Commit Graph

30072 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 94d0a49497 Address review: harden dtls_bench time source and -z usage
Fail loudly if clock_gettime() ever fails instead of computing
throughput from uninitialized stack, and warn when -z is combined with
-s since the sink-send only applies to the client.
2026-06-10 14:03:52 +02:00
Juliusz Sosinowicz 000d407dee Address review: document that BuildMessage explicit-nonce bytes are placeholders
The PeekSEQ-written explicit nonce is overwritten by the encrypt paths
before transmission (cipher-generated counter, or aead_exp_IV on legacy
FIPS/selftest builds) and the AAD sequence is written separately; the
optimization is the removal of the per-record RNG draw.
2026-06-10 14:03:52 +02:00
Juliusz Sosinowicz 85e85c1fb4 Address review: probe the DTLS socket type where the fd is set
Under WOLFSSL_RW_THREADED the read and write threads could both perform
the lazy isDGramSock() first-time cache write concurrently; the cached
bit-fields share a storage unit with other dtlsCtx flags, making this a
data race.

Instead of caching from inside the I/O callbacks, run the
getsockopt(SO_TYPE) probe where dtlsCtx.rfd/wfd is assigned and store
the result per descriptor (rfd and wfd may be different sockets of
different types). fd assignment happens during single-threaded setup,
so no thread-specific handling is needed, and the I/O callbacks reduce
to reading a struct member, so isDGramSock() is dropped in favor of
reading the flags directly. The stateless-hash test no longer needs to
mask the fields: the I/O callbacks no longer write to the WOLFSSL
object.
2026-06-10 14:03:52 +02:00
Juliusz Sosinowicz d2c9f53ef6 examples/benchmark/dtls_bench: build a stub on non-POSIX platforms
dtls_bench.c is built whenever DTLS and the example servers are enabled,
including the cross-mingw-all-crypto multi-test scenario, which cross-
compiles for Windows. It directly includes POSIX-only headers
(<sys/socket.h>, <arpa/inet.h>, <netdb.h>, <net/if.h>) that mingw does
not ship, so the build failed there.

Gate the networking includes and the whole benchmark body behind a
DTLS_BENCH_ENABLED check (WOLFSSL_DTLS, not USE_WINDOWS_API, not
WOLFSSL_NO_SOCK). When the platform lacks POSIX BSD sockets, compile a
small stub main() that reports the tool is unsupported, so the source
tree still builds.
2026-06-10 14:03:52 +02:00
Juliusz Sosinowicz c815d98ef4 DTLS throughput: add benchmark tool and optimize the record send path
Add examples/benchmark/dtls_bench, a DTLS throughput benchmark that
completes a handshake and then measures bulk-send throughput. It
supports DTLS 1.2 and 1.3, selectable cipher suites, an end-to-end
mode, and a -z sink mode that discards records on the server after the
handshake to isolate the sender's record-layer cost. The socket is set
up with wolfSSL_set_dtls_fd_connected.

Optimize the send path exercised by the benchmark:

- wolfio (EmbedSendTo): cache the per-descriptor socket-type probe
  (getsockopt SO_TYPE) in WOLFSSL_DTLS_CTX instead of running it on
  every send, removing a syscall from the record send path. The cache
  is invalidated whenever rfd/wfd is reassigned.

- internal (BuildMessage): for AEAD suites whose explicit nonce is the
  8-byte record sequence number, write the sequence number directly as
  nonce_explicit instead of drawing it from the RNG. This covers
  AES-GCM (RFC 5288 sec 3), AES-CCM (RFC 6655 sec 3), SM4-GCM/CCM
  (RFC 8998 sec 3), and Camellia-/ARIA-GCM which inherit the RFC 5288
  construction; ChaCha20 uses an implicit nonce and is excluded. A new
  read-only PeekSEQ() helper reads the sequence number without advancing
  the per-direction counter, leaving the single mandated increment to
  writeAeadAuthData().

Also ignore the built dtls_bench binary in .gitignore.
2026-06-10 14:03:52 +02:00
Daniel Pouzzner fdbfb66c4b Merge pull request #10569 from SparkiDev/ssl_c_split_1
ssl.c: Move functions out to own files and add testing
2026-06-09 22:52:34 -05:00
Sean Parkinson 359e688dc3 ssl.c: Move functions out to own files and add testing
ssl_api_pk.c: added Public-key APIs (min/max key sizes, DH key test,
signature NIDs, tmp ecdh. Reworked code of new functions.
ssl_api_cert.c: added more SSL Certificate APIs. Reworked code of new
functions.
ssl_api_ext.c: TLS extension APIs (session tickets, max fragment,
groups, etc.). Reworked code.
ssl_api_dtls.c: DTLS APIs (cookie secret, etc.)

