Commit Graph

421 Commits

Author SHA1 Message Date
Anthony Hu 7336ed7cee Fixes ZD 19760
Before this fix, the certificates were not getting into the certificate manager.
This makes sure they are going in.
2026-04-09 13:09:17 -04:00
Daniel Pouzzner 60d1e222b2 globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
JacobBarthelmeh 7aac9e5766 Merge pull request #10139 from philljj/fix_nightly_mem
Fix nightly mem
2026-04-07 09:08:01 -06:00
Daniel Pouzzner 9347c895fc Merge pull request #10133 from Frauschi/ecc_curve_validation
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner 32502e9963 Merge pull request #10102 from Frauschi/zd21460
Various fixes
2026-04-06 18:41:31 -05:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
jordan f48fd9595d test_pkcs7: use XFREE instead of free. 2026-04-06 13:53:11 -05:00
Daniel Pouzzner abce5be989 wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:
* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>
2026-04-06 00:53:57 -05:00
Daniel Pouzzner 0c9b6397be Merge pull request #10103 from gasbytes/fix-dtls13-oversized-cert-chain
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains
2026-04-03 11:55:03 -05:00
Reda Chouk 1653ecd07e Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains 2026-04-03 12:10:42 +02:00
Tobias Frauenschläger e5ab7fa745 x509: fix CA:FALSE bypass in wolfSSL_X509_verify_cert
When an untrusted issuer has CA:FALSE and no verify_cb is registered,
the !isCa branch now fails closed (ret=WOLFSSL_FAILURE, goto exit)
instead of falling through and skipping X509StoreVerifyCert for the
leaf. SetupStoreCtxError_ex is also hardened to never overwrite a
previously recorded error with success, preventing a later valid chain
link from clobbering ctx->error back to X509_V_OK. Tests added for
both the no-callback rejection and the error-preservation cases.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:16 -06:00
Daniel Pouzzner d278da09df Merge pull request #10112 from embhorn/zd21470
Fix CertFromX509 copy length check
2026-04-02 23:21:11 -05:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00
Daniel Pouzzner b6d8829ba9 Merge pull request #10114 from Frauschi/fenrir
Fenrir fixes
2026-04-02 22:52:48 -05:00
Eric Blankenhorn 2b1cde5bbb Fix test for FIPS config 2026-04-02 16:13:18 -05:00
Eric Blankenhorn 3893fd3c6e Fix feedback from review 2026-04-02 16:13:18 -05:00
Eric Blankenhorn 772cda3d48 Fix CertFromX509 copy length check 2026-04-02 16:13:18 -05:00
Tobias Frauenschläger 1faddd640e evp: verify Poly1305 tag on ChaCha20-Poly1305 decrypt
EVP_DecryptFinal_ex() called wc_ChaCha20Poly1305_Final() which only
computes the Poly1305 tag, writing it into ctx->authTag and
overwriting the expected tag stored there by EVP_CTRL_AEAD_SET_TAG.
No comparison was ever performed, so any forged tag was accepted.

Fix: save the expected tag before calling Final(), then verify with
wc_ChaCha20Poly1305_CheckTag() on the decrypt path, mirroring the
existing AES-GCM branch. Add a regression test that asserts
EVP_DecryptFinal_ex() rejects an all-zero forged tag.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger b6b8de1f59 Add bounds checks for Blake2 digest size 2026-04-02 11:55:41 +02:00
Juliusz Sosinowicz 4cf33849b8 Fix multiple bugs in OCSP implementation
- wolfSSL_i2d_OCSP_REQUEST_bio: save/restore pointer before i2d call
  that advances it, preventing BIO_write from wrong offset and heap
  corruption on free
- wolfSSL_d2i_OCSP_RESPONSE: remove (unsigned char) cast that truncated
  pointer advance to 8 bits, breaking responses larger than 255 bytes
- wolfSSL_OCSP_CERTID_dup: deep-copy CertStatus to prevent double-free
  when both original and duplicate are freed
- wolfSSL_i2d_OCSP_RESPONSE: add NULL check on response parameter
- wolfSSL_i2d_OCSP_REQUEST: advance *data pointer per i2d convention
- FreeOCSP: NULL-check ocsp->cm before dereferencing for heap
- Fix WOLFSSL_LEAVE strings to match actual function names in
  wc_CheckCertOcspResponse, GetOcspEntry, GetOcspStatus,
  CheckOcspResponse, CheckOcspRequest

Add test for CERTID dup (double-free confirmed under ASAN without fix)
and pointer advancement assertions for d2i_OCSP_RESPONSE callers.

