Commit Graph

883 Commits

Author SHA1 Message Date
Marco Oliverio 5744df1c77 test: add sha512 variants by sha512 general fallback test 2026-06-04 12:06:31 +02:00
Sean Parkinson 26a2b793dc Regression testing fixes
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.

2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.

3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.

4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".

5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
2026-06-04 18:29:24 +10:00
Hideki Miyazaki 904a70d179 Addressed Copilot comments 2026-06-04 15:30:39 +09:00
Daniel Pouzzner 35329296e8 Merge pull request #10554 from gasbytes/ocsp-certid-serial-number-fix
OCSP_resp_find_status to require exact serial-length match
2026-06-03 22:49:31 -05:00
Daniel Pouzzner 12e7a1d5c3 Merge pull request #10548 from SparkiDev/x509_fixups_1
X509 API: fix issues
2026-06-03 22:48:19 -05:00
Daniel Pouzzner 4993571ccd Merge pull request #10549 from rizlik/nc_dns_wildcards
NameConstraints: support wildcard SAN
2026-06-03 22:29:49 -05:00
Hideki Miyazaki 2e34433c52 enforce trailerField==1 in DecodeRsaPssParams 2026-06-04 10:32:27 +09:00
Hideki Miyazaki 9e711f5c9c Add MAX ENTROPY BITS check 2026-06-04 09:08:24 +09:00
Sean Parkinson aef6283a7e Merge pull request #10540 from Frauschi/small_order_check
Reject small-order public keys for Ed25519 and Ed448
2026-06-04 09:58:24 +10:00
David Garske 70da83972b Merge pull request #10536 from SparkiDev/curve25519_x64_red_fix
X25519 x64 ASM: fix full reduction
2026-06-03 09:24:48 -07:00
Daniel Pouzzner 768cdc39d3 wolfcrypt/src/asn.c: in DecodeGeneralName() and DecodeAcertGeneralName(),
* don't disable URI validation when defined(WOLFSSL_FPKI).
* return immediately with ASN_ALT_NAME_E when URI contains an unexpected '/', as in asn_orig.c DecodeAltNames(), fixing OOB read defect.

wolfcrypt/src/asn_orig.c: fix URI validation gating (ignore WOLFSSL_FPKI) in DecodeAltNames().

tests/api/test_certman.c: fix uriSan in test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match() (make it a URI).

tests/api.c: align gating in test_wolfSSL_URI() with new dynamics (URIs validated regardless of defined(WOLFSSL_FPKI)).
2026-06-02 22:16:40 -05:00
Colton Willey 0ca238c50e Scope PKCS7 truncation check to NO_PKCS7_STREAM and guard test underflow
- pkcs7.c: wrap the AuthEnvelopedData encryptedContentSz bounds check
  entirely in #ifdef NO_PKCS7_STREAM so the default streaming build
  carries no empty/no-op branch (behavior unchanged).
- test_pkcs7.c: assert the encoded size is >32 so the encSz-32 and
  encSz-1 truncations can't underflow.
2026-06-02 16:39:26 -07:00
Ruby Martin 5c3100ed5c Remove non-RFC-compliant OCSP responder chain walk. The chain walk
authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
Josh Holtrop 7f3d589c12 Support importing/exporting DTLS sessions with encrypt-then-mac options 2026-06-02 09:34:14 -04:00
Tobias Frauenschläger 320010aad6 Migrate internal ML-KEM consumers to canonical wc_MlKemKey API 2026-06-02 10:51:37 +02:00
Daniel Pouzzner d037bd1eed tests/api/test_pkcs12.c, tests/api/test_pwdbased.c: add missing FIPS version gates to test_wc_PKCS12_PBKDF(), test_wc_PKCS12_PBKDF_ex(), and test_wc_PBKDF1_ex_iterations();
wolfcrypt/src/evp_pk.c: fix identicalInnerCondition in wolfSSL_d2i_PKCS8_PKEY().
2026-06-01 14:23:38 -05:00
David Garske 71ca579ef2 Merge pull request #10317 from Roy-Carter/feature/pem_write_enhancement
Implementation for PEM_write_PrivateKey & PEM_write_PUBKEY
2026-06-01 10:10:39 -07:00
Sean Parkinson 8e4e76fdcc X509 API: fix issues
1. BasicConstraints pathLenConstraint absent vs. 0 —
get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0
per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag.
2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value
normalization so the directory name is actually printed (was emitting
only DirName:).
3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI
cases, avoiding NULL-strData deref and NUL-truncation.
4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL.
5. X509_print Extended Key Usage — print Any Extended Key Usage (was
omitted).
6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after
ownership transfers to dp, so an error from the next push doesn't free
it twice.
7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to
the allocation; was truncating at indent==1 and failing at indent>=2.
8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check
i2s_ASN1_STRING return before passing to %s.
9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY;
only the ASN1_STRING*-backed types are read via gn->d.ia5. Was
performing a wild-pointer XMEMCPY in add_altname_ex.

Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into
static helpers (behavior-preserving).

Regression tests added for #1–5 and #9; existing GENERAL_NAME_print test
hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB
read that the print fix would otherwise expose).
2026-06-01 09:57:19 +10:00
Sean Parkinson 14b55a0bc4 X25519 x64 ASM: fix full reduction
The last add was overflowing into the top bit.
Must mask the last word to clear top bit.

Add test vectors from Wycheproof.
2026-06-01 09:14:57 +10:00
JacobBarthelmeh 9fa5db5606 Merge pull request #10509 from kareem-wolfssl/zd21863_5
Disallow matching URI type in CheckForAltNames.  NULL *response on error in wolfSSL_d2i_OCSP_RESPONSE.
2026-05-29 16:08:04 -06:00
JacobBarthelmeh 1f32365e45 Merge pull request #10547 from SparkiDev/api_c_split_4
api.c: move out tests into other files
2026-05-29 16:03:56 -06:00
Reda Chouk 53e1db478b Require equal serial lengths before comparing serial bytes so a response serial that is only a prefix of the requested serial is not treated as a match 2026-05-29 10:07:29 -07:00
Anthony Hu 6c5097e7ed Enforce only 1 protocolname in serverhello 2026-05-29 12:20:30 -04:00
JacobBarthelmeh beff858833 Merge pull request #10552 from julek-wolfssl/evp-x25519-x448
Add NID_X25519 and NID_X448 support to the EVP layer
2026-05-28 15:57:50 -06:00
Tobias Frauenschläger 25a1a20444 Reject small-order public keys for Ed25519 and Ed448
Add defense-in-depth checks to wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() that reject the identity
point and