Commit Graph

10014 Commits

Author SHA1 Message Date
Yosuke Shimizu 51aa3fb5f5 Preserve DTLS association on invalid record headers during handshake 2026-07-09 10:02:56 +09:00
David Garske a4aab71ffe Merge pull request #10861 from padelsbach/asn-integer-overflow-copy
Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER
2026-07-08 15:20:05 -07:00
David Garske fdfba83c38 Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06
Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
2026-07-08 13:58:14 -07:00
HAJA MOHIDEEN M c2b9cc55fb Merge pull request #10408 from hmohide/master
Add UDP support to NetX sockets for DTLS sessions
2026-07-08 12:24:31 -07:00
David Garske 4d3d2318f6 Merge pull request #10628 from yosuke-wolfssl/fix/f_4226
Reject CR/LF in OCSP/CRL URLs to block HTTP injection
2026-07-08 11:54:00 -07:00
David Garske 922e126423 Merge pull request #10693 from padelsbach/crl-use-after-free
Fix use-after-free possibility in GetCRLInfo
2026-07-08 11:37:41 -07:00
David Garske 9395547299 Merge pull request #10716 from padelsbach/crl-reentrancy-uaf
Address possible UAF in BufferLoadCRL
2026-07-08 11:35:29 -07:00
David Garske b29e3a1a11 Merge pull request #10863 from holtrop-wolfssl/zd22109
Fix use-after-free in some TLS shutdown/ReceiveData sequences
2026-07-08 10:54:52 -07:00
David Garske 76491e6b60 Merge pull request #10661 from yosuke-wolfssl/fix/f_5808
Enable SCSV check unconditionally
2026-07-08 10:52:59 -07:00
David Garske 6b1bf6b81b Merge pull request #10551 from julek-wolfssl/dtls-perf-benchmark
Add DTLS throughput benchmark tool and optimize send path
2026-07-08 10:31:11 -07:00
David Garske 67ca317097 Merge pull request #10737 from kareem-wolfssl/zd21998
X509 validation fixes
2026-07-08 09:48:26 -07:00
JacobBarthelmeh 7c085837ae Merge pull request #10772 from dgarske/qat_review
Intel QuickAssist: multi-device utilization + software-fallback / Cavium fixes
2026-07-08 10:39:24 -06:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
Josh Holtrop 07d41740de Fix use-after-free in some TLS shutdown/ReceiveData sequences 2026-07-08 08:14:39 -04:00
Paul Adelsbach f842e33145 Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER 2026-07-07 17:41:49 -07:00
David Garske e0a8f3f475 Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
2026-07-07 16:41:15 -07:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
David Garske 7dd7ae86c0 Merge pull request #10770 from embhorn/zd22032
Fix wolfSSL_BUF_MEM_grow_ex with WOLFSSL_NO_REALLOC
2026-07-07 14:48:29 -07:00
David Garske 926a50458b Merge pull request #10841 from SparkiDev/extract_funcs_ssl_1
internal.c: extract functions to make code cleaner
2026-07-07 14:26:16 -07:00
Aidan Garske e6567ac353 Merge pull request #10838 from cyberstormdotmu/loganaden-patch-wolfssl_quic_underflow
quic: Fix buffer underflow
2026-07-07 13:30:26 -07:00
David Garske 0041fa430e Fix TLS 1.3 hybrid PQC server key share dropped under async crypt 2026-07-07 09:54:03 -07:00
Tobias Frauenschläger 1a144b69bd x509_str.c: gate pathLen decrement on isCa
X509StoreCheckPathLen() consumed a unit of the issuer's path length budget
for any non-self-issued intermediate. Gate the RFC 5280 sec. 6.1.4 (l)
decrement on cert->isCa so only CA certificates count, matching
ParseCertRelative() (wolfcrypt/src/asn.c) and the (m) tightening step. This
prevents a false PATH_LENGTH_EXCEEDED when a non-CA intermediate is tolerated
via verify_cb.
2026-07-07 16:02:27 +02:00
Tobias Frauenschläger 54e20016cd x509_str.c: fix partial-chain double-push and rework pathLen tests
- Break out of the chain-build loop after the partial-chain fallback accepts
  a caller-trusted terminus, so it is pushed to ctx->chain once instead of
  twice; X509StoreCheckPathLen's anchor-skip is now defensive, not load-bearing.
- Drop the now-dead cert == anchor guard and refresh the comment.
- Rework the pathLen regression tests: reuse the existing certs/test-pathlen
  chains (chainF rejects, chainB verifies) instead of inlined report certs.
2026-07-07 16:02:27 +02:00
Kareem 3143ae0d75 Refactor to allow maxPathLen set to WOLFSSL_MAX_PATH_LEN. 2026-07-07 16:02:27 +02:00
Tobias Frauenschläger cc78d130c4 X509 validation fixes 2026-07-07 16:02:27 +02:00
Daniel Pouzzner 12272e1c06 wolfssl/wolfcrypt/hash.h, src/internal.c, src/pk_ec.c, tests/api/api.h, wolfcrypt/src/dsa.c, wolfcrypt/src/ecc.c, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* remove FIPS 186-5 sign-mode restrictions from WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
* set up WC_MIN_DIGEST_SIZE_FOR_SIGN and WC_MIN_DIGEST_SIZE_FOR_VERIFY, derived from WC_HASH_CUSTOM_MIN_DIGEST_SIZE, but enforcing FIPS 186-5 sign-mode restrictions only for WC_MIN_DIGEST_SIZE_FOR_SIGN.
* replace all uses of WC_MIN_DIGEST_SIZE with WC_MIN_DIGEST_SIZE_FOR_SIGN or WC_MIN_DIGEST_SIZE_FOR_VERIFY as appropriate.

