The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.
Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.
Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
The TLS 1.2 client only compared the ServerHello suite against the
cached session suite for session-ID resumption; ticket resumption was
skipped on the assumption the suite is bound in the ticket. But the
ticket is opaque to the client, so it must enforce the match itself -
otherwise a server could resume a ticket under a different (weaker)
suite the client offered and the downgrade would go undetected
(RFC 5246 7.4.1.3).
The check is skipped only when the client retained no suite for the
session (cipherSuite0/cipherSuite both zero), so there is nothing to
compare against - as for EAP-FAST, whose PAC is a TLS ticket whose keys
come from the session-secret callback and which never populates the
cached suite. (0,0) is TLS_NULL_WITH_NULL_NULL, never negotiated, so it
unambiguously means "no retained suite". The EMS check remains
ticket-gated.
Add memio regression tests: a ticket resumption under a different
(retained) suite is rejected with MATCH_SUITE_ERROR, and a resumption
whose cached suite was not retained still succeeds.
Extend test_tls13_apis with negative-count assertions for
wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups
assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups
(tests/api/test_tls13.c).
Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and
zero-length inputs (tests/api/test_tls.c).
The two new tests (test_tls12_ecdhe_ecdsa_rsa_client_cert and
test_tls12_ecdhe_rsa_ecdsa_client_cert) were appended right after
test_wolfSSL_alert_desc_string, the last function in test_tls.c. Another
in-flight branch appends its own new tests at the same anchor, producing
a spurious add/add merge conflict even though the additions are
independent. Move these two functions just above
test_wolfSSL_alert_desc_string so the two branches insert at different
locations and merge cleanly. Pure code movement; no behavior change.
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.
Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:
GetServerCertReqCertTypes - certificate_types to emit
GetServerCertReqHashSigAlgo - signature_algorithms to emit
InServerCertReqHashSigAlgo - membership check used for verification
The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.
Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.
Add two end-to-end mutual-auth tests covering both directions:
test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA server, ECDSA client
Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.
TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.
2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.
3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.
4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".
5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
TLS_EMPTY_RENEGOTIATION_INFO_SCSV appears in GetCipherNames() when
HAVE_RENEGOTIATION_INDICATION is set. It is a signaling value, not a
real suite; set_cipher_list accepts it but the handshake rejects it
with UNSUPPORTED_SUITE. Add it to record_size_skip_cipher's deny list.
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.
Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
When building with --enable-opensslextra=x509small, only OPENSSL_EXTRA_X509_SMALL is defined, not OPENSSL_EXTRA, so these functions are not compiled into the library
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL's configured
minDowngrade. The overwritten version then fed straight into
SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising e.g. TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.
Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.
F-2105
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
The signature algorithm specified in CertificateVerify must have been in
the CertificateRequest. Add check.
The cipher suite test cases, when client auth and RSA are built-in and
use the default client certificate and use the *-ECDSA-* cipher
suites, no longer work. The client certificate must be ECC when the
cipher suite has ECDSA. Don't run them for that build.
Server only uses curves that are supported by both the client and the server. If no common groups are found, the connection will fail in TLS 1.2 and below. In TLS 1.3, HRR may still be used to resolve the group mismatch.