Commit Graph

4413 Commits

Author SHA1 Message Date
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
David Garske 01ba609f0d Merge pull request #9702 from danielinux/ta100_2025
[Microchip TA-100] Fix port + update to cryptoauthlib v3.6.0
2026-05-11 07:26:43 -07:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Daniel Pouzzner f1fff73352 tests/api.c: fix readability-uppercase-literal-suffix in rfc9802_verify_one_cert();
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();

wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
2026-05-08 18:53:57 +02:00
Tesfa Mael fbfc3ba8c2 Fix formatting 2026-05-08 18:50:44 +02:00
Tesfa Mael 4d94b8e8d5 [TA-100] Fix build/test regressions in non-TA100 builds 2026-05-08 18:50:44 +02:00
Tesfa Mae dbf4aaa5be TA100: follow-up changes (squash after 4e64cb56) 2026-05-08 18:50:43 +02:00
Tesfa Mae 00cca3e25b TA100: Microchip Trust Anchor support RSA/ECC 2026-05-08 18:50:43 +02:00
Sean Parkinson 69a378461a Merge pull request #10406 from Frauschi/lms_xmss_certs
Support RFC 9802 LMS and XMSS in X.509 verification
2026-05-08 11:48:34 +10:00
Sean Parkinson 5fce8025bb Merge pull request #10386 from JeremiahM37/fenrir-4
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske 2b042709f2 Merge pull request #10427 from cconlon/setAsymKeyDerVersion
Set PKCS#8 version correctly in SetAsymKeyDer() when publicKey is bundled
2026-05-07 16:12:18 -07:00
David Garske 7b34be3945 Merge pull request #10331 from embhorn/zd21706
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske bf6c870889 Merge pull request #10304 from JeremiahM37/fenrir-2
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske fea8d1b5bc Merge pull request #10413 from JeremiahM37/fenrir-7
zeroize sensitive memory and validate public API inputs
2026-05-07 14:47:32 -07:00
David Garske 58ca6a1fa7 Merge pull request #10302 from JacobBarthelmeh/ecc
additional sanity checks on invalid input
2026-05-07 14:39:21 -07:00
David Garske 8ac2a1ae1b Merge pull request #10418 from rlm2002/coverity
20260506 Coverity
2026-05-07 14:11:32 -07:00
David Garske 52847ed7e0 Merge pull request #10420 from SparkiDev/mldsa_small_1
ML-DSA fixes: small vfy key object, small SHA-3, fix test
2026-05-07 13:52:50 -07:00
Chris Conlon 7cc84d38fb fix SetAsymKeyDer to set PKCS#8 version=1 when bundling publicKey (RFC 5958) 2026-05-07 14:05:51 -06:00
Tobias Frauenschläger 28468b44f5 Support RFC 9802 LMS and XMSS in X.509 verification
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.

asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
  id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
  (1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
  HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
  and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
  "AlgorithmIdentifier omits NULL parameters" since PQC algos were
  added, and HSS/LMS + XMSS only made the original name more
  misleading.

wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
  4-byte OID prefix at the start of the raw public key, taking an
  is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
  spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
  u32str(L) || lmsType || lmOtsType when key->params is NULL; this
  also fixes a latent NULL-deref when the legacy precondition was
  violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
  on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
  matching wc_LmsKey_Verify and the documented contract of using
  wc_XmssKey_GetSigLen for the buffer size.

tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
  every supported parameter set, plus CA->leaf chains per family
  and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
  signature bytes, exercise the wolfCrypt-level negative paths
  (NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
  mismatch, partial-write invariants, lenient VERIFYONLY re-import,
  strict sigLen check) and confirm the outer signatureAlgorithm
  OID is rejected when it disagrees with the SPKI in both
  XMSS<->XMSS^MT directions.
2026-05-07 17:14:31 +02:00
Eric Blankenhorn 9802b35fa8 Fixes from rebase 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 6689397eec Fix from review 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 9ac4a001fa Fix from review 2026-05-07 07:33:56 -05:00
Eric Blankenhorn c55b77b382 Fix handling of registeredID 2026-05-07 07:33:56 -05:00
Eric Blankenhorn df7a5e8a85 Fix in CheckForAltNames to handle IPSAN 2026-05-07 07:33:55 -05:00
Eric Blankenhorn ede266acc2 Fixes from review 2026-05-07 07:32:51 -05:00
Eric Blankenhorn 0f50c225e2 Fix IDNA matching 2026-05-07 07:31:25 -05:00
Jeremiah Mackey 18c627c2bf tests 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 3d489d1c10 tests 2026-05-07 02:33:58 +00:00
Jeremiah Mackey 51072bbce9 tests: cover input validation fixes 2026-05-07 02:31:25 +00:00
Sean Parkinson 55d7ed8d0e ML-DSA fixes: small vfy key object, small SHA-3, fix test
Only have the public key in the ML-DSA key object when verify-only.
Be able to leave out SHA-3 APIs when only needing SHAKE.
Fix ML-DSA testing to only have data for compiled in parameters.
2026-05-07 10:03:41 +10:00
Ruby Martin f6019467fa add unit test for NULL SHAKE parameters 2026-05-06 15:25:06 -06:00
Daniel Pouzzner 03cee6f2bf tests/api/test_ed25519.c and tests/api/test_ed448.c: add missing FIPS v7+ gating in test_wc_ed25519_export() and test_wc_ed448_export().
wolfcrypt/test/test.c: in aes_cbc_test(), use unconditional static on msg4 and verify4 to work around gcc optimizer bug (probably same bug as noted in ac11279c60).
2026-05-06 14:24:18 -05:00
David Garske 490c1062e4 Merge pull request #10274 from gasbytes/crl-idp-extension-fix-follow-up
Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3
2026-05-06 12:13:28 -07:00
Juliusz Sosinowicz 061311d6ca zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
  verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
  so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
  and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
  CRL/OCSP checks; clear stale state from session cache on verification
  failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
  hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
  TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
  by consolidating into VerifyTicketBinding(), called once after
  ALPN_Select in DoTls13ClientHello and DoClientHello; the early
  per-call sites ran before extensions were parsed and rejected valid
  resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
  overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
  to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
  add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
  it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00
David Garske 44564dd5fd Merge pull request #10368 from holtrop-wolfssl/gh10359
Allow SubjectInfoAccess extension without id-ad-caRepository entry
2026-05-05 12:49:19 -07:00
David Garske e3285850f9 Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
David Garske c73f431687 Merge pull request #10392 from JeremiahM37/fenrir-5
wolfCrypt input validation and side-channel hardening
2026-05-05 12:24:17 -07:00
Daniel Pouzzner c1b2660a08 Merge pull request #10396 from douzzer/20260501-fips-v7-fixes
20260501-fips-v7-fixes -- reviewed+approved by @Frauschi
2026-05-05 14:20:49 -05:00
David Garske b47f71678d Merge pull request #10363 from MarkAtwood/fix/curve25519-clamp-check-rule3
fix: curve25519 clamp check missing rule 3 (bit 6 of byte 31) (ZD-21731)
2026-05-05 12:16:06 -07:00
David Garske 3147a10f23 Merge pull request #10141 from sebastian-carpenter/tls-ech-downgrade
TLS ECH Compliance Fixes
2026-05-05 12:14:20 -07:00
David Garske 00abce3474 Merge pull request #10310 from cconlon/d2iMLDSA
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey
2026-05-05 12:11:49 -07:00
David Garske e38a120043 Merge pull request #10387 from Frauschi/fix-windows-tcp-bind-flaky
Fix flaky tcp bind on Windows test runs
2026-05-05 12:06:44 -07:00
David Garske da038c6d51 Merge pull request #10299 from Frauschi/pqc_key_share_fix
Fix PQC key exchange with multiple KEM key shares
2026-05-05 12:03:32 -07:00
David Garske c3cd71ea02 Merge pull request #9965 from kojo1/mldsa
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske 309ada27a7 Merge pull request #10370 from cconlon/setAKID
Fix malformed AKID extension from wolfSSL_X509_set_authority_key_id()
2026-05-05 11:55:38 -07:00
David Garske 644f6171ab Merge pull request #10290 from LinuxJedi/emnet
Fix emNET support and add tests
2026-05-05 11:46:15 -07:00
David Garske 8e46221428 Merge pull request #10336 from julek-wolfssl/wolfSSL_PEM_read_bio_X509_CRL-multi-crl-fix
src/x509.c: refactor wolfSSL_PEM_read_bio_X509_CRL onto the per-block reader
2026-05-05 11:42:00 -07:00
David Garske 3b7ac9fd25 Merge pull request #10327 from embhorn/zd21704
Hardening in TLSX_KeyShare_ProcessPqcHybridClient
2026-05-05 11:41:43 -07:00
David Garske 678ddd6c73 Merge pull request #10339 from embhorn/zd21707
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00