Commit Graph

9216 Commits

Author SHA1 Message Date
Paul Adelsbach 22d7550f8e CRL enhancements for revoked entries 2026-03-04 14:53:28 -08:00
Anthony Hu 9d3cc6e30c Fix for loop exit condition.
size should be length.  s includes offset, so it must be compared against
length, not size because size is only what is after offset.
2026-03-04 10:17:33 -05:00
Sean Parkinson 215fe1341c Merge pull request #9829 from night1rider/tmpSha-fixes
Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha
2026-03-02 21:18:55 +10:00
Sean Parkinson cba9ffd703 Merge pull request #9782 from kareem-wolfssl/zd21204
Ensure length is at least ID_LEN in SetTicket.
2026-03-02 21:12:29 +10:00
Daniel Pouzzner bdea01a931 src/x509.c: in loadX509orX509REQFromPemBio(), fix an identicalInnerCondition. 2026-02-27 23:39:38 -06:00
night1rider 60573a3782 memset 0 the temp contexts 2026-02-27 12:56:57 -07:00
Kareem aaf6aa5aca Code review feedback 2026-02-26 17:09:23 -07:00
Kareem 3d5c03a275 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd21204 2026-02-26 17:03:15 -07:00
JacobBarthelmeh 5a26692ee9 Merge pull request #9818 from julek-wolfssl/sssd-2.10.2
sssd 2.10.2 changes
2026-02-26 16:23:00 -07:00
Sean Parkinson b9838aa563 Merge pull request #9711 from julek-wolfssl/nginx-1.28.0
nginx 1.28.1 fixes
2026-02-27 08:39:10 +10:00
JacobBarthelmeh 85228f088e Merge pull request #9824 from embhorn/zd21239
Fix issues in TLS Extension size calculations
2026-02-26 13:47:54 -07:00
JacobBarthelmeh ba859d21fa Merge pull request #9817 from LinuxJedi/static-fixes4
Static code analysis fixes
2026-02-26 12:03:24 -07:00
Eric Blankenhorn f53ce49694 Fix from review 2026-02-26 10:46:03 -06:00
Eric Blankenhorn be7f934157 Add test case 2026-02-26 10:18:31 -06:00
Eric Blankenhorn 187534855d Fix issues in TLS Extension size calculations 2026-02-26 10:18:30 -06:00
Juliusz Sosinowicz fc0ec06e72 sssd 2.10.2 changes 2026-02-26 15:18:36 +01:00
Andrew Hutchings 110f5cb442 Fix ECH error code: use BUFFER_ERROR for malformed peer input
Change innerClientHelloLen underflow guard in TLSX_ECH_Parse from
BAD_FUNC_ARG to BUFFER_ERROR to match the convention used throughout
tls.c for wire-protocol length/bounds validation.
2026-02-26 14:09:01 +00:00
JacobBarthelmeh 76816a0e11 Merge pull request #9823 from embhorn/zd21242
Add sanity checks in key export
2026-02-25 14:38:46 -07:00
JacobBarthelmeh e317aa2b70 Merge pull request #9827 from embhorn/zd21241
Fix cert chain size issue
2026-02-25 14:30:58 -07:00
Eric Blankenhorn 75b0808fe5 Update from review 2026-02-25 09:02:55 -06:00
Eric Blankenhorn 41ebc92fa5 Replace macros from stdint.h with literals to make code more generic 2026-02-25 09:00:57 -06:00
Eric Blankenhorn 67de2349da Add sanity checks in key export 2026-02-25 09:00:57 -06:00
Juliusz Sosinowicz e9a2f27b2c Address peer review 2026-02-25 15:46:20 +01:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
Kareem 9a0c18c8fa Work around error: enumerated and non-enumerated type in conditional expression 2026-02-24 15:19:31 -07:00
Eric Blankenhorn 8f787909da Fix from review 2026-02-24 11:17:42 -06:00
Marco Oliverio d72fcb1d27 tls13: avoid to create a new suite in CertificateRequest
This way the ssl object honour the HasSigAlgo list set by
wolfSSL_set1_sigalgs_list.
2026-02-24 18:02:26 +01:00
Eric Blankenhorn 2ae3164c6f Fix cert chain size issue 2026-02-24 09:27:42 -06:00
Kareem 0463e37716 Pad session ID with 0s if session ticket length is less than ID_LEN.
Prevents underflow in SetTicket.
Thanks to Arjuna Arya for discovering and reporting this.
2026-02-23 16:46:01 -07:00
Andrew Hutchings 599eec673e Fix ImportKeyState wordAdj always-zero bug in DTLS session import
In ImportKeyState(), wordAdj was always zero because it was computed
after clamping wordCount, and the subtraction direction was reversed.
This caused misaligned parsing of all subsequent fields when importing
state from a peer compiled with a larger WOLFSSL_DTLS_WINDOW_WORDS.

