 dtls13: fix window and rtx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey 88fde0fff7 fix copy-paste constant mismatches 2026-05-14 16:59:12 +00:00
David Garske d0073d9e5c Merge pull request #10326 from sebastian-carpenter/tls-ech-maxnamelen
Add maximum_name_length to TLS ECH padding
2026-05-14 09:15:38 -07:00
Paul Adelsbach 645996e8ed Fix double free possibility in wolfSSL_X509_set_ext 2026-05-14 07:12:27 -07:00
Juliusz Sosinowicz fd91f681e5 Fail closed in CheckOcspRequest when ocspCheckAll and no URL
CheckOcspRequest used to return CERT_GOOD whenever a certificate
lacked an AIA extension and no override URL was configured, with
the rationale 'Cert has no OCSP URL, assuming CERT_GOOD'. That is
a fail-open soft-fail: an operator who turned on
WOLFSSL_OCSP_CHECKALL expecting every certificate in the chain to
be revocation-checked would still silently accept a certificate
that omits its OCSP responder URL, letting a misconfigured (or
attacker-controlled) issuer bypass revocation for non-stapled
flows.

Gate the fail-open path on cm->ocspCheckAll. When the caller has
asked for full-chain OCSP checking, return OCSP_NEED_URL so the
chain is refused. The legacy behavior is preserved when
ocspCheckAll is not set, keeping the soft-fail default for plain
WOLFSSL_OCSP_ENABLE users.

F-3227
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz ed4f4ce826 Document SNI per-host policy gap in wolfSSL_set_SSL_CTX
wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an
SNI callback uses to swap in the per-vhost certificate during the
handshake. By design it only copies the certificate chain and
private key from the new CTX. Verification settings, the trusted
CA store, CRL/OCSP configuration, minimum key-size requirements,
and cipher/version policy stay attached to the original CTX. For
multi-tenant servers where each virtual host has its own security
policy, that means one host's verification rules silently apply
to a connection meant for another.

Expand the leading comment with an explicit SECURITY WARNING
that lists the settings which are NOT inherited and points at the
WOLFSSL*-level setters callers must use inside the SNI callback
when virtual hosts have different policies. The behavior of the
function is unchanged.

F-2902
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 130f683d8c Validate minDowngrade in wolfSSL_SetSession before reusing version
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL's configured
minDowngrade. The overwritten version then fed straight into
SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising e.g. TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.

Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.

F-2105
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 425d3e9628 Make DoClientTicketCheckVersion DTLS-aware
DTLS minor versions decrease as the protocol version increases
(DTLS 1.0=0xFF, DTLS 1.2=0xFD, DTLS 1.3=0xFC), but the ticket
version comparisons in DoClientTicketCheckVersion used the TLS
direction unconditionally. As a result a DTLS server resuming a
session ticket from a different DTLS version could land on the
wrong branch: a ticket from a newer DTLS version would be treated
as a downgrade instead of being rejected, and a ticket from an
older DTLS version would be flagged as 'greater version' and
refused outright. The minDowngrade check at the bottom had the
same inversion bug.

Branch on ssl->options.dtls so the greater-version, lesser-version,
and minDowngrade comparisons all use the right direction for the
active protocol family. TLS behavior is unchanged.

F-1828
2026-05-14 14:07:26 +02:00
Juliusz Sosinowicz 9d77c217f2 Stop suppressing OCSP_CERT_REVOKED in server stapling path
Server-side OCSP stapling was unconditionally folding
OCSP_CERT_REVOKED, OCSP_CERT_UNKNOWN, and OCSP_LOOKUP_FAIL into a
success result so a stapling failure would not break the handshake.
OCSP_CERT_REVOKED, however, is an explicit positive assertion of
revocation by the responder and must not be ignored: silently
suppressing it lets a server keep advertising a revoked certificate
to clients that rely on stapling for revocation status.

Drop OCSP_CERT_REVOKED from the suppression list in
CreateOcspResponse, the CSR2_OCSP_MULTI handler in
SendCertificateStatus, and ProcessChainOCSPRequest. Continue
suppressing OCSP_CERT_UNKNOWN and OCSP_LOOKUP_FAIL, which are true
soft-fail responder conditions where the responder cannot answer.

F-1820
2026-05-14 14:07:26 +02:00
Juliusz Sosinowicz 0b1b158fe2 Add a test for multi-message TLS records 2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz b88eb32c1d Guard against unsigned underflow in inputLength calculation
Add bounds check before computing inputLength from curStartIdx + curSize
to prevent unsigned underflow if *inOutIdx ever exceeds the record
content boundary.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 38bd87591f Use curSize for content-only input length in handshake/ack handlers
Since ProcessReply already reduces curSize by padSz after decryption,
use curStartIdx + curSize to bound content data instead of recomputing
it from buffer.length - padSz. This removes three more padSz references
from message processing code.
2026-05-14 13:10:13 +02:00