Commit Graph

29160 Commits

Author SHA1 Message Date
Eric Blankenhorn e6a4cb232c Fix issue in TLS_hmac size calculation 2026-02-26 10:26:20 -06:00
Eric Blankenhorn edd943e115 Fix prefix map issues 2026-02-26 10:18:31 -06:00
Eric Blankenhorn be7f934157 Add test case 2026-02-26 10:18:31 -06:00
Eric Blankenhorn 187534855d Fix issues in TLS Extension size calculations 2026-02-26 10:18:30 -06:00
Daniel Pouzzner 100e79f9e5 wolfcrypt/src/aes.c: add _TI_CRYPT and _RISCV_ASM fallthrough definitions for Aes{En,de}crypt_preFetchOpt. 2026-02-26 09:24:10 -06:00
Juliusz Sosinowicz fe85ca643a Add test for EC_POINT_dup 2026-02-26 15:18:36 +01:00
Juliusz Sosinowicz fc0ec06e72 sssd 2.10.2 changes 2026-02-26 15:18:36 +01:00
Andrew Hutchings 110f5cb442 Fix ECH error code: use BUFFER_ERROR for malformed peer input
Change innerClientHelloLen underflow guard in TLSX_ECH_Parse from
BAD_FUNC_ARG to BUFFER_ERROR to match the convention used throughout
tls.c for wire-protocol length/bounds validation.
2026-02-26 14:09:01 +00:00
JacobBarthelmeh 5a72a37b58 Merge pull request #9806 from julek-wolfssl/bind-9.20.11
Add bind 9.20.11 to the test matrix
2026-02-25 16:45:30 -07:00
JacobBarthelmeh 1b1b085290 Merge pull request #9822 from SparkiDev/mlkem_decap_h_set
ML-KEM decapsulate: check for H
2026-02-25 16:44:47 -07:00
Sean Parkinson 2064ff461c Merge pull request #9797 from douzzer/20260218-aes-prefetch-optimize
20260218-aes-prefetch-optimize
2026-02-26 08:27:08 +10:00
JacobBarthelmeh 76816a0e11 Merge pull request #9823 from embhorn/zd21242
Add sanity checks in key export
2026-02-25 14:38:46 -07:00
JacobBarthelmeh e317aa2b70 Merge pull request #9827 from embhorn/zd21241
Fix cert chain size issue
2026-02-25 14:30:58 -07:00
JacobBarthelmeh ee616b4774 Merge pull request #9828 from rizlik/sigalgofix
tls13: don't create a new suite in CertificateRequest, fallback to WOLFSSL_SUITES(sa->ssl)
2026-02-25 14:08:09 -07:00
Josh Holtrop 67c500ec87 Rust wrapper: add mlkem module 2026-02-25 14:16:20 -05:00
JacobBarthelmeh b5b7dc89ac Merge pull request #9819 from holtrop-wolfssl/rust-ml-dsa
Rust wrapper: add dilithium module
2026-02-25 10:18:03 -07:00
Juliusz Sosinowicz 5c38f440fa Add msmtp action
Depends on https://github.com/wolfSSL/osp/pull/317
2026-02-25 17:58:38 +01:00
JacobBarthelmeh b63f878300 Merge pull request #9742 from sameehj/pkcs7-rsa-pss
pkcs7: add RSA-PSS support for SignedData
2026-02-25 09:55:00 -07:00
Daniel Pouzzner c962b8cd8f Merge pull request #9832 from JacobBarthelmeh/arduino
reduce arduino coverage to avoid tests failing from external changes
2026-02-25 10:11:23 -06:00
Juliusz Sosinowicz ef325bbed8 Changes for socat 1.8.0.3 2026-02-25 17:04:11 +01:00
Eric Blankenhorn 75b0808fe5 Update from review 2026-02-25 09:02:55 -06:00
Eric Blankenhorn 41ebc92fa5 Replace macros from stdint.h with literals to make code more generic 2026-02-25 09:00:57 -06:00
Eric Blankenhorn 4f8f11bcba Add test case 2026-02-25 09:00:57 -06:00
Eric Blankenhorn 67de2349da Add sanity checks in key export 2026-02-25 09:00:57 -06:00
Juliusz Sosinowicz e9a2f27b2c Address peer review 2026-02-25 15:46:20 +01:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
Marco Oliverio 20eeba3d89 test: tls13: add wolfSSL_set1_sigalgs_list test 2026-02-25 12:10:48 +01:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
JacobBarthelmeh 3f3bf7501c reduce arduino coverage to avoid tests failing from external changes 2026-02-24 16:35:10 -07:00
JacobBarthelmeh 47033c4b3e Merge pull request #9826 from Frauschi/declaration-after-statement
Wdeclaration-after-statement fixes
2026-02-24 16:14:00 -07:00
Kareem 9a0c18c8fa Work around error: enumerated and non-enumerated type in conditional expression 2026-02-24 15:19:31 -07:00
Daniel Pouzzner 314da6d6bc wolfssl/wolfcrypt/types.h: work around limitations of Watcom and Windows preprocessors, re WC_ARG_NOT_NULL and friends. 2026-02-24 15:41:11 -06:00