Reported in: ZD21469
2026-04-02 11:24:25 +02:00
Daniel Pouzzner 24f9981877 Merge pull request #10120 from douzzer/20260331-wolfcrypt-Wcast-qual
20260331-wolfcrypt-Wcast-qual

approved by @padelsbach
2026-04-02 00:25:13 -05:00
Daniel Pouzzner 661eb46d04 Merge pull request #10117 from gasbytes/2025-03-31-dtls-and-tls-focused-fixes
Multiple DTLS and TLS focused fixes.
2026-04-02 00:24:03 -05:00
Daniel Pouzzner 49cbbab6b0 Merge pull request #10039 from anhu/pkcs7_oob
Add bounds check in PKCS7 streaming indefinite-length end-of-content parsing
2026-04-02 00:16:49 -05:00
Daniel Pouzzner 5701f5db32 Merge pull request #10083 from anhu/privkeyset
Add privKeySet checks to Ed25519, Ed448, ML-DSA, and ML-KEM
2026-04-02 00:15:12 -05:00
Daniel Pouzzner d6fa846615 Merge pull request #10096 from padelsbach/dilithium-oob-shift
Fix out of bounds shift in ML-DSA
2026-04-02 00:13:06 -05:00
Daniel Pouzzner 4dc347082c Merge pull request #10071 from padelsbach/notbefore-notafter-bounds-check
Add bounds check on wolfSSL_X509_notBefore and wolfSSL_X509_notAfter
2026-04-02 00:08:32 -05:00
Daniel Pouzzner 21c6568883 Fixes for -Wcast-qual hygiene in wolfCrypt.
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.

wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:

  Remove incorrect const qualifier on the key argument in

  * wc_SignatureVerifyHash()
  * wc_SignatureVerify()
  * wc_SignatureGenerateHash()
  * wc_SignatureGenerateHash_ex()
  * wc_SignatureGenerate()
  * wc_SignatureGenerate_ex()

  This fixes UB code patterns throughout signature.c.  key is inherently
  accessed readwrite by the underlying low level crypto.  Fortunately, wolfCrypt
  has no APIs/methods to allow actual const MPI key objects, therefore these
  seeming breaking API changes can't actually break any users.

globally:

  * Add const qualifiers to all struct pointer members that are assigned values
    computed from const pointers.

  * Add const qualifiers to intermediate casts for accessors and read-only
    dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
    GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).

  * Add const qualifiers to internal declarations, and remove illegal casts, as
    needed for -Wcast-qual hygiene.

  * Add missing const qualifiers to all casts for argument, operand, and
    assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
    "*data = (const byte*)dataASN->data.ref.data" rather than
    "*data = (byte*)dataASN->data.ref.data".

wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:

  * Add additional lifecycle management for object members that are only sometimes locally allocated:

    DNS_entry.nameStored
    DNS_entry.ipStringStored
    DNS_entry.ridStringStored

wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
   prevents compiler optimizers from reordering operations across the barrier.

wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:

  * In blake2b_init(), blake2b_init_key(), blake2s_init(), and
    blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
    (fixes volatile abuse that triggered -Wcast-qual).

  * Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:

  Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
2026-04-01 14:12:02 -05:00
Reda Chouk d3ce5b8537 DTLS 1.3 and TLS 1.3 focused fixes
dtls13.c:
- Fix wrong return value in Dtls13SendFragmentedInternal error path (return outputSz instead of recordLength)
- Fix incomplete bounds check in Dtls13SendFragmented to account for DTLS_HANDSHAKE_HEADER_SZ
- Fix wrong WOLFSSL_ENTER trace string in Dtls13EpochCopyKeys

tls13.c:
- Remove wrong (byte) cast on cookie->len passed to TlsCheckCookie
- Add missing bounds check on PSK identityLen in SetupPskKey before copying to client_identity
- Fix data race on static header array in ExpectedResumptionSecret
- Add defensive underflow check in EncryptTls13 for consistency with DecryptTls13
- Fix wrong return variable in DTLS 1.3 Finished send error path (return dtlsRet instead of ret)
- Add missing SM3 case and default in Tls13_Exporter hash switch to prevent NULL dereference
- Initialize *outSz to 0 in wolfSSL_write_early_data to match wolfSSL_read_early_data
- Add bounds check for bindersLen against helloSz in CheckPreSharedKeys
- Fix resource leak and hash state corruption in ExpectedResumptionSecret error paths
- Fix memory leak of rsaSigBuf in dual-alg RSA+RSA CertificateVerify
- Guard against word32 underflow in inputLength - HANDSHAKE_HEADER_SZ in DoTls13HandShakeMsg
- Fix swapped side parameter in DeriveFinishedSecret for server-side Finished processing
- Fix no_mac fall-through in ssl_handshake_md to return NULL instead of wrong digest
- Fix strict aliasing violation in FindPsk PSK key size check
- Remove duplicate !ssl->options.dtls check in TLS 1.3 middlebox compat condition

