Commit Graph

9846 Commits

Author SHA1 Message Date
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 02d08790af Merge pull request #10575 from julek-wolfssl/fenrir-fixes-20260601
Fenrir: TLS/DTLS conformance and crypto hardening fixes
2026-06-05 16:26:05 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner 97095d209a Merge pull request #10561 from sebastian-carpenter/tls-ech-send-on-rejection
Enhancement: Stand out less with ECH or GREASE ECH
2026-06-05 16:23:41 -05:00
Daniel Pouzzner 3012154367 Merge pull request #10259 from sebastian-carpenter/tls-ech-keylog
TLS ECH keylogging
2026-06-05 16:22:11 -05:00
Daniel Pouzzner fe77e37025 Merge pull request #10476 from julek-wolfssl/cache-overhead
Cache AEAD record overhead on WOLFSSL
2026-06-05 16:20:15 -05:00
Daniel Pouzzner c99567c96d Merge pull request #10596 from SparkiDev/regression_fixes_24
Regression testing fixes
2026-06-05 13:37:56 -05:00
Daniel Pouzzner f8f1e932a5 Merge pull request #10534 from SparkiDev/tls13_psk_id_fix
TLSv1.3 PSK binders: always use id protection
2026-06-05 12:36:00 -05:00
Daniel Pouzzner 2d186b378a Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc
TLS 1.3 plaintext alert: ignore before seeing encrypted
2026-06-05 11:12:47 -05:00
Daniel Pouzzner 4bf2d52780 Merge pull request #10571 from Frauschi/mlkem_rename
Migrate internal ML-KEM consumers to canonical wc_MlKemKey API
2026-06-05 11:00:44 -05:00
Daniel Pouzzner d80785bb07 Merge pull request #10583 from Frauschi/zephyr_patch
Fixes for Zephyr secure sockets integration
2026-06-05 10:06:23 -05:00
Sean Parkinson b0757c1cb7 TLS 1.3 plaintext alert: ignore before seeing encrypted
Change to ignore plaintext alerts when
WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined only until first
encrypted message from peer is seen.

Negative testing added.
2026-06-05 12:35:04 +10:00
Sean Parkinson 0796519a99 More regression testing fixes
Leak fixes: free existing ssl->buffers.key before overwriting in SetSSL_CTX() (internal.c) and wolfSSL_set_SSL_CTX() (ssl.c)

UAF fix: wc_CheckRsaKey() — mp_memzero_check(tmp) moved before the free (rsa.c)

Build guards: #ifndef NO_ED25519/ED448_VERIFY around forged-sig test data (test_ed25519/ed448.c); guard equal()/cmov() for verify-only builds (ge_operations.c); guard unused pointers under WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC (wc_mldsa.c)

Test cleanups (test.c): fix UB from out-of-range enum in hash_test(), always free AES dec object, fix der buffer declaration under small-stack builds
2026-06-05 11:30:53 +10:00
Sean Parkinson 089f1f7c91 TLSv1.3 PSK binders: always use id protection
Removed WOLFSSL_PSK_ID_PROTECTION from use as it is now on by default.
Always check whether the server has a certificate (not a CA chain).
If there is a certificate then continue, otherwise, report a binder
error.

Added test to ensure binder error returned and alert sent when no
NO_CERT. test_tls13_bad_psk_binder already tested no certificate.

Allowed memio test harness to be built when NO_CERT is defined.
2026-06-05 11:16:48 +10:00
Sean Parkinson 26a2b793dc Regression testing fixes
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.

2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.

3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.

4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".