Improved test coverage for functions moved.
2026-06-10 09:11:59 +10:00
David Garske 4f09916e7e Merge pull request #10443 from anhu/protonamelist
Enforce only 1 protocolname in serverhello
2026-06-09 15:42:02 -07:00
David Garske 358ae9a559 Merge pull request #10249 from ColtonWilley/pr15-tls-config-bounds
Add negative-count and NULL checks to group-setting and shared-cipher APIs
2026-06-09 14:40:16 -07:00
David Garske 52681591fe Merge pull request #10640 from douzzer/20260608-atomic-fixes
20260608-atomic-fixes
2026-06-09 10:41:01 -07:00
David Garske 850cc84ee8 Merge pull request #10635 from holtrop-wolfssl/wolfssl-wolfcrypt-2.0.0
Update wolfssl-wolfcrypt Rust crate to v2.0.0
2026-06-09 10:08:19 -07:00
David Garske 65d54df5ea Merge pull request #10644 from Frauschi/arduino
Fix Arduino CI test
2026-06-09 09:36:01 -07:00
Tobias Frauenschläger 0278d3a72e Reduce flash size for Arduino examples 2026-06-09 15:41:27 +02:00
David Garske bbace5a1cc Merge pull request #10494 from LinuxJedi/STM32MP13-SHAKE
Fix SHAKE with STM32MP13 and add simulator
2026-06-08 15:45:30 -07:00
David Garske e2d3b63139 Merge pull request #10207 from ColtonWilley/d2i_pem_negative_length
Add signed-length validation to d2i, PEM, and buffer-load APIs
2026-06-08 15:42:00 -07:00
David Garske dbf72c4f00 Merge pull request #10601 from kareem-wolfssl/f3772
Fenrir fixes
2026-06-08 15:23:05 -07:00
Colton Willey 41c09a734c Address review cleanups 2026-06-08 15:10:51 -07:00
David Garske c9cb0ef033 Merge pull request #10212 from ColtonWilley/fix-skid-overflow-and-null-checks
Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
2026-06-08 15:01:14 -07:00
Daniel Pouzzner 68144a81da fixes from AI review:
wolfcrypt/src/wc_port.c: fix several missed refactors to WC_ATOMIC_[U]INT_ARG.

wolfssl/wolfcrypt/wc_port.h:
* harmonize the return type of WOLFSSL_ATOMIC_STORE() (always void).
* fix MSVC WOLFSSL_ATOMIC_LOAD() and _STORE() with correct atomic semantics, and add gating on USE_WINDOWS_API.
2026-06-08 16:52:06 -05:00
David Garske da1de8a9fc Merge pull request #10472 from douzzer/20260512-wc_init_state
20260512-wc_init_state
2026-06-08 13:44:17 -07:00
Daniel Pouzzner 672da2ad96 Merge pull request #10633 from holtrop-wolfssl/f-4141
Add unit tests that TLS resumption fails due to ALPN mismatch
2026-06-08 15:21:53 -05:00
Daniel Pouzzner f3ab345d1c Merge pull request #10553 from julek-wolfssl/tls-12-mutual-auth
Allow RSA client certs on ECDHE-ECDSA mutual auth
2026-06-08 15:21:29 -05:00
Daniel Pouzzner e51317261d Merge pull request #10630 from yosuke-wolfssl/fix/f_4890
Fix odd-length CertificateRequest signature_algorithms acceptance
2026-06-08 15:21:02 -05:00
Daniel Pouzzner 51bbb74b74 Merge pull request #10629 from yosuke-wolfssl/fix/f_4637
Fix the error handling on wc_PKCS7_DecodeAuthEnvelopedData
2026-06-08 15:20:36 -05:00
Daniel Pouzzner 1943a6f33a Merge pull request #10550 from rizlik/sha512_only
add support for WOLF_CRYPTO_CB_ONLY_SHA512
2026-06-08 15:20:08 -05:00
Colton Willey 6211210c86 Strengthen regression tests for group and shared-cipher API guards 2026-06-08 12:41:34 -07:00
Colton Willey 00a21b0bfa Add regression tests for group-setting and shared-cipher API guards
Extend test_tls13_apis with negative-count assertions for
wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups
assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups
(tests/api/test_tls13.c).

Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and
zero-length inputs (tests/api/test_tls.c).
2026-06-08 12:41:34 -07:00
Colton Willey af0db53e86 Fix negative count and NULL pointer checks in group-setting and shared cipher APIs
Add count < 0 validation to wolfSSL_CTX_set_groups and wolfSSL_set_groups
(src/tls.c) to prevent negative count from bypassing the upper-bound check
and corrupting numGroups via byte truncation.

Widen count == 0 to count <= 0 and add NULL groups check in
wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (src/ssl.c).

