Commit Graph

29160 Commits

Author SHA1 Message Date
Josh Holtrop 2c981d67e6 Rust wrapper: check all buffer lengths when converting to u32/i32
Fix F-1068
2026-04-14 20:50:08 -04:00
Josh Holtrop f00636919e Rust wrapper: check kdr_index range in srtp_kdf() and srtcp_kdf()
Fix F-1257
2026-04-14 20:50:08 -04:00
Josh Holtrop 5c10fe9a58 Rust wrapper: BLAKE2: check for non-empty hash buffer in finalize()
This is related to F-1070 but not the same. We do not need to check
that hash_size being passed in matches the initialized digest size
because the C function will use the passed-in size as long as it is
non-zero.
2026-04-14 20:50:08 -04:00
Josh Holtrop 56c20aeda0 Rust wrapper: dilithium: remove unnecessary size define presence checks
Fix F-1256
2026-04-14 20:50:08 -04:00
Josh Holtrop 5959aa2b58 Rust wrapper: ed448: add check for context buffers too long
Fix F-1064
2026-04-14 20:50:08 -04:00
Josh Holtrop 4f42ba9aa7 Rust wrapper: ed25519: add check for context buffers too long
Fix F-1063
2026-04-14 20:50:08 -04:00
Josh Holtrop 337dfc323e Rust wrapper: avoid uninitialized sys::XtsAesStreamData
Fix F-1066
2026-04-14 20:50:08 -04:00
Josh Holtrop 9843f0365a Rust wrapper: avoid creating a MaybeUninit<RNG>
Fix F-1067
2026-04-14 20:50:08 -04:00
Josh Holtrop a8fa845fa9 Rust wrapper: ecc: fix possible resource leak in some error cases
Fix F-1062.

If wolfSSL returns an error after initializing ECC struct with
wc_ecc_init_ex(), wc_ecc_free() might not have been called in all cases.

Move construction of the ECC struct earlier ahead of further wolfSSL
calls after wc_ecc_init_ex() so if those subsequent wolfSSL calls return
an error the Drop impl for ECC will be called to deinitialize.
2026-04-14 20:50:07 -04:00
Sean Parkinson 5ad6097f15 Merge pull request #10168 from night1rider/zd-21534
Address bug fixes sent in by ZD 21534
2026-04-15 09:11:04 +10:00
Sean Parkinson 8fd896aa49 Merge pull request #10191 from dgarske/csharp_pqc
C# Wrapper: ML-KEM and ML-DSA (Dilithium) Support
2026-04-15 09:05:25 +10:00
Sean Parkinson 0b88017e20 Merge pull request #10181 from embhorn/zd21567
Fix ReqCertFromX509 to check bounds
2026-04-15 09:01:25 +10:00
Sean Parkinson 409b5fcf38 Merge pull request #10172 from embhorn/zd21568
Fix pkcs12 parse issue
2026-04-15 09:00:12 +10:00
Sean Parkinson 14ebd3d649 Merge pull request #10170 from embhorn/zd21566
Fix partial chain verification
2026-04-15 08:58:28 +10:00
night1rider a99a72029c narrow ecc_size/sig_size guards to SETKEY||EXPORT_KEY, update _WC_PK_TYPE_MAX, const-qualify export_key.obj, call _ecc_import_x963_ex2 directly, fix GetSetKeyTypeStr, fix NULL deref in wc_RsaPrivateKeyDecode with WOLF_CRYPTO_CB_FIND, add FIND CI config. 2026-04-14 16:21:50 -06:00
night1rider d58eea5566 Address pr review: add braces, move scope of variables, add X9.63 comment 2026-04-14 16:21:50 -06:00
night1rider bf1013bfd4 Address feedback from Fenrir 2026-04-14 16:21:50 -06:00
night1rider 642a65a34d Add export hooks for ecc 2026-04-14 16:21:50 -06:00
night1rider 79b0d9f9f5 Add setkey/exportkey/eccgetsize test coverage in api.c 2026-04-14 16:21:50 -06:00
night1rider 1295f4fe0e Add WOLF_CRYPTO_CB_SETKEY and WOLF_CRYPTO_CB_EXPORT_KEY crypto callback
utilities for generic SetKey and ExportKey operations on HMAC, RSA, ECC,
  and AES. Add wc_ecc_size/wc_ecc_sig_size callback hooks for hardware-only
  keys. Integrate into configure.ac as --enable-cryptocbutils=setkey,export
  options with CI test configurations in os-check.yml.