5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
2026-06-04 18:29:24 +10:00
Daniel Pouzzner 35329296e8 Merge pull request #10554 from gasbytes/ocsp-certid-serial-number-fix
OCSP_resp_find_status to require exact serial-length match
2026-06-03 22:49:31 -05:00
Daniel Pouzzner 12e7a1d5c3 Merge pull request #10548 from SparkiDev/x509_fixups_1
X509 API: fix issues
2026-06-03 22:48:19 -05:00
Daniel Pouzzner 590a367d16 Merge pull request #10576 from holtrop-wolfssl/zd21906
Fix user buffer overrun from wolfSSL_get_finished/wolfSSL_get_peer_finished
2026-06-03 20:48:03 -05:00
David Garske 3bc1575e12 Merge pull request #9852 from SparkiDev/ppc64_asm_aes
PPC64 ASM: AES-ECB/CBC/CTR/GCM
2026-06-03 16:30:12 -07:00
Tobias Frauenschläger 00a899e9a3 Fixes for Zephyr secure sockets integration 2026-06-03 14:04:19 +02:00
Juliusz Sosinowicz da719da30c F-4591: fix right-justification of short DH shared secret
The constant-time path of _DH_compute_key (DH_compute_key_padded) had
the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the
length instead of keySz, overwriting the secret with junk when keySz <
padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom
used in tls.c/sniffer.c.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 108b120d7f F-5632: zeroize Camellia key schedule on cipher free
FreeCiphersSide freed cipher->cam with XFREE only, leaving the expanded
key schedule and IV in freed heap memory. Call wc_CamelliaFree (which
ForceZeros the context) before XFREE, matching the ARIA cleanup above.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 118d3a8226 F-5583: evict oldest DTLS 1.3 epoch slot, not the last eligible one
Dtls13NewEpochSlot never updated oldestNumber after picking a candidate,
so every eligible epoch compared "older" than the sentinel and the last
eligible slot was returned instead of the lowest epoch number. Update
oldestNumber alongside oldest so the true minimum is evicted.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 289a2670f4 F-5591: reject negative group count in group setters
wolfSSL_CTX_set_groups/wolfSSL_set_groups only rejected counts above
WOLFSSL_MAX_GROUP_COUNT; a negative count skipped the copy loop and was
cast to byte (e.g. 255) into numGroups, which InitSSL later trusts for a
fixed-size copy. Reject count <= 0 in both, and in the set1_groups
OpenSSL-compat wrappers.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 0089fa852e F-5631: reject zero-length/duplicate post-handshake CertReq context
DoTls13CertificateRequest rejected a non-empty context during the
handshake but did the complementary check for post-handshake auth.
Per RFC 8446 Section 4.3.2 a post-handshake certificate_request_context
must be non-empty and unique; reject a zero-length context and one that
duplicates a still-pending request context with a fatal illegal_parameter
alert.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 18b86922d9 F-5630: require signature_algorithms in TLS 1.3 CertificateRequest
DoTls13CertificateRequest parsed the extensions but never verified the
mandatory signature_algorithms extension was present. A request with
none left peerSuites.hashSigAlgoSz at zero and was accepted. Per RFC
8446 Section 4.3.2, reject such a request with a fatal missing_extension
alert before selecting a certificate response.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 6e7bf5fa66 F-5629: reject ServerHello ALPN response with multiple protocols
A response ProtocolNameList was passed whole to ALPN_find_match, which
accepts the first configured match, so a server could return more than
one protocol. Per RFC 7301 Section 3.1 the ServerHello list must contain
exactly one name; enforce that the single name spans the whole list and
reject otherwise with a fatal illegal_parameter alert.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 7a0eca841f F-5628: reject max_fragment_length response that differs from request
TLSX_MFL_Parse only checked that the extension was requested and that
the value was recognized, not that the server echoed the requested
value. Per RFC 6066 Section 4, compare the ServerHello value against the
locally stored request and abort with a fatal illegal_parameter alert on
mismatch.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz abb5943466 F-4594: return non-zero from wolfSSL_get_verify_result on NULL ssl
WOLFSSL_FAILURE is 0, which equals X509_V_OK, so a NULL ssl was
indistinguishable from successful verification under the standard
"SSL_get_verify_result(ssl) \!= X509_V_OK" idiom. Return
WOLFSSL_X509_V_ERR_APPLICATION_VERIFICATION (50, matching the OpenSSL
compat value) instead, and add it to the X509 verify-error enum.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 7047d4e01a F-5590: reject oversized length in wolfSSL_CRYPTO_memcmp
The size_t length was cast directly to the int taken by ConstantCompare.
On 64-bit builds a size with a negative low 32-bit value (e.g.
0x80000000) became a negative length, so ConstantCompare ran zero
iterations and returned 0 (equal) without comparing. Reject size >
INT_MAX with a non-zero (mismatch) result before narrowing.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 754f5cfe41 F-5606: enforce DTLS 1.3 KeyUpdate 2^48-1 sending epoch ceiling
RFC 9147 Section 4.2.1 limits the DTLS 1.3 epoch to 2^48-1.
SendTls13KeyUpdate now refuses to send a KeyUpdate when the sending
epoch is already at the maximum, and Dtls13KeyUpdateAckReceived rejects
an epoch that would exceed the limit after incrementing (previously only
a full 64-bit wrap to zero was checked).
2026-06-03 13:01:19 +02:00
Josh Holtrop faad28301a Fix user buffer overrun from wolfSSL_get_finished/wolfSSL_get_peer_finished 2026-06-02 18:21:26 -04:00
Ruby Martin 08a7c4590e Remove CheckOcspResponderChain and related references. Function is not compliant with RFC 6960, 4.2.2.2.
remove unused vp parameter

