Commit Graph

458 Commits

Author SHA1 Message Date
Sean Parkinson 0b88017e20 Merge pull request #10181 from embhorn/zd21567
Fix ReqCertFromX509 to check bounds
2026-04-15 09:01:25 +10:00
Sean Parkinson 409b5fcf38 Merge pull request #10172 from embhorn/zd21568
Fix pkcs12 parse issue
2026-04-15 09:00:12 +10:00
Sean Parkinson 14ebd3d649 Merge pull request #10170 from embhorn/zd21566
Fix partial chain verification
2026-04-15 08:58:28 +10:00
David Garske e3e95c0454 Merge pull request #10213 from SparkiDev/api_test_cipher_algs_2
Unit testing: Add Monte Carlo testing to ciphers
2026-04-14 13:05:08 -07:00
Eric Blankenhorn 68b3bbb16f Fix from review 2026-04-14 07:47:29 -05:00
Eric Blankenhorn 2b503dae54 Fix from review 2026-04-14 07:41:30 -05:00
Eric Blankenhorn a6fd25b94e Fix partial chain verification 2026-04-14 07:25:11 -05:00
Sean Parkinson 59a17dd598 Unit testing: Add Monte Carlo testing to ciphers
Monte Carlo testing is randomized test data.
These new tests have random keys, IVs, nonce, etc and random data to
encrypt.
100 sets of random test data are encrypted and decrypted with a check to
ensure the input to encrypt is the same as the output of decrypt.
Tags are generated and checked in the calls to encrypt and decrypt.
2026-04-14 13:25:15 +10:00
Sean Parkinson 649a32fd6e Merge pull request #10169 from embhorn/zd21565
Fix for peer cert verify with IP address
2026-04-14 08:21:23 +10:00
Eric Blankenhorn 33310010a9 Fix wolfSSL_sk_X509_OBJECT_deep_copy to check bounds 2026-04-13 17:02:51 -05:00
Eric Blankenhorn 863db50318 Fix word32 truncation and add true regression test for PKCS12 OOB read 2026-04-13 16:05:51 -05:00
Eric Blankenhorn 4cb016f434 Fix pkcs12 parse issue 2026-04-13 15:11:15 -05:00
David Garske b17755b63f Merge pull request #10164 from rizlik/bio
BIO improvements and fixes
2026-04-13 12:40:02 -07:00
David Garske a143369522 Merge pull request #10138 from padelsbach/cobalt-fixes-2026-04-06
Use size_t in wolfSSL_strnstr and reject negative indices in mp_get_digit
2026-04-13 12:37:59 -07:00
David Garske c36beba9b7 Merge pull request #10174 from SparkiDev/api_test_cipher_algs_1
API testing additions: cipher tests
2026-04-13 09:54:23 -07:00
Sean Parkinson a50a5403a7 Merge pull request #10199 from douzzer/20260412-clang-23_pre20260331
20260412-clang-23_pre20260331
2026-04-13 10:39:11 +10:00
Sean Parkinson 0434139967 Merge pull request #10186 from Frauschi/f-159
Error out in case of unknown extensions in response message in TLS 1.3
2026-04-13 09:18:46 +10:00
David Garske 3d4e929869 Merge pull request #10173 from SparkiDev/init_cert_sha1
Initialize certificate: default to SHA-1 when necessary
2026-04-12 14:46:53 -07:00
Daniel Pouzzner 1b692b8063 fixes for clang -Wunused-but-set-globals (coverage added by LLVM 23_pre20260331). 2026-04-12 12:07:33 -05:00
David Garske ae0a3877ca Merge pull request #10122 from miyazakh/f-1370_SigGetSize
F-1370 : Tighten key_len check from `>=` to `==`
2026-04-10 14:27:16 -07:00
Paul Adelsbach 6f7e5d030b Use size_t in wolfSSL_strnstr and reject negative indices in mp_get_digit 2026-04-10 10:48:17 -07:00
Tobias Frauenschläger b0763ea4d1 Error out in case of unknown extensions in response message in TLS 1.3 2026-04-10 17:43:35 +02:00
Tobias Frauenschläger 062ef3e93b Remove some duplicate CI tests 2026-04-10 12:50:24 +02:00
Sean Parkinson b764aac074 API testing additions: cipher tests
Fixed wc_AesEaxAuthDataUpdate to check eax for NULL before
dereferencing.

Fix AesSivCipher to delete/free AES if new/initialization succeeded.
Memsetting to 0 doesn't work when WC_DEBUG_CIPHER_LIFECYCLE is defined.

