- tls.c: TLSX_CertWithExternPsk_GetSize takes word16*, but length was
widened to word32 in TLSX_GetSize. Use the hsz staging variable like
the other cases so WOLFSSL_CERT_WITH_EXTERN_PSK builds compile.
- tls.c: silence -Wunused-variable for hsz in builds where every case
that consumes it (TLS 1.3, PSK, ETM, early data, PHA, cookie, cert
with extern PSK) is compiled out, e.g. user_settings_tls12.h.
- test_tls_ext.c: assert session->ticketLen > 0 before mutating
ticketAdd in the ticket-age out-of-window test so it fails loudly if
no NewSessionTicket was received.
DoClientTicketCheck's ticket-age bounds (-1000 ms low bound and
MAX_TICKET_AGE_DIFF*1000+1000 ms high bound) were never exercised by
any integration test, so mutations of the constants went undetected.
Establish a TLS 1.3 session, read the NewSessionTicket, then shift the
client's cached ageAdd by well over 1 second so the server's
unobfuscated diff falls outside the valid window on resumption. The
server must reject the PSK — session_reused stays 0.
DoTls13ClientHello enforces RFC 8446 Section 4.1.4 by comparing the
cipher suite in the second ClientHello to the hrrCipherSuite cached on
the server from the HelloRetryRequest. No existing test covers the
mismatch branch, so a deletion of the check would silently allow a
client to switch cipher suite between CH1 and CH2. Drive a partial
handshake until the server has emitted the HRR, then flip the cached
hrrCipherSuite on the server; processing CH2 must surface
INVALID_PARAMETER.
wolfSSL_TicketKeyCb is the built-in ticket callback registered by the
OpenSSL-compat wolfSSL_CTX_set_tlsext_ticket_key_cb API. Its
ConstantCompare of the ticket HMAC was never reached in any test, so a
deletion of the check would silently accept forged tickets. New test
sets up the compat callback, establishes a TLS 1.2 session, saves it,
flips a byte of the encrypted ticket, and asserts the resumption
attempt does not complete.
Cover both branches of TLSX_SecureRenegotiation_Parse's ConstantCompare
against the cached Finished verify_data: a single memio test loops
over client-side and server-side corruption, renegotiates, and
asserts the offending peer surfaces SECURE_RENEGOTIATION_E.
Tls13IntegrityOnly_Decrypt was completely untouched by existing tests,
so any mutation of its ConstantCompare would pass CI. Add a memio
TLS 1.3 handshake over TLS13-SHA256-SHA256 (integrity-only NULL cipher),
then corrupt the final byte of the next record body via an IORecv
wrapper and assert the server surfaces DECRYPT_ERROR.
Cover the Poly1305 ConstantCompare tag check in ChachaAEADDecrypt that
no existing test was hitting (VERIFY_MAC_ERROR never expected in the
suite). A memio-based TLS 1.2 handshake over
ECDHE-RSA-CHACHA20-POLY1305 completes, the server's IORecv is then
replaced with a wrapper that flips the final byte of the next record
body so the forged Poly1305 tag no longer matches. The server's
wolfSSL_read must surface VERIFY_MAC_ERROR.
Covers the HandleResumeHistory check that RFC 7627 Section 5.3 requires:
if the original session used Extended Master Secret, the server MUST
abort when a resumption ClientHello is received without EMS. The new
memio test performs a TLS 1.2 handshake with EMS, saves the session,
disables EMS on a fresh client, resumes with the saved session, and
asserts the server returns EXT_MASTER_SECRET_NEEDED_E.
The CA Names extension size accumulator was a word16. With enough
CA entries (or large DER-encoded names) the running total can wrap
silently, leaving TLSX_CA_Names_Write to overflow an undersized
extension buffer. Match TLSX_SNI_GetSize: use a word32 accumulator
and return 0 when the total exceeds WOLFSSL_MAX_16BIT.
Both TLSX_PreSharedKey_GetSize and TLSX_PreSharedKey_GetSizeBinders
accumulate per-identity bytes into a word16. With enough PSK entries
(or large binderLen/identityLen values) the accumulator wraps silently
and the caller allocates an undersized extension buffer, which
TLSX_PreSharedKey_Write then overflows.
Switch both accumulators to word32 and return LENGTH_ERROR when the
total would exceed the 16-bit wire length field.
Mirror the TLSX_SNI_GetSize pattern: accumulate into a word32 and
return 0 when the aggregate size exceeds WOLFSSL_MAX_16BIT so large
idSz values or many TCA entries no longer silently wrap to a small
value that undersizes the TLSX_TCA_Write output buffer.
Match the TLSX_SNI_GetSize pattern: use a word32 accumulator and return
0 if the aggregate size exceeds WOLFSSL_MAX_16BIT, so a large number of
ALPN entries can no longer silently wrap the length computation.
wolfssl/wolfcrypt/hash.h: when WOLFSSL_NOSHA512_{224,256}, gate out prototypes for wc_Sha512_{224,256}Hash[_ex](), to shift build failures from link-time to compile-time.
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);
wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;
wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();
.wolfssl_known_macro_extras: fix lexical order.
* add "-Wnull-dereference" to all existing "-pedantic -Wdeclaration-after-statement" configs;
* add an --enable-sp-math config to .github/workflows/pq-all.yml and .github/workflows/multi-arch.yml.