Commit Graph

22 Commits

Author SHA1 Message Date
JacobBarthelmeh b5738236d9 Merge pull request #10187 from embhorn/zd21587
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Jeremiah Mackey a0614dd3c0 add negative tests for TLS handshake verification paths 2026-04-16 14:37:07 +00:00
Juliusz Sosinowicz e5f569ad7c TLS 1.3: evict session from cache after accepted 0-RTT resumption
Per RFC 8446 section 8, a server MUST ensure that any instance of it
would accept 0-RTT for the same 0-RTT handshake at most once. Without
this, the same ClientHello could be replayed to re-accept early data on
a subsequent connection.

After the PSK is authenticated (binder verified) in DoPreSharedKeys,
call wolfSSL_SSL_CTX_remove_session on ssl->session when the client
offered 0-RTT and the session permits it. That evicts the entry from
the internal cache (under the row's write lock) and invokes the
application's ctx->rem_sess_cb so any external cache can drop its copy
too. The session's timeout is also cleared so the live reference held
by the current handshake cannot be resumed again.

The mutation is paid only when the client actually included the
early_data extension on a 0-RTT-capable session, so normal resumptions
are unaffected and the existing remove-callback counts in
test_wolfSSL_CTX_add_session_ext_{tls13,dtls13} stay correct.

wolfSSL_SSL_CTX_remove_session was previously declared and defined only
under the OpenSSL compatibility layer. Because it is now called from
the core TLS 1.3 PSK path, the declaration in wolfssl/ssl.h and the
definition in src/ssl_sess.c are moved out of that block to match the
existing !NO_SESSION_CACHE gate under which the function is meaningful.
wolfSSL_SSL_get0_session stays in the compat block.

test_tls13_early_data_0rtt_replay verifies the behaviour. It does a
full TLS 1.3 handshake with stateful tickets (SSL_OP_NO_TICKET) and
max_early_data > 0, then tries to resume the saved session twice while
offering 0-RTT each time. A minimal single-slot external session cache
is wired up via wolfSSL_CTX_sess_set_{new,get,remove}_cb to confirm
both caches are cleared. Round 0 must resume and deliver the early
data, and rem_calls must hit 1 (the fix's single eviction). Round 1
must fall back to a full handshake (session_reused == 0), deliver no
early data, and leave rem_calls at 1.

Verified against multiple configurations (incl. --enable-all
--enable-earlydata, the no-compat -DHAVE_EXT_CACHE build, and the
os-check.yml combo). Valgrind under -g2 -O0 with OPENSSL_EXTRA +
HAVE_EXT_CACHE + HAVE_EX_DATA reports no errors and no
definitely-lost bytes.

Refs wolfSSL/wolfssl#10197
2026-04-14 15:35:50 +00:00
Eric Blankenhorn 8f73ae460d Fix TLSX_Parse to check dup ECH 2026-04-14 07:37:21 -05:00
Tobias Frauenschläger b0763ea4d1 Error out in case of unknown extensions in response message in TLS 1.3 2026-04-10 17:43:35 +02:00
Anthony Hu 46f6320380 Fix PQC hybrid KeyShare pointer sanity.
Also add tests for it and SetTicket
2026-03-27 14:33:41 -04:00
sebastian-carpenter 406f5033c6 verify ciphersuite in CH2 matches HRR 2026-03-20 16:07:27 -06:00
JacobBarthelmeh 528b22140b revert PR 9909 2026-03-10 14:47:21 -06:00
Eric Blankenhorn 4b09fb36d9 Add test test_tls13_derive_keys_no_key 2026-03-09 09:49:37 -06:00
Tobias Frauenschläger a2622746cd Error out in case of unknown extensions in response message in TLS 1.3 2026-03-06 17:09:49 +01:00
Tobias Frauenschläger 11fc781d0d Treat alerts as fatal errors regardless of level in TLS1.3 2026-03-05 18:21:02 +01:00
Marco Oliverio 20eeba3d89 test: tls13: add wolfSSL_set1_sigalgs_list test 2026-02-25 12:10:48 +01:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Anthony Hu c3c9acc5bf Middle box compatibility compliance. 2026-02-13 10:28:12 -05:00
Sean Parkinson b766f11e7b TLS 1.3, plaintext alert: ignore when expecting encrypted
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
2025-12-23 09:09:06 +10:00
Juliusz Sosinowicz f61bfd7805 Check KeyShare after HRR 2025-12-17 10:27:04 +01:00
Sean Parkinson d3863e5fa3 TLS 1.3: duplicate extension alert code fix
The specification states to return illegal_parameter when a message is
syntactically correct but semantically invalid. (RFC 8446 section 6,
Paragraph 5)
2025-12-15 10:00:56 -08:00
Sean Parkinson 44be44a509 TLS 1.3 missing extension: return correct alert code
Change TLS 1.3 handling to return missing_extension alert code when
 - KeyShare is present but SupportedGroups is missing and
 - SupportedGroups is present but KeyShare is missing

Added tests for this.
2025-12-15 09:07:13 +10:00
Juliusz Sosinowicz c14b1a0504 Validate cipher suite after HelloRetryRequest
- Add validation to ensure the cipher suite in the ServerHello matches the one specified in the HelloRetryRequest.
- test_TLSX_CA_NAMES_bad_extension: use the same ciphersuite in HRR and SH
2025-10-29 13:14:50 +01:00
Juliusz Sosinowicz f798a585d9 Abort connection if we are about to send the same CH 2025-09-26 12:08:53 +02:00
Sean Parkinson 115d4d88c0 api.c: pull out TLS 1.3 specific tests 2025-08-26 09:05:46 +10:00