Added tests for:
 - AES-EAX streaming
 - AES-SIV
 - Poly1305
 - DES-CBC
2026-04-10 15:43:21 +10:00
Sean Parkinson ecd925f10e Initialize certificate: default to SHA-1 when necessary
Make SHA-1 with RSA signature type the last option.
SHA-1 signatures are deprecated as weak.
2026-04-10 07:58:37 +10:00
Sean Parkinson abfff1ec2f Merge pull request #10167 from embhorn/zd21571
Fix ETM on resumption
2026-04-10 07:45:20 +10:00
Eric Blankenhorn 4d79d1efd9 Improve tests 2026-04-09 16:24:12 -05:00
David Garske 8059fbdbe8 Merge pull request #10129 from rlm2002/coverity_fix
03042026 Coverity tests fix
2026-04-09 13:35:36 -07:00
Eric Blankenhorn 31eb54f950 Fix from review 2026-04-09 11:32:47 -05:00
Eric Blankenhorn 191b827579 Fix from review 2026-04-09 10:14:45 -05:00
Eric Blankenhorn b218b29403 Fix from review 2026-04-08 16:13:23 -05:00
Eric Blankenhorn 1e1e34ce8c Fix for peer cert verify with IP address 2026-04-08 15:47:57 -05:00
Eric Blankenhorn af5369636a Fix ETM on resumption 2026-04-08 15:06:11 -05:00
Marco Oliverio 5107613025 bio: add tests 2026-04-08 18:49:40 +02:00
Marco Oliverio 7802a75acd bio: various fixes and improvements
* simplify wolfSSL_BIO_set_conn_hostname, fixing OOB read
* restructure wolfSSL_BIO_ctrl_pending, fixing inverted check and
* ctrlCB checking
* return WOLFSSL_FAILURE in wolfSSL_BIO_up_ref when refInc fails,
  updated test to reflect this
* check arguments for NULL in wolfSSL_BIO_ADDR_size
* replace non-portable type long usigned int with size_t
* wolfSSL_BIO_MEMORY_write: return WOLFSSL_BIO_ERROR on failure instead
  of WOLFSSL_FAILURE, return 0 when len is 0
* wolfSSL_BIO_get_fp: fix type mismatch comparing XFILE* pointer against
  XBADFILE
* wolfSSL_BIO_ctrl: add NULL check on bio before switch
* wolfSSL_BIO_pop: clear bio prev and next pointers after unlinking
* wolfSSL_BIO_gets: place null terminator after actual bytes read from
  BIO_BIO nread
2026-04-08 18:49:40 +02:00
Hideki Miyazaki e3fd4cc24d fix f-1370 key_len size check for void* in wc_SignatureGetSize 2026-04-08 17:07:42 +09:00
Daniel Pouzzner 60d1e222b2 globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
JacobBarthelmeh 7aac9e5766 Merge pull request #10139 from philljj/fix_nightly_mem
Fix nightly mem
2026-04-07 09:08:01 -06:00
Daniel Pouzzner 9347c895fc Merge pull request #10133 from Frauschi/ecc_curve_validation
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner 32502e9963 Merge pull request #10102 from Frauschi/zd21460
Various fixes
2026-04-06 18:41:31 -05:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
jordan f48fd9595d test_pkcs7: use XFREE instead of free. 2026-04-06 13:53:11 -05:00
Daniel Pouzzner abce5be989 wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:
* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>
2026-04-06 00:53:57 -05:00
Ruby Martin 5e79661aa3 prevent resource leak if ASN1_INTEGER_to_BN() != null if expected 2026-04-03 17:13:29 -06:00
Ruby Martin f59d50f18a bound notBeforeDataEnd with origSz 2026-04-03 17:12:27 -06:00
Daniel Pouzzner 0c9b6397be Merge pull request #10103 from gasbytes/fix-dtls13-oversized-cert-chain
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains
2026-04-03 11:55:03 -05:00
Reda Chouk 1653ecd07e Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains 2026-04-03 12:10:42 +02:00
Tobias Frauenschläger e5ab7fa745 x509: fix CA:FALSE bypass in wolfSSL_X509_verify_cert
When an untrusted issuer has CA:FALSE and no verify_cb is registered,
the !isCa branch now fails closed (ret=WOLFSSL_FAILURE, goto exit)
instead of falling through and skipping X509StoreVerifyCert for the
leaf. SetupStoreCtxError_ex is also hardened to never overwrite a
previously recorded error with success, preventing a later valid chain
link from clobbering ctx->error back to X509_V_OK. Tests added for
both the no-callback rejection and the error-preservation cases.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:16 -06:00
Daniel Pouzzner d278da09df Merge pull request #10112 from embhorn/zd21470
Fix CertFromX509 copy length check
2026-04-02 23:21:11 -05:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00