Commit Graph

3481 Commits

Author SHA1 Message Date
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Daniel Pouzzner f1fff73352 tests/api.c: fix readability-uppercase-literal-suffix in rfc9802_verify_one_cert();
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();

wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
2026-05-08 18:53:57 +02:00
Sean Parkinson 69a378461a Merge pull request #10406 from Frauschi/lms_xmss_certs
Support RFC 9802 LMS and XMSS in X.509 verification
2026-05-08 11:48:34 +10:00
Sean Parkinson 5fce8025bb Merge pull request #10386 from JeremiahM37/fenrir-4
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske bf6c870889 Merge pull request #10304 from JeremiahM37/fenrir-2
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
Tobias Frauenschläger 28468b44f5 Support RFC 9802 LMS and XMSS in X.509 verification
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.

asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
  id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
  (1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
  HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
  and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
  "AlgorithmIdentifier omits NULL parameters" since PQC algos were
  added, and HSS/LMS + XMSS only made the original name more
  misleading.

wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
  4-byte OID prefix at the start of the raw public key, taking an
  is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
  spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
  u32str(L) || lmsType || lmOtsType when key->params is NULL; this
  also fixes a latent NULL-deref when the legacy precondition was
  violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
  on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
  matching wc_LmsKey_Verify and the documented contract of using
  wc_XmssKey_GetSigLen for the buffer size.

tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
  every supported parameter set, plus CA->leaf chains per family
  and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
  signature bytes, exercise the wolfCrypt-level negative paths
  (NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
  mismatch, partial-write invariants, lenient VERIFYONLY re-import,
  strict sigLen check) and confirm the outer signatureAlgorithm
  OID is rejected when it disagrees with the SPKI in both
  XMSS<->XMSS^MT directions.
2026-05-07 17:14:31 +02:00
Eric Blankenhorn 9802b35fa8 Fixes from rebase 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 6689397eec Fix from review 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 9ac4a001fa Fix from review 2026-05-07 07:33:56 -05:00
Jeremiah Mackey 18c627c2bf tests 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 3d489d1c10 tests 2026-05-07 02:33:58 +00:00
Jeremiah Mackey 51072bbce9 tests: cover input validation fixes 2026-05-07 02:31:25 +00:00
Juliusz Sosinowicz 061311d6ca zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
  verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
  so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
  and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
  CRL/OCSP checks; clear stale state from session cache on verification
  failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
  hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
  TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
  by consolidating into VerifyTicketBinding(), called once after
  ALPN_Select in DoTls13ClientHello and DoClientHello; the early
  per-call sites ran before extensions were parsed and rejected valid
  resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
  overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
  to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
  add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
  it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00
David Garske 44564dd5fd Merge pull request #10368 from holtrop-wolfssl/gh10359
Allow SubjectInfoAccess extension without id-ad-caRepository entry
2026-05-05 12:49:19 -07:00
David Garske e3285850f9 Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
David Garske 3147a10f23 Merge pull request #10141 from sebastian-carpenter/tls-ech-downgrade
TLS ECH Compliance Fixes
2026-05-05 12:14:20 -07:00
David Garske 00abce3474 Merge pull request #10310 from cconlon/d2iMLDSA
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey
2026-05-05 12:11:49 -07:00
David Garske e38a120043 Merge pull request #10387 from Frauschi/fix-windows-tcp-bind-flaky
Fix flaky tcp bind on Windows test runs
2026-05-05 12:06:44 -07:00
David Garske 309ada27a7 Merge pull request #10370 from cconlon/setAKID
Fix malformed AKID extension from wolfSSL_X509_set_authority_key_id()
2026-05-05 11:55:38 -07:00
David Garske 678ddd6c73 Merge pull request #10339 from embhorn/zd21707
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske 403f0fe637 Merge pull request #10230 from julek-wolfssl/fenrir/20260415
Fenrir fixes
2026-05-05 11:34:43 -07:00
David Garske c278b614dd Merge pull request #10337 from embhorn/zd21709
Fix DupSSL issue with Poly1305 auth
2026-05-05 11:26:29 -07:00
sebastian-carpenter 61ba5378fe TLS ECH compliance fixes 2026-05-04 15:46:18 -06:00
Chris Conlon fe4473fbea Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey. 2026-05-04 09:24:02 -06:00
Tobias Frauenschläger 1093a36bc3 Fix flaky tcp bind on Windows test runs
Windows test code pre-picked a random port via GetRandomPort() (returning
a value in [49152, 65535]) before calling bind(), with no check that the
port was free and no retry on collision. Under load this occasionally
collided with an already-bound port and aborted the test with
"tcp bind failed", producing intermittent Jenkins failures (e.g. PRB
windows-test-v2 #17140 in the OCSP responder test).