Fix both window and prevWindow blocks to compute the adjustment before
clamping, with the correct subtraction direction.

Add test that imports a state buffer with wordCount > WOLFSSL_DTLS_WINDOW_WORDS
to verify the fix.
2026-02-23 16:52:52 +00:00
Andrew Hutchings 10325b4587 Fix integer underflow in ECH innerClientHelloLen parsing
Add bounds check before subtracting WC_AES_BLOCK_SIZE from the
attacker-controlled innerClientHelloLen field in TLSX_ECH_Parse().
Values 0-15 caused a word16 underflow to ~65K, leading to a heap
buffer overflow write via XMEMSET and heap buffer over-read via
wc_AesGcmDecrypt. Return BAD_FUNC_ARG if the field is too small.
2026-02-23 16:52:52 +00:00
Andrew Hutchings af329b38a8 Fix heap buffer over-read in wolfSSL_select_next_proto
Add missing bounds validation in wolfSSL_select_next_proto. Three
issues fixed:

1. Outer loop: no check that length byte + position stays within inLen,
   allowing XMEMCMP to read past the server protocol list buffer.

2. Inner loop: same missing check for clientNames/clientLen boundary.

3. No-overlap fallback unconditionally dereferences clientNames[0] even
   when clientLen is 0, and returns an outLen that may exceed the buffer.

Also reject zero-length protocol entries (invalid per RFC 7301) to
prevent infinite loops.

Add unit test test_wolfSSL_select_next_proto with 8 cases covering NULL
params, normal match, no overlap, malformed length overruns, zero-length
entries, and empty client lists.
2026-02-23 16:52:52 +00:00
Andrew Hutchings 558ae34f68 Fix CRL_STATIC_REVOKED_LIST binary search bugs in FindRevokedSerial
The CRL_STATIC_REVOKED_LIST code path stored revoked certificates in a
fixed array but never sorted it after parsing, causing binary search to
silently miss revoked serials when entries arrived in non-sorted wire
order. Additionally, comparisons used rc[0].serialSz instead of
rc[mid].serialSz, omitted the length-equality check before XMEMCMP,
and ignored the serialHash lookup path entirely (causing a NULL
dereference when hash-based lookup was used).

Fixes:
- Sort the revoked cert array in InitCRL_Entry after populating it
- Use rc[mid].serialSz instead of rc->serialSz in binary search
- Add serialSz equality check before XMEMCMP, matching linked-list path
- Implement serialHash-based linear scan for hash lookup callers

Add unit test that loads a CRL with serials in unsorted wire order and
verifies that a revoked certificate is correctly detected.
2026-02-23 16:52:52 +00:00
Juliusz Sosinowicz a9f23ad140 Add changes for ntp 4.2.8p18
Depends on https://github.com/wolfSSL/osp/pull/319
2026-02-20 19:06:55 +01:00
David Garske f1e8c1b886 Merge pull request #9787 from holtrop-wolfssl/fix-integrity-only-cipher-nonce-calculation
Fix integrity-only cipher nonce calculation
2026-02-19 09:05:24 -08:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
Andrew Hutchings 66de1d6cdb Fix wolfSSL_CRYPTO_memcmp
This is used by the OpenSSL compatibility layer. If either parameter was
NULL, it would return as a match. We should return a non-match instead.