tests:
- Add regression tests for wolfSSL_write_early_data outSz initialization and DTLS 1.3 Finished send error propagation
2026-04-01 18:36:45 +02:00
Anthony Hu c51cbe149b Get rid of a data file. 2026-04-01 09:00:43 -04:00
Juliusz Sosinowicz 829fbbc702 Fix namespace collision on CRL reasons 2026-04-01 14:00:27 +02:00
Anthony Hu 7be3d1f18d Better macro gating 2026-03-31 12:48:12 -04:00
Paul Adelsbach 73c6f2a91f Fix out of bounds shift in ML-DSA 2026-03-31 09:39:45 -07:00
Paul Adelsbach ec9b6cf469 Add test cases 2026-03-31 09:29:46 -07:00
Juliusz Sosinowicz 8b378bcfd1 fixup! DTLS1.3: Implement RFC 9147 legacy_session_id_echo requirements 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz 3b0b50e392 DTLS1.3: Implement RFC 9147 legacy_session_id_echo requirements 2026-03-31 12:42:16 +02:00
Daniel Pouzzner 5f54de0577 Merge pull request #10076 from rizlik/dtls13_ack_improvements
Dtls13: ack management improvements
2026-03-30 22:59:54 -05:00
Marco Oliverio d1d6e587c0 test_dtls: remove bad char 2026-03-30 16:53:07 +02:00
Anthony Hu 46f6320380 Fix PQC hybrid KeyShare pointer sanity.
Also add tests for it and SetTicket
2026-03-27 14:33:41 -04:00
Daniel Pouzzner f0b711045c wolfssl/wolfcrypt/types.h: restore WC_ALLOC_DO_ON_FAILURE fallback definition from 760178c7dc -- reversion in part of 5f4d499df0. fixes optest build failures in all-crypto-only-intelasm-fips-v5-linuxkm-next-insmod-optest, all-crypto-only-intelasm-fips-v6-linuxkm-next-insmod-optest, and all-crypto-only-intelasm-fips-dev-linuxkm-next-insmod-optest. 2026-03-26 16:28:18 -05:00
Anthony Hu 30b196471b Add privKeySet checks to Ed25519, Ed448, ML-DSA, and ML-KEM 2026-03-26 14:56:00 -04:00
Marco Oliverio ccfc95809b test: dtls13: add ack test 2026-03-26 15:11:31 +01:00
Marco Oliverio 1c83e24a7a dtls13: keep a counter for seenRecords list 2026-03-26 15:11:31 +01:00
Anthony Hu 6721bde8e0 Add bounds check in PKCS7 streaming indefinite-length end-of-content parsing 2026-03-25 20:03:00 -04:00
David Garske c64fd4f132 Merge pull request #9905 from julek-wolfssl/WC_ALLOC_DO_ON_FAILURE-cleanup
Don't declare WC_ALLOC_DO_ON_FAILURE by default
2026-03-24 09:35:03 -07:00
David Garske 73bea906be Merge pull request #10034 from sebastian-carpenter/GH-10016
verify ciphersuite in CH2 matches HRR
2026-03-24 09:31:45 -07:00
David Garske 328822b447 Merge pull request #10047 from Frauschi/mldsa_no_ctx
Guard old non-ctx ML-DSA API by default
2026-03-24 09:26:24 -07:00
David Garske bddeac1d72 Merge pull request #9952 from julek-wolfssl/zd/21324
wolfSSL_X509_verify_cert: add host check from `ctx->param`
2026-03-24 09:26:12 -07:00
David Garske 3cf4aeab5c Merge pull request #10025 from embhorn/zd21392
Fix DecodeObjectId unknown ext parse
2026-03-24 09:17:10 -07:00
David Garske ab8cd6fc46 Merge pull request #9937 from douzzer/20260306-wc_Hash-refactor
20260306-wc_Hash-refactor
2026-03-24 08:48:08 -07:00
David Garske 3b9084142d Merge pull request #10020 from SparkiDev/sp_int_ai_fixes_1
SP int: fixes from AI review
2026-03-24 08:43:50 -07:00