  Add test handlers in test.c and api.c with export/import delegation
  pattern, small-stack-safe allocations, custom curve support, and
  DEBUG_CRYPTOCB helpers.
2026-04-14 16:21:50 -06:00
Kareem 5defbc3219 Tasking compiler does not support #warning and needs the #pragma message case where available.
Fixes #10108.
2026-04-14 15:06:20 -07:00
Kareem 5662077267 Fix uninitialized before use warning in wc_Dilithium_PublicKeyDecode. 2026-04-14 15:00:53 -07:00
Eric Blankenhorn fb726b70c7 Fix from review 2026-04-14 16:44:16 -05:00
Sean Parkinson 64c4203d96 Merge pull request #10214 from douzzer/20260413-cross-riscv64-all-asm-fips-dev
20260413-cross-riscv64-all-asm-fips-dev
2026-04-15 07:13:53 +10:00
Eric Blankenhorn 6aa9db43f2 Fix from review 2026-04-14 15:53:00 -05:00
Ruby Martin e7b7fddacb Apply DNS constraints to subject CN when SAN is not available. 2026-04-14 14:47:48 -06:00
David Garske e3e95c0454 Merge pull request #10213 from SparkiDev/api_test_cipher_algs_2
Unit testing: Add Monte Carlo testing to ciphers
2026-04-14 13:05:08 -07:00
Eric Blankenhorn 2e5a0b76af Various fixes in internal.c 2026-04-14 15:01:12 -05:00
Eric Blankenhorn a8ea8a898c Fix from review 2026-04-14 13:39:17 -05:00
David Garske 584489f2e0 Merge pull request #10211 from night1rider/mlkem-cryptocb-sha3-hashtype-bug
Mlkem cryptocb sha3 hashtype not reset after final call
2026-04-14 11:08:26 -07:00
Eric Blankenhorn 4a13896b2e Report cert verify failure with MD5 2026-04-14 12:31:01 -05:00
David Garske 9ed79a2815 Merge pull request #10189 from michael-membrowse/master
ci: membrowse integration
2026-04-14 09:25:53 -07:00
David Garske c01eca5fc8 Merge pull request #10206 from Frauschi/mlkem-dynamic-key-2
Store the size of the allocated private key buffer for ML-KEM
2026-04-14 09:15:10 -07:00
Marco Oliverio f55ecb5124 se050: add support for SE050 SIGN ONLY options 2026-04-14 18:07:30 +02:00
Marco Oliverio 5cd2db0b4d se050: skip ecc_test_buffers (invalid digest sz) 2026-04-14 18:07:30 +02:00
Marco Oliverio 0fbfbb8089 se050: refuse invalid digest sz in ECDSA 2026-04-14 18:07:30 +02:00
Marco Oliverio e6a7be8969 test: rsa: reset RSA key between operation 2026-04-14 18:07:30 +02:00
Marco Oliverio ed2e230f78 se050: initialize keyId to abide compilers 2026-04-14 18:07:30 +02:00
Marco Oliverio fff6f3fc32 se050: fix RSA Encrypt with only pubkey setting keyId 2026-04-14 18:07:30 +02:00
Andrew Hutchings 931893c62b Address items in code review 2026-04-14 18:07:30 +02:00
Andrew Hutchings f08d7ba950 Fix SE050 RSA port bugs
- se050_rsa_verify: when the function uploads only the public part of the key (keyCreated == 1), erase the transient SE050 object and don't persist keyIdSet = 1. A subsequent sign on the same RsaKey was reusing the public-only SE050 object and failing. Pre-existing bindings (from wc_RsaUseKeyId or a prior sign that uploaded a keypair) are preserved untouched.