wolfcrypt/test/test.c: in cryptocb_test(), don't expect callback execution in FIPS builds.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, if defined(NO_SHA) while registering ECDSA handlers, force WC_MIN_DIGEST_SIZE_FOR_VERIFY to 20 for SHA-1 verify support.
2026-07-07 00:19:48 -05:00
Loganaden Velvindron 0cdc7ab583 Fix whitespaces 2026-07-07 08:51:12 +04:00
Loganaden Velvindron 98c48a43b7 move check earlier 2026-07-07 08:47:50 +04:00
David Garske 675d5df2cd Merge pull request #10833 from kareem-wolfssl/zd22079
Add some missing PKCS7 length checks and bound DTLS 1.3 ACK list.
2026-07-06 17:28:22 -07:00
Sean Parkinson 9918a1177a internal.c: extract functions to make code cleaner 2026-07-07 08:11:10 +10:00
JacobBarthelmeh f1b700180c Merge pull request #10738 from dgarske/zd_ecc_nonblock_certchain
Add WOLFSSL_ASYNC_CERT_YIELD: per-certificate non-blocking yield
2026-07-06 14:21:08 -06:00
Daniel Pouzzner 326f40d032 Merge pull request #10626 from mattia-moffa/20260605-dtls-cid-check-newest
DTLS bugfixes
2026-07-03 01:18:38 -05:00
Daniel Pouzzner 8c7ab8eb4f Merge pull request #10686 from Frauschi/openssl_group_align
Align wolfSSL_set1_groups_list() arg handling with OpenSSL
2026-07-03 01:17:33 -05:00
Daniel Pouzzner a543bc4d78 Merge pull request #10745 from Frauschi/mandatory_psk
Enable support for mandatory PSKs
2026-07-03 01:16:45 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner dc326f8c70 Merge pull request #10691 from julek-wolfssl/tls13-fragmented-sessionticket-defrag
TLS 1.3: reassemble fragmented post-handshake messages after FreeArrays
2026-07-03 00:50:10 -05:00
Daniel Pouzzner 3c72ada3b1 Merge pull request #10711 from kareem-wolfssl/zd21987
Add a NULL check to refineSuites.
2026-07-03 00:47:08 -05:00
Daniel Pouzzner 27e160fa53 Merge pull request #10764 from embhorn/gh10761
Fix TLS1.2 error code correction
2026-07-03 00:41:35 -05:00
Loganaden Velvindron fd8772ac3f quic: Fix buffer underflow 2026-07-03 03:57:58 +04:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
Tobias Frauenschläger 79b30aa268 Enable support for mandatory PSKs
Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.

This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.

To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.

The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.

The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.

Added unit tests for the new APIs and enforcement.
2026-07-02 16:02:20 +02:00
Mattia Moffa bf985f1d21 NewConnectionId: reject CID larger than DTLS_CID_MAX_SIZE 2026-07-02 14:16:25 +02:00
Tobias Frauenschläger 154f2e2ea4 F-6547 - Reject TLS KeyUpdate on QUIC connections
QUIC performs key updates at the packet-protection layer via the Key
Phase bit, so RFC 9001 section 6 requires a QUIC endpoint to reject any
received TLS KeyUpdate handshake message as a fatal unexpected_message
connection error and to never send one. The TLS 1.3 receive path
processed the message normally, rotating traffic secrets and possibly
emitting a prohibited KeyUpdate response, and the send path allowed a
QUIC connection to originate a KeyUpdate.

Guard the key_update case in SanityCheckTls13MsgReceived so a QUIC
connection aborts with a fatal unexpected_message alert, and guard
Tls13UpdateKeys so a QUIC connection cannot send a KeyUpdate. Add a
QUIC unit test that feeds a post-handshake KeyUpdate and confirms the
connection is refused.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger e8865748f2 F-6351 - Fix use after free in wolfSSL_ASN1_STRING_set self-alias
When the caller passes the object's own data pointer as the source,
wolfSSL_ASN1_STRING_set freed the existing buffer before copying from
it, reading freed memory in the dynamic case and copying cleared bytes
in the fixed-buffer case. Duplicate the source into a temporary buffer
when it aliases the object before disposing of the old buffer, then
free the temporary once the copy completes.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 3c5ae182a6 F-6350 - Cap d2i_ASN1_OBJECT parse window to OID size
An oversized length argument was passed straight to GetASNHeader as the
buffer bound. A caller supplying a length larger than the real buffer let
the OBJECT_ID header claim more content than was present, driving the OID
validation read past the end of the allocation. Since an ASN1_OBJECT is an
OID, clamp the parse window to the maximum OID encoding so the header
decode cannot read beyond a sane bound.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 845a3a93b5 F-6345 - Reject oversized length in memory BIO write
wolfSSL_BIO_write rejected negative lengths but allowed a large positive
length through to wolfSSL_BIO_MEMORY_write. On a fresh buffer an INT_MAX
length overflowed the 4/3 buffer growth calculation, so the grow reported
success with a short allocation and the following copy read far past the
small source buffer.

Add an upper bound check that rejects lengths large enough to overflow the
growth math before any allocation or copy, and add a regression test that
drives a huge length through the public BIO_write entry point.
2026-07-02 11:36:01 +02:00
Mattia Moffa 3b21af4277 Invalidate record size cache when changing connection IDs 2026-07-02 05:54:03 +02:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00