Daniel Pouzzner 39987a9d53 wolfcrypt/src/aes.c, wolfcrypt/src/cmac.c, wolfssl/wolfcrypt/aes.h, wolfssl/wolfcrypt/types.h: optimizations to mitigate performance regressions from 299e7bd097 (#9783):
* add prefetch_ptr flag argument to AesEncrypt_C() and AesDecrypt_C(), and call PreFetchTe() and PreFetchSBox() only if *prefetch_ptr is zero, whereupon it is set to 1;
* when C implementations are available, add prefetch_ptr arg to wc_AesEncrypt() and wc_AesDecrypt(), and pass it through;
* in functions that directly call the AES block encryption methods, opportunistically inhibit prefetch on all but the first call;
* move AES-specific code in wc_CmacUpdate() in cmac.c to wc_local_CmacUpdateAes() in aes.c to let it use conditional prefetching;
* add WC_ARG_NOT_NULL(), WC_ARGS_NOT_NULL(), and WC_ALL_ARGS_NOT_NULL attribute abstractions.
2026-02-24 13:59:12 -06:00
Josh Holtrop 7af0fa497a Rust wrapper: update dilithium module after review 2026-02-24 14:23:59 -05:00
Eric Blankenhorn 5536ecf026 Fix issue from review 2026-02-24 12:43:46 -06:00
Eric Blankenhorn 8f787909da Fix from review 2026-02-24 11:17:42 -06:00
Marco Oliverio d72fcb1d27 tls13: avoid to create a new suite in CertificateRequest
This way the ssl object honour the HasSigAlgo list set by
wolfSSL_set1_sigalgs_list.
2026-02-24 18:02:26 +01:00
Eric Blankenhorn 2ae3164c6f Fix cert chain size issue 2026-02-24 09:27:42 -06:00
Tobias Frauenschläger 96fc896265 Wdeclaration-after-statement fixes 2026-02-24 16:20:10 +01:00
Daniel Pouzzner 66566955db wolfssl/wolfcrypt/wc_port.h, wolfssl/wolfcrypt/sha256.h, wolfssl/wolfcrypt/sha512.h, wolfssl/wolfcrypt/sp.h, wolfssl/wolfcrypt/wc_mlkem.h: add WC_NO_INLINE. 2026-02-23 23:03:08 -06:00
Sean Parkinson 8a75e7d1c7 ML-KEM decapsulate: check for H
Decapsulation needs H, hash of public key, and it is not present if you
have a new key made from a seed.
Code changed to check for and create H in decapsulate.
2026-02-24 10:11:05 +10:00
Kareem 0463e37716 Pad session ID with 0s if session ticket length is less than ID_LEN.
Prevents underflow in SetTicket.
Thanks to Arjuna Arya for discovering and reporting this.
2026-02-23 16:46:01 -07:00
Kaleb Himes a08efc9b0a Merge pull request #9821 from douzzer/20260223-fix2-configure-kernel-mode-defaults
20260223-fix2-configure-kernel-mode-defaults
2026-02-23 16:33:03 -07:00
Daniel Pouzzner 1270733838 configure.ac: fix typo, $enabled_rng for $enable_rng, in KERNEL_MODE_DEFAULTS setup added in a21dad9555. 2026-02-23 16:05:24 -06:00
Kaleb Himes 9b10357e78 Merge pull request #9820 from douzzer/20260223-fix-configure-kernel-mode-defaults
20260223-fix-configure-kernel-mode-defaults
2026-02-23 14:46:45 -07:00
JacobBarthelmeh 505d170631 Merge pull request #9812 from rlm2002/coverity
02202026 Coverity changes
2026-02-23 14:42:48 -07:00
David Garske c3bc68806c Merge pull request #9811 from julek-wolfssl/ntp-4.2.8p18
Add changes for ntp 4.2.8p18
2026-02-23 10:46:11 -08:00
Daniel Pouzzner a21dad9555 configure.ac: fixes for 47dd864f32 (#9815) -- in KERNEL_MODE_DEFAULTS setup, add additional conditions for automatic activation of AES modes and CMAC, ECC options, and SHAKE, to avoid configuration conflicts in barebones configurations. 2026-02-23 12:31:37 -06:00
Andrew Hutchings 599eec673e Fix ImportKeyState wordAdj always-zero bug in DTLS session import
In ImportKeyState(), wordAdj was always zero because it was computed
after clamping wordCount, and the subtraction direction was reversed.
This caused misaligned parsing of all subsequent fields when importing
state from a peer compiled with a larger WOLFSSL_DTLS_WINDOW_WORDS.

Fix both window and prevWindow blocks to compute the adjustment before
clamping, with the correct subtraction direction.

Add test that imports a state buffer with wordCount > WOLFSSL_DTLS_WINDOW_WORDS
to verify the fix.
2026-02-23 16:52:52 +00:00