The Unix path already does the right thing: bind to port 0 (OS-assigned
ephemeral) and read the port back via getsockname(). The same primitives
exist in Winsock 1.1, so drop the USE_WINDOWS_API guard around the
getsockname block in tcp_listen()/udp_accept() and remove the per-caller
GetRandomPort() workarounds in the OCSP responder, server example, and
the api.c / test_ossl_bio.c test sites. socklen_t is already typedef'd
as int on Windows in test.h.

GetRandomPort() itself is left in place since it is a static inline in a
shipped public test header.
2026-05-04 10:35:04 +02:00
Chris Conlon df8e2eedb3 x509: fix malformed AKID extension from wolfSSL_X509_set_authority_key_id 2026-05-01 10:04:31 -06:00
Josh Holtrop 3ca70e585a Allow SubjectInfoAccess extension without id-ad-caRepository entry
Previously parsing a SubjectInfoAccess certificate containing a
SubjectInfoAccess extension that did not contain an id-ad-caRepository
resulted in an error.
2026-05-01 07:57:04 -04:00
Ruby Martin d34ee11797 tests set null on EXPECT_SUCCESS 2026-04-30 14:00:15 -06:00
Daniel Pouzzner a057975347 Merge pull request #10293 from Frauschi/liboqs_removal
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Daniel Pouzzner 76080d0b19 Merge pull request #10292 from Frauschi/liblms_libxmss_removal
Remove deprecated liblms and libxmss
2026-04-30 09:01:24 -05:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Tobias Frauenschläger e1fefcca4f Remove deprecated liblms and libxmss 2026-04-29 19:52:09 +02:00
Eric Blankenhorn d2c33cbc9f Fix from review 2026-04-28 15:34:26 -05:00
Lealem Amedie 2a0a5cc610 Multi-test fixes 2026-04-28 13:25:14 -06:00
Eric Blankenhorn 262737d63f Fixes from review 2026-04-28 11:54:46 -05:00
Eric Blankenhorn 6fdd0de0ca Fix handling of otherName in ConfirmNameConstraints 2026-04-28 11:05:37 -05:00
Eric Blankenhorn ba20e380bf Fix DupSSL issue with Poly1305 auth 2026-04-28 09:30:14 -05:00
Juliusz Sosinowicz b0fdaa2a6d TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
RFC 8446 section 8 requires any server instance to accept 0-RTT for a
given ClientHello at most once. Prior to this change wolfSSL's behaviour
diverged from that requirement in several ways:

  * ctx->maxEarlyDataSz defaulted to MAX_EARLY_DATA_SZ whenever the
    library was built with WOLFSSL_EARLY_DATA, so servers auto-
    advertised 0-RTT in NewSessionTicket without the application
    asking. RFC 8446 E.5 says 0-RTT MUST NOT be enabled unless
    specifically requested.
  * The post-accept eviction is compiled out under NO_SESSION_CACHE,
    so builds without the cache accepted 0-RTT with no replay defence.
  * Stateless self-encrypted tickets do not carry a session ID on the
    stateless DoClientTicket decrypt path, so wolfSSL_SSL_CTX_remove_
    session could not locate them to evict.
  * wolfSSL_SSL_CTX_remove_session always returned 0 on success
    regardless of whether the session was actually in the cache,
    diverging from OpenSSL's SSL_CTX_remove_session (1 on success,
    0 on not-found).

