Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.
This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.
To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.
The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.
The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.
Added unit tests for the new APIs and enforcement.
tests/api.c: use WOLFSSL_FILETYPE_PEM, not SSL_FILETYPE_PEM;
tests/api/test_dtls.c and tests/api/test_dtls13.c: use WOLFSSL_ERROR_WANT_READ, not SSL_ERROR_WANT_READ.
DecodeExtensionType() guarded the certificatePolicies duplicate check
(VERIFY_AND_SET_OID) under WOLFSSL_SEP only, because the extCertPolicySet
tracking bit was SEP-only. In a WOLFSSL_CERT_EXT-without-WOLFSSL_SEP build a
cert with two certificatePolicies extensions was accepted and the second
silently overwrote the first (RFC 5280 4.2 forbids repeats). Make the bit and
the guard available under WOLFSSL_CERT_EXT too, matching every other
non-repeatable extension.
Add test_DecodeCertExtensions_dup_certpol (DecodeExtensionType now
WOLFSSL_TEST_VIS).
Instead of failing when top bit is set, the standard and current research says to mask it.
WOLFSSL_X25519_NO_MASK_PEER is added to allow the rejection when required.
Regenerate the SP backends so the ECDH secret generators check the caller's
buffer against the number of bytes actually written. Adds a P-384/P-521
buffer-size regression test.
Only exempt the missing-certificate check during the initial handshake; once a
post-handshake CertificateRequest is outstanding the server again requires the
client certificate (and its CertificateVerify). Adds a post-handshake auth
test.
Ensure a peer's certificate form (X.509 vs raw public key) matches the
negotiated certificate type, defaulting to X.509 when none was negotiated,
on both the client and server. Adds RPK regression tests covering both
directions.
Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
MatchNameConstraint() compared wildcard DNS SANs literally, so
*.example.com was not rejected by an excluded subtree covering
foo.example.com. Route WOLFSSL_GEN_DNS through
wolfssl_local_MatchDnsNameConstraint(), passing the subtree direction:
permitted subtrees require every wildcard expansion to stay inside the
subtree, excluded subtrees reject when any expansion can fall inside.
This matches what ConfirmNameConstraints() already does.
Replace ExtractHostFromUri() plus DNS-style base matching in
MatchNameConstraint() with wolfssl_local_MatchUriNameConstraint(), and
make wolfSSL_NAME_CONSTRAINTS_check_name() fail closed like
ConfirmNameConstraints(): when URI subtrees are present, a URI name
without a DNS host is rejected instead of passing excluded-only
constraints as a plain non-match.
This aligns the compat layer with RFC 5280 URI constraint semantics: a
base without a leading dot now matches the host exactly instead of as a
DNS subtree, and IP hosts no longer match at all.
One trailing dot marks an absolute FQDN and is not part of the host:
"host.com." and "host.com" denote the same host. Strip it from the
URI host before classification (so "12.31.2.3." is still recognized
as an IPv4 address) and from the constraint base before the exact-match
comparison, mirroring what wolfssl_local_MatchBaseName() already does
for DNS name constraints. Only a single dot is the marker: an empty
last label ("host.com..") is rejected.
RFC 5280 4.2.1.10 defines URI name constraints in terms of a host that
is a fully qualified domain name; RFC 3986 IP-literal ([...]) and
IPv4address hosts are not DNS reg-names and cannot be meaningfully
matched against a DNS-style constraint base.
- Classify the host extracted by GetUriHost (IP-literal, IPv4address,
reg-name) and validate that a reg-name has no empty labels.
- wolfssl_local_MatchUriNameConstraint() no longer matches URIs whose
host is an IP address.
- ConfirmNameConstraints() fails closed: when URI constraints are
present, a URI SAN without a DNS host is rejected. A plain non-match
would otherwise let such names pass excluded-only constraints.