- rsa_keygen_test: add WOLFSSL_SE050 to the existing WOLFSSL_CRYPTOCELL guard around the export-then-decode round-trip. SE050-generated keys keep their private components in the secure element, so wc_RsaKeyToDer + wc_RsaPrivateKeyDecode cannot complete. Matching guard on the idx declaration to avoid an unused-variable warning.
2026-04-14 18:07:28 +02:00
Andrew Hutchings 6d2845751b Fix SE050 Ed25519 port bugs and add simulator CI workflow
- se050_ed25519_verify_msg: initialize *res = 0 at entry so failures don't leak a stale res = 1 from a prior good verify.
- Ed25519 import functions: reset keyIdSet / keyId under WOLFSSL_SE050 in wc_ed25519_import_private_key_ex, wc_ed25519_import_private_only, wc_ed25519_import_public_ex so overwriting host-side key material invalidates any prior SE050 object binding.
- New workflow .github/workflows/se050-sim.yml: builds wolfSSL against the NXP Plug&Trust SDK and runs the wolfCrypt tests against the SE050Sim simulator. Patches the upstream Dockerfile to use the PR's wolfSSL source.
- ed25519_test SE050 adjustments:
- Cap the RFC 8032 loop at 5 iters — iter 5's 1023 B msg exceeds NXP SDK SE05X_TLV_BUF_SIZE_CMD = 900.
  - rareEd verifies and private-only sign: expect WC_HW_E (SE050 delegates malformed-input rejection to the secure element) instead of BAD_FUNC_ARG / SIG_VERIFY_E.
  - Skip ed25519ctx_test / ed25519ph_test — SE050 port drops the context/prehash params so RFC 8032 ctx/ph vectors can't byte-match.
2026-04-14 18:05:51 +02:00
Jeremiah Mackey 83d71ee5cc guard DES3 length test with HAVE_FIPS 2026-04-14 15:40:06 +00:00
Juliusz Sosinowicz e5f569ad7c TLS 1.3: evict session from cache after accepted 0-RTT resumption
Per RFC 8446 section 8, a server MUST ensure that any instance of it
would accept 0-RTT for the same 0-RTT handshake at most once. Without
this, the same ClientHello could be replayed to re-accept early data on
a subsequent connection.

After the PSK is authenticated (binder verified) in DoPreSharedKeys,
call wolfSSL_SSL_CTX_remove_session on ssl->session when the client
offered 0-RTT and the session permits it. That evicts the entry from
the internal cache (under the row's write lock) and invokes the
application's ctx->rem_sess_cb so any external cache can drop its copy
too. The session's timeout is also cleared so the live reference held
by the current handshake cannot be resumed again.

The mutation is paid only when the client actually included the
early_data extension on a 0-RTT-capable session, so normal resumptions
are unaffected and the existing remove-callback counts in
test_wolfSSL_CTX_add_session_ext_{tls13,dtls13} stay correct.

wolfSSL_SSL_CTX_remove_session was previously declared and defined only
under the OpenSSL compatibility layer. Because it is now called from
the core TLS 1.3 PSK path, the declaration in wolfssl/ssl.h and the
definition in src/ssl_sess.c are moved out of that block to match the
existing !NO_SESSION_CACHE gate under which the function is meaningful.
wolfSSL_SSL_get0_session stays in the compat block.

test_tls13_early_data_0rtt_replay verifies the behaviour. It does a
full TLS 1.3 handshake with stateful tickets (SSL_OP_NO_TICKET) and
max_early_data > 0, then tries to resume the saved session twice while
offering 0-RTT each time. A minimal single-slot external session cache
is wired up via wolfSSL_CTX_sess_set_{new,get,remove}_cb to confirm
both caches are cleared. Round 0 must resume and deliver the early
data, and rem_calls must hit 1 (the fix's single eviction). Round 1
must fall back to a full handshake (session_reused == 0), deliver no
early data, and leave rem_calls at 1.