Changes:
  * src/internal.c: ctx->maxEarlyDataSz defaults to 0; applications
    must opt in with wolfSSL_CTX_set_max_early_data.
  * src/tls13.c: #error when WOLFSSL_EARLY_DATA is built with
    HAVE_SESSION_TICKET and NO_SESSION_CACHE. Escape hatch
    WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY for deployments that take
    application-layer responsibility.
  * wolfssl/internal.h: imply WOLFSSL_TICKET_HAVE_ID from
    WOLFSSL_EARLY_DATA so stateless-ticket issuance populates the
    cache under an ID that eviction can find.
  * src/ssl_sess.c: wolfSSL_SSL_CTX_remove_session returns 1 when the
    session was found (internal-cache hit, or ctx->rem_sess_cb fired
    for an external cache), 0 otherwise. Matches OpenSSL semantics.
  * src/tls13.c: the 0-RTT acceptance condition in CheckPreSharedKeys
    now calls wolfSSL_SSL_CTX_remove_session and checks its return:
    the eviction is the check. If the session was in the cache, 0-RTT
    is accepted and the single-use requirement is satisfied. If not,
    the early_data extension is rejected through the normal path so
    the record layer correctly skips in-flight 0-RTT records.
    WOLFSSL_MSG at each rejection site.
  * doc/dox_comments/header_files/ssl.h: document runtime opt-in.
  * tests: four new tests —
    test_tls13_0rtt_default_off (fails without default-to-0 fix),
    test_tls13_0rtt_stateless_replay (fails without TICKET_HAVE_ID
    implication and remove_session gate),
    test_tls13_remove_session_return (fails without return-value fix),
    test_tls13_0rtt_ext_cache_eviction (fails without ext-cache
    counts-as-found fix).
    test_tls13_early_data explicitly opts in via
    wolfSSL_CTX_set_max_early_data.
    tests/api.c: two SSL_CTX_remove_session == 0 assertions updated
    to == 1.
2026-04-28 14:14:16 +02:00
Lealem Amedie 1f260ccb0a Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension) 2026-04-27 17:15:06 -06:00
Juliusz Sosinowicz ff60134ff0 tests: add TLS 1.3 ticket age out-of-window test (F-1824)
DoClientTicketCheck's ticket-age bounds (-1000 ms low bound and
MAX_TICKET_AGE_DIFF*1000+1000 ms high bound) were never exercised by
any integration test, so mutations of the constants went undetected.
Establish a TLS 1.3 session, read the NewSessionTicket, then shift the
client's cached ageAdd by well over 1 second so the server's
unobfuscated diff falls outside the valid window on resumption. The
server must reject the PSK — session_reused stays 0.
2026-04-27 14:03:14 +02:00
Juliusz Sosinowicz 2df4936092 tests: add HRR cipher-suite mismatch negative test (F-2126)
DoTls13ClientHello enforces RFC 8446 Section 4.1.4 by comparing the
cipher suite in the second ClientHello to the hrrCipherSuite cached on
the server from the HelloRetryRequest. No existing test covers the
mismatch branch, so a deletion of the check would silently allow a
client to switch cipher suite between CH1 and CH2. Drive a partial
handshake until the server has emitted the HRR, then flip the cached
hrrCipherSuite on the server; processing CH2 must surface
INVALID_PARAMETER.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 9aa69f4996 tests: add default ticket key callback HMAC negative test (F-2922)
wolfSSL_TicketKeyCb is the built-in ticket callback registered by the
OpenSSL-compat wolfSSL_CTX_set_tlsext_ticket_key_cb API. Its
ConstantCompare of the ticket HMAC was never reached in any test, so a
deletion of the check would silently accept forged tickets. New test
sets up the compat callback, establishes a TLS 1.2 session, saves it,
flips a byte of the encrypted ticket, and asserts the resumption
attempt does not complete.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 920e175dd6 tests: add SCR verify_data mismatch test (F-2913, F-2914)
Cover both branches of TLSX_SecureRenegotiation_Parse's ConstantCompare
against the cached Finished verify_data: a single memio test loops
over client-side and server-side corruption, renegotiates, and
asserts the offending peer surfaces SECURE_RENEGOTIATION_E.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz d97d0370d1 tests: add TLS 1.3 null cipher HMAC negative test (F-2916)
Tls13IntegrityOnly_Decrypt was completely untouched by existing tests,
so any mutation of its ConstantCompare would pass CI. Add a memio
TLS 1.3 handshake over TLS13-SHA256-SHA256 (integrity-only NULL cipher),
then corrupt the final byte of the next record body via an IORecv
wrapper and assert the server surfaces DECRYPT_ERROR.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 01cc5b1655 tests: add ChaCha20-Poly1305 AEAD tag negative test (F-2921)
Cover the Poly1305 ConstantCompare tag check in ChachaAEADDecrypt that
no existing test was hitting (VERIFY_MAC_ERROR never expected in the
suite). A memio-based TLS 1.2 handshake over
ECDHE-RSA-CHACHA20-POLY1305 completes, the server's IORecv is then
replaced with a wrapper that flips the final byte of the next record
body so the forged Poly1305 tag no longer matches. The server's
wolfSSL_read must surface VERIFY_MAC_ERROR.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz ef73b3b233 tests: add EMS resumption downgrade negative test (F-2915)
Covers the HandleResumeHistory check that RFC 7627 Section 5.3 requires:
if the original session used Extended Master Secret, the server MUST
abort when a resumption ClientHello is received without EMS. The new
memio test performs a TLS 1.2 handshake with EMS, saves the session,
disables EMS on a fresh client, resumes with the saved session, and
asserts the server returns EXT_MASTER_SECRET_NEEDED_E.
2026-04-27 14:03:13 +02:00
Daniel Pouzzner aab90d7a25 tests/api.c: fix false-positive -Wmaybe-uninitialized in test_wolfSSL_clear_secure_renegotiation() with --enable-all CFLAGS=-Og. 2026-04-25 11:47:25 -05:00
Daniel Pouzzner 1f1b572548 tests/api.c: fix -Wnull-dereferences in wolfSSL_UseSecureRenegotiation(). 2026-04-25 11:47:24 -05:00
JacobBarthelmeh 734a71180c Merge pull request #10220 from embhorn/zd21596
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00