Update ChangeLog.md to include OCSP responder change
2026-06-02 16:20:32 -06:00
Josh Holtrop 7f3d589c12 Support importing/exporting DTLS sessions with encrypt-then-mac options 2026-06-02 09:34:14 -04:00
Tobias Frauenschläger 320010aad6 Migrate internal ML-KEM consumers to canonical wc_MlKemKey API 2026-06-02 10:51:37 +02:00
Josh Holtrop 492603fbd4 Early-return from TLS 1.2 resumption on SNI/ALPN mismatch 2026-06-01 16:15:43 -04:00
David Garske 71ca579ef2 Merge pull request #10317 from Roy-Carter/feature/pem_write_enhancement
Implementation for PEM_write_PrivateKey & PEM_write_PUBKEY
2026-06-01 10:10:39 -07:00
Sean Parkinson 8e4e76fdcc X509 API: fix issues
1. BasicConstraints pathLenConstraint absent vs. 0 —
get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0
per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag.
2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value
normalization so the directory name is actually printed (was emitting
only DirName:).
3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI
cases, avoiding NULL-strData deref and NUL-truncation.
4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL.
5. X509_print Extended Key Usage — print Any Extended Key Usage (was
omitted).
6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after
ownership transfers to dp, so an error from the next push doesn't free
it twice.
7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to
the allocation; was truncating at indent==1 and failing at indent>=2.
8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check
i2s_ASN1_STRING return before passing to %s.
9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY;
only the ASN1_STRING*-backed types are read via gn->d.ia5. Was
performing a wild-pointer XMEMCPY in add_altname_ex.

Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into
static helpers (behavior-preserving).

Regression tests added for #1–5 and #9; existing GENERAL_NAME_print test
hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB
read that the print fix would otherwise expose).
2026-06-01 09:57:19 +10:00
sebastian-carpenter 75de834b7f fix GREASE ECH write 2026-05-29 15:33:42 -06:00
Reda Chouk 53e1db478b Require equal serial lengths before comparing serial bytes so a response serial that is only a prefix of the requested serial is not treated as a match 2026-05-29 10:07:29 -07:00
sebastian-carpenter fb3693ce50 send ECH on rejection 2026-05-28 14:50:00 -06:00
sebastian-carpenter 050e538ece change random handling in ECH 2026-05-28 14:19:20 -06:00
sebastian-carpenter 406365ec1c TLS ECH keylogging 2026-05-28 11:17:45 -06:00
Josh Holtrop e7f491a98a Check SNI/ALPN in TLS 1.3 session resumption 2026-05-28 12:10:16 -04:00
Juliusz Sosinowicz 6303af86ac Cache AEAD record overhead on WOLFSSL
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.

Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
2026-05-28 16:19:44 +02:00
Kareem 4472980738 Code review feedback and minor fixes.
Remove outdated RFC, refactor into single error case, guard against negative/0 len and NULL *data pointer, don't set ownStatus until status is confirmed non-NULL.
2026-05-27 16:54:14 -07:00
Kareem 1e338487db Code review feedback 2026-05-27 16:54:14 -07:00
Kareem a28ea7ac1c NULL *response on error in wolfSSL_d2i_OCSP_RESPONSE.
Thanks to Zou Dikai for the report.
2026-05-27 16:54:14 -07:00
Kareem 872a03a056 Disallow matching URI type in CheckForAltNames.
Thanks to Haruki Oyama (Waseda University) for the report.
2026-05-27 16:54:14 -07:00
Sean Parkinson 713a220fc9 Merge pull request #10426 from JeremiahM37/fenrir-8
protocol correctness, OpenSSL-compat hardening, and sensitive-memory zeroization
2026-05-28 09:48:10 +10:00