Commit Graph

796 Commits

Author SHA1 Message Date
Josh Holtrop 3d517841d5 Ed448: check for public key presence on export
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.

Fix F-4427
2026-06-12 15:58:27 -04:00
David Garske 6081106ae3 Merge pull request #10647 from philljj/misc_fixes
Misc wolfcrypt fixes
2026-06-12 09:13:26 -07:00
jordan ab09d0c95b misc_fixes: cleanup for skoll review. 2026-06-12 00:12:45 -05:00
Daniel Pouzzner 3e390b1b29 Merge pull request #10666 from douzzer/20260611-AES-XTS-key-half-inequality
20260611-AES-XTS-key-half-inequality

approved by @dgarske and @kareem-wolfssl, final by @SparkiDev.
2026-06-11 21:55:37 -05:00
David Garske 29f14ed2ee Merge pull request #10582 from julek-wolfssl/fenrir-20260602
Fenrir 2026-06-02: TLS/DTLS correctness, resumption & renegotiation safety fixes
2026-06-11 15:29:51 -07:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Juliusz Sosinowicz 2352d73f7f F-5811: defer resumed-session consistency checks to confirmed resumption
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.

Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.

Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
2026-06-11 19:22:35 +00:00
David Garske e0324866bc Merge pull request #10654 from douzzer/20260610-ssl_api_ext-revert-ret-cascades
20260610-ssl_api_ext-revert-ret-cascades
2026-06-11 09:49:08 -07:00
Sean Parkinson 63fd322382 Merge pull request #10641 from rlm2002/zd21890
Fixes for SM2/3 and FindMultiAttrib
2026-06-11 08:01:20 +10:00
Juliusz Sosinowicz 748678715a F-5807: extend EMS resumption check to ticket resumption
Address review on PR #10582:

- The client-side extended_master_secret consistency check skipped all
  session-ticket resumptions, leaving a generic ticket resumption open to
  an undetected EMS downgrade by a malicious server or MITM. The client
  retains the EMS state for ticket sessions too (SetupSession), so the
  check now applies to ticket resumption as well, mirroring the adjacent
  cipher-suite check. Only EAP-FAST style resumption - where the
  session-secret callback supplies the master secret for an opaque PAC
  ticket - is exempt, matched precisely via ssl->sessionSecretCb just as
  the callback invocation in DoServerHello does.

- Add test_tls_ems_resumption_server_downgrade, exercising the
  client-direction downgrade (server resumes but omits EMS from its
  ServerHello) for both session-ID and session-ticket resumption. This
  client-side branch previously had no test coverage.
2026-06-10 20:50:51 +00:00
jordan 7926d9dea4 dsa: fix fips gating in api tests. 2026-06-10 14:10:21 -05:00
David Garske 10e2afa20a Merge pull request #10595 from miyazakh/f5381_RSASSA-PSS_trailerField
f5381 enforce trailerField==1 in DecodeRsaPssParams
2026-06-10 10:05:22 -07:00
Daniel Pouzzner 37511b484e tests/api/test_ssl_cert.c, tests/api/test_ssl_ext.c, tests/api/test_ssl_pk.c: add missing gates on !NO_TLS. 2026-06-10 12:05:00 -05:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00
David Garske 953467875f Merge pull request #10560 from philljj/fix_dh_agree
dh: fix subgroup check in wc_DhAgree.
2026-06-10 09:13:31 -07:00
David Garske 760392f403 Merge pull request #10636 from embhorn/zd21942
Harden PKCS#7 FlattenEncodedAttribs
2026-06-10 08:57:39 -07:00
jordan 2f5ad2d1d2 hmac: cleanup, and fix fips gating in api tests. 2026-06-10 09:53:00 -05:00
Tobias Frauenschläger 11270fc465 Check for EC_PF_UNCOMPRESSED in TLS 1.2 ClientHello
Fixes F-4892
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger e407dba23b Improve supported_groups handling
Fixes F-4891
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c611a22b2f Ensure a key is set for DES3 operations
Fixes F-5379
2026-06-10 11:36:59 +02:00
Tobias Frauenschläger c76c83258c Ensure a key is set for ARC4 operations
Fixes F-5378
2026-06-10 11:36:29 +02:00
Tobias Frauenschläger e05a453944 Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.

Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
2026-06-10 10:51:33 +02:00
jordan 0640b2ef99 dh tests: fix define gate. 2026-06-10 01:39:18 -05:00
jordan c78fb5f41b dh: fix subgroup check in wc_DhAgree. 2026-06-10 01:28:12 -05:00
Sean Parkinson 359e688dc3 ssl.c: Move functions out to own files and add testing
ssl_api_pk.c: added Public-key APIs (min/max key sizes, DH key test,
signature NIDs, tmp ecdh). Reworked code of new functions.
ssl_api_cert.c: added more SSL Certificate APIs. Reworked code of new
functions.
ssl_api_ext.c: TLS extension APIs (session tickets, max fragment,
groups, etc.). Reworked code.
ssl_api_dtls.c: DTLS APIs (cookie secret, etc.)

Improved test coverage for functions moved.
2026-06-10 09:11:59 +10:00
David Garske 4f09916e7e Merge pull request #10443 from anhu/protonamelist
Enforce only 1 protocolname in serverhello
2026-06-09 15:42:02 -07:00
Hideki Miyazaki 7d74caac6d Addressed review comments 2026-06-10 07:02:46 +09:00
David Garske 358ae9a559 Merge pull request #10249 from ColtonWilley/pr15-tls-config-bounds
Add negative-count and NULL checks to group-setting and shared-cipher APIs
2026-06-09 14:40:16 -07:00
Ruby Martin fa5247b516 add regression test for sm builds 2026-06-09 15:40:16 -06:00
Eric Blankenhorn 4ef8d52abb Fix from review 2026-06-09 16:37:44 -05:00
jordan f063721fac dsa: check that key was created before export. 2026-06-09 12:27:08 -05:00
jordan 132079d2a1 hmac: err on update if key not set. 2026-06-09 10:02:51 -05:00
Juliusz Sosinowicz 2da5b24438 F-5811: enforce resumed cipher suite match for ticket resumption
The TLS 1.2 client only compared the ServerHello suite against the
cached session suite for session-ID resumption; ticket resumption was
skipped on the assumption the suite is bound in the ticket. But the
ticket is opaque to the client, so it must enforce the match itself -
otherwise a server could resume a ticket under a different (weaker)
suite the client offered and the downgrade would go undetected
(RFC 5246 7.4.1.3).

The check is skipped only when the client retained no suite for the
session (cipherSuite0/cipherSuite both zero), so there is nothing to
compare against - as for EAP-FAST, whose PAC is a TLS ticket whose keys
come from the session-secret callback and which never populates the
cached suite. (0,0) is TLS_NULL_WITH_NULL_NULL, never negotiated, so it
unambiguously means "no retained suite". The EMS check remains
ticket-gated.