Verified against multiple configurations (incl. --enable-all
--enable-earlydata, the no-compat -DHAVE_EXT_CACHE build, and the
os-check.yml combo). Valgrind under -g2 -O0 with OPENSSL_EXTRA +
HAVE_EXT_CACHE + HAVE_EX_DATA reports no errors and no
definitely-lost bytes.

Refs wolfSSL/wolfssl#10197
2026-04-14 15:35:50 +00:00
Eric Blankenhorn 0c0c426875 Fix from review 2026-04-14 09:35:29 -05:00
Eric Blankenhorn 415c288965 Fix from review 2026-04-14 08:14:55 -05:00
Juliusz Sosinowicz 4a36d16b30 Fix bugs found in crl.c, keys.c, and ssl_certman.c review
crl.c:
- wolfSSL_X509_CRL_dup: add NULL check on input before dereferencing crl->cm
- DupX509_CRL: distinguish empty source CRL list from allocation failure so
  duplicating a CRL with no entries no longer returns MEMORY_E
- wolfSSL_X509_STORE_add_crl: free newly-allocated CRL when wc_LockRwLock_Rd
  fails to avoid leaking it
- InitCRL: propagate wolfSSL_RefInit failure in OPENSSL_ALL +
  WOLFSSL_REFCNT_ERROR_RETURN builds, freeing crlLock (and cond when
  HAVE_CRL_MONITOR is enabled) on the error path

keys.c:
- GetCipherSpec: remove duplicate usingPSK_cipher assignment in
  BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 case
- GetCipherSpec: return UNSUPPORTED_SUITE for unknown cipher suite bytes in
  the TLS13_BYTE, ECDHE_PSK_BYTE, and SM_BYTE switch blocks, matching the
  behavior of the ECC_BYTE, CHACHA_BYTE, and normal suite switches
- SetKeys: fix misleading indentation on the AESCCM and SM4-CCM dec->aes
  NULL-check return statements

ssl_certman.c / internal.h:
- AddTrustedPeer: remove dead code that checked peerCert->permittedNames
  and peerCert->excludedNames immediately after XMEMSET zeroed the struct
- AddTrustedPeer: use cm->heap (matching allocation) instead of NULL when
  freeing cert on the ParseCert failure path
- Extract the body of wolfSSL_CertManagerFree into a new static helper
  DoCertManagerFree that unconditionally disposes of the certificate
  manager, bypassing the reference count check. wolfSSL_CertManagerFree
  now delegates to it after the RefDec check.
- Add caLockInit, tpLockInit, and refInit bitfield members to
  WOLFSSL_CERT_MANAGER that track which sub-resources were successfully
  initialized. DoCertManagerFree consults these flags so that it only
  destroys mutexes and the reference count that were actually set up,
  which makes partial-construction cleanup safe without relying on
  platform-specific behavior of free-on-zeroed-storage.
- wolfSSL_CertManagerNew_ex: set the init flags as each sub-resource is
  initialized, and on failure call DoCertManagerFree directly to free
  exactly the resources that succeeded. Set cm->heap immediately after
  XMEMSET so the forceful free path can use it.
2026-04-14 13:14:21 +00:00
Eric Blankenhorn c873f3f77d Fix from review 2026-04-14 07:58:43 -05:00
Eric Blankenhorn 68b3bbb16f Fix from review 2026-04-14 07:47:29 -05:00
Eric Blankenhorn 2b503dae54 Fix from review 2026-04-14 07:41:30 -05:00