Add NULL buf and NULL cipher checks in wolfSSL_get_shared_ciphers to
prevent NULL pointer dereference.
2026-06-08 12:40:46 -07:00
Kareem 4a854b0a71 Add unit test for wc_AesEaxEncryptFinal authTagSz below minimum. 2026-06-08 10:29:10 -07:00
Kareem 147c808562 Change no_renegotiation alert to warning level to match RFC 5246 7.2.2.
Fixes F-4113.
2026-06-08 10:29:10 -07:00
Kareem 8e268dee13 Avoid suppressing error from Cy_Crypto_Core_Sha_Finish in wc_Sha512_224Final.
Fixes F-4002.
2026-06-08 10:29:10 -07:00
Kareem b2d5cbf6f1 Reject auth tags below WOLFSSL_MIN_AUTH_TAG_SZ in the AES-EAX encrypt path. This matches AES-EAX decrypt behavior as well as other AES modes.
Fixes F-3759.
2026-06-08 10:29:10 -07:00
Kareem 00c84ced25 Confirm keys-params is not NULL before dereferencing in wc_XmssKey_GetPubLen.
Fixes F-3980.
2026-06-08 10:29:10 -07:00
Kareem 47bebc6441 Fix wc_tsip_MakeRsaKey ignoring errors and not freeing buffers in some error cases.
Fixes F-4005.
2026-06-08 10:29:09 -07:00
Kareem 8c4ad8d573 Confirm rng pointer is not NULL before dereferencing it in wc_rng_new_ex.
Fixes F-3979.
2026-06-08 10:29:09 -07:00
Kareem edf1439151 Properly set ret and error out when tsip_RsakeyImport fails.
Fixes F-3772.
2026-06-08 10:29:09 -07:00
Daniel Pouzzner a36ada8d53 wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: add
* wc_local_InitUp()
* wc_local_InitUpDone()
* wc_local_InitDown()
* wc_local_InitDownDone()
* wc_init_state_t
* WC_DECLARE_INIT_STATE()
* WC_INIT_STATE_*
* union wc_init_state_bitfields
* WC_INIT_STATE_RAISE_BAD_STATE()
* WC_ATOMIC_INT_ARG and WC_ATOMIC_UINT_ARG, pivoting on WC_16BIT_CPU, used to assure operands to atomic operators are 32 bits, and that wc_init_state_t is 32 bits, even on 16 bit targets like Arduino.

fix&refactor thread safety mechanisms in wolfCrypt_Init() and wolfCrypt_Cleanup(), and fix a few preexisting error-handling flubs in wolfCrypt_Init().
2026-06-08 11:01:10 -05:00
Josh Holtrop 243926f5da Update wolfssl-wolfcrypt Rust crate to v2.0.0 2026-06-08 10:14:24 -04:00
Juliusz Sosinowicz a3bc7c96a0 tests: relocate TLS 1.2 mutual-auth tests to avoid merge collision
The two new tests (test_tls12_ecdhe_ecdsa_rsa_client_cert and
test_tls12_ecdhe_rsa_ecdsa_client_cert) were appended right after
test_wolfSSL_alert_desc_string, the last function in test_tls.c. Another
in-flight branch appends its own new tests at the same anchor, producing
a spurious add/add merge conflict even though the additions are
independent. Move these two functions just above
test_wolfSSL_alert_desc_string so the two branches insert at different
locations and merge cleanly. Pure code movement; no behavior change.
2026-06-08 15:10:27 +02:00
Juliusz Sosinowicz fdda31b5c3 Allow RSA client certs on ECDHE-ECDSA mutual auth
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.

Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:

  GetServerCertReqCertTypes    - certificate_types to emit
  GetServerCertReqHashSigAlgo  - signature_algorithms to emit
  InServerCertReqHashSigAlgo   - membership check used for verification

The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.

Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.

Add two end-to-end mutual-auth tests covering both directions:

  test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
  test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA  server, ECDSA client

Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.

TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.
2026-06-08 15:10:27 +02:00
Yosuke Shimizu a6f69ec09c Fix odd-length CertificateRequest signature_algorithms acceptance 2026-06-08 11:33:50 +09:00
Yosuke Shimizu ef5c5f8ecb Fix the error handling on wc_PKCS7_DecodeAuthEnvelopedData 2026-06-08 10:11:42 +09:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 02d08790af Merge pull request #10575 from julek-wolfssl/fenrir-fixes-20260601
Fenrir: TLS/DTLS conformance and crypto hardening fixes
2026-06-05 16:26:05 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner d5560b06cf Merge pull request #10556 from holtrop-wolfssl/rust-crate-updates-3
Rust wrapper: add scrypt KDF and RSA-OAEP support
2026-06-05 16:24:29 -05:00
Daniel Pouzzner 97095d209a Merge pull request #10561 from sebastian-carpenter/tls-ech-send-on-rejection
Enhancement: Stand out less with ECH or GREASE ECH
2026-06-05 16:23:41 -05:00
Daniel Pouzzner c300c41a68 Merge pull request #10514 from kaleb-himes/PQ-DOX
Add PQ documentation
2026-06-05 16:23:05 -05:00
Daniel Pouzzner 3012154367 Merge pull request #10259 from sebastian-carpenter/tls-ech-keylog
TLS ECH keylogging
2026-06-05 16:22:11 -05:00
Daniel Pouzzner 7caa3b97a8 Merge pull request #10503 from kareem-wolfssl/zd21858
Fix potential mismatch in size between DECL_MP_INT_SIZE_DYN and NEW_MP_INT_SIZE, fix unused variable warning in random.c.
2026-06-05 16:20:55 -05:00