Add memio regression tests: a ticket resumption under a different
(retained) suite is rejected with MATCH_SUITE_ERROR, and a resumption
whose cached suite was not retained still succeeds.
2026-06-09 13:07:53 +00:00
David Garske e2d3b63139 Merge pull request #10207 from ColtonWilley/d2i_pem_negative_length
Add signed-length validation to d2i, PEM, and buffer-load APIs
2026-06-08 15:42:00 -07:00
David Garske dbf72c4f00 Merge pull request #10601 from kareem-wolfssl/f3772
Fenrir fixes
2026-06-08 15:23:05 -07:00
Colton Willey 41c09a734c Address review cleanups 2026-06-08 15:10:51 -07:00
David Garske c9cb0ef033 Merge pull request #10212 from ColtonWilley/fix-skid-overflow-and-null-checks
Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
2026-06-08 15:01:14 -07:00
Daniel Pouzzner 672da2ad96 Merge pull request #10633 from holtrop-wolfssl/f-4141
Add unit tests that TLS resumption fails due to ALPN mismatch
2026-06-08 15:21:53 -05:00
Daniel Pouzzner f3ab345d1c Merge pull request #10553 from julek-wolfssl/tls-12-mutual-auth
Allow RSA client certs on ECDHE-ECDSA mutual auth
2026-06-08 15:21:29 -05:00
Daniel Pouzzner e51317261d Merge pull request #10630 from yosuke-wolfssl/fix/f_4890
Fix odd-length CertificateRequest signature_algorithms acceptance
2026-06-08 15:21:02 -05:00
Daniel Pouzzner 1943a6f33a Merge pull request #10550 from rizlik/sha512_only
add support for WOLF_CRYPTO_CB_ONLY_SHA512
2026-06-08 15:20:08 -05:00
Colton Willey 6211210c86 Strengthen regression tests for group and shared-cipher API guards 2026-06-08 12:41:34 -07:00
Colton Willey 00a21b0bfa Add regression tests for group-setting and shared-cipher API guards
Extend test_tls13_apis with negative-count assertions for
wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups
assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups
(tests/api/test_tls13.c).

Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and
zero-length inputs (tests/api/test_tls.c).
2026-06-08 12:41:34 -07:00
Kareem 4a854b0a71 Add unit test for wc_AesEaxEncryptFinal authTagSz below minimum. 2026-06-08 10:29:10 -07:00
Eric Blankenhorn 9f7c536e23 Harden PKCS#7 FlattenEncodedAttribs 2026-06-08 09:26:29 -05:00
Juliusz Sosinowicz a3bc7c96a0 tests: relocate TLS 1.2 mutual-auth tests to avoid merge collision
The two new tests (test_tls12_ecdhe_ecdsa_rsa_client_cert and
test_tls12_ecdhe_rsa_ecdsa_client_cert) were appended right after
test_wolfSSL_alert_desc_string, the last function in test_tls.c. Another
in-flight branch appends its own new tests at the same anchor, producing
a spurious add/add merge conflict even though the additions are
independent. Move these two functions just above
test_wolfSSL_alert_desc_string so the two branches insert at different
locations and merge cleanly. Pure code movement; no behavior change.
2026-06-08 15:10:27 +02:00
Juliusz Sosinowicz fdda31b5c3 Allow RSA client certs on ECDHE-ECDSA mutual auth
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.

Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:

  GetServerCertReqCertTypes    - certificate_types to emit
  GetServerCertReqHashSigAlgo  - signature_algorithms to emit
  InServerCertReqHashSigAlgo   - membership check used for verification

The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.

Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.

Add two end-to-end mutual-auth tests covering both directions:

  test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
  test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA  server, ECDSA client

Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.

TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.
2026-06-08 15:10:27 +02:00
Juliusz Sosinowicz 1173a365fe F-4144: honor WOLFSSL_OP_NO_RENEGOTIATION
The documented 'reject peer-initiated renegotiation' option was accepted and
stored but never consulted. Now DoHelloRequest replies with a no_renegotiation
warning instead of starting SCR when the bit is set (client side), and the
server refuses a renegotiation ClientHello with a no_renegotiation warning
instead of resetting handshake state.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz c18784a11c F-3888: add negative tests for tampered RSA signatures/hashes
Extend test_wolfSSL_RSA_verify and test_wolfSSL_RSA_padding_add_PKCS1_PSS
with negative cases that flip a byte in the signature/encoding and in the
hash, asserting verification fails. This guards the XMEMCMP-based signature
acceptance decision in wolfSSL_RSA_verify_mgf against regressions that would
let any decryption result of matching length pass as valid.
2026-06-08 14:21:53 +02:00
Yosuke Shimizu a6f69ec09c Fix odd-length CertificateRequest signature_algorithms acceptance 2026-06-08 11:33:50 +09:00