OpenSSL itself has no safety checks here.
2026-02-19 11:01:52 +00:00
Andrew Hutchings 4e37d99d07 Fix OCSP key-based responder ID lookup when SM2/SM3 is enabled.
When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).

Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
2026-02-18 18:01:33 +00:00
Andrew Hutchings 730519211d Fix wrong flags read on BIO write 2026-02-18 18:01:33 +00:00
Andrew Hutchings 3ffa625fd4 Fix leak in Aria upon error 2026-02-18 18:01:33 +00:00
Andrew Hutchings 5bb447dee6 Fix copy/paste error in SM4 CBC Decrypt Async 2026-02-18 18:01:33 +00:00
Andrew Hutchings 43aad1e4d7 Fix SM4 TLS 1.3 decrypt auth tag and SM2 cert verification
- Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer
  instead of output buffer, consistent with all other AEAD ciphers
  (src/tls13.c)

- Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM
  decrypt path (src/internal.c)

- Fix SM2 certificate signature verification for certs using
  id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm.
  OpenSSL creates SM2 cert signatures without the standard
  distinguishing identifier in the ZA hash. The SM2k code path already
  handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path
  was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E
  (-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c)

- Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh
  They had expired.
2026-02-18 18:01:33 +00:00
Andrew Hutchings b7c3bbf101 Fixes to size checking
In `quic_record_transfer()`, the unsigned subtraction
`qr->end - qr->start` could wrap around if `end < start`, and the
subsequent `len <= 0` check was ineffective on a `word32`. Move the
comparison before the subtraction so the function returns `0` safely.

In `GetEchConfig()`, `XSTRLEN(config->publicName)` was assigned to a
single byte, silently truncating names longer than 255 characters while
`XMEMCPY` still copied the full string. Add a 255-byte length
validation in both `wolfSSL_CTX_GenerateEchConfig()` and
`GetEchConfig()`, and cache the length in a local variable to avoid
redundant `XSTRLEN` calls.
2026-02-18 18:01:33 +00:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Andrew Hutchings 060a2b3395 Fix DTLS 1.3 unified header fixed bits mask
DTLS13_FIXED_BITS_MASK used 0x111 (hex 273) instead of 0x7 (decimal 7,
binary 111). Per RFC 9147 Section 4, the top 3 bits of the unified
header flags byte must be 001. The incorrect hex value caused the mask
to only check bit 5 instead of bits 5, 6, and 7, allowing bytes with
bits 6 or 7 set to be misidentified as unified DTLS 1.3 headers.
2026-02-17 10:39:41 +00:00
Andrew Hutchings 00de3f3918 Use XMEMSET instead of memset in QUIC 2026-02-17 10:36:47 +00:00
Andrew Hutchings f31ed0d0cd Fix logic bug in TLSX_TCA_Find causing incorrect Trusted CA matching
The while loop conditions in TLSX_TCA_Find were inverted, causing two
bugs: the loop short-circuited on type match alone without checking the
id content, and the XMEMCMP sense was reversed (continuing on match,
stopping on mismatch). This meant any TCA entry with a matching type
would be returned as a match regardless of whether the identifier
actually matched.

Restructure the loop to correctly require both type and id (size +
content) to match before returning an entry, and to match any entry
immediately for PRE_AGREED type.

Add test_TLSX_TCA_Find unit test exercising exact match, mismatched id,
and PRE_AGREED cases via memio handshake.
2026-02-17 10:35:54 +00:00
Josh Holtrop 2be175fa35 Fix integrity-only cipher nonce calculation 2026-02-16 21:30:03 -05:00
Chris Conlon 36a28ac08c Merge pull request #9713 from padelsbach/crl-generation-cert-updates
Add cert/CRL capabilities: skid, akid, dist point, netscape
2026-02-16 15:29:18 -07:00
David Garske db82c3ef59 Merge pull request #9777 from Pushyanth-Infineon/fix_TLSX_IsGroupSupported_switch_case_handling
Fix switch case handling in TLSX_IsGroupSupported function
2026-02-16 13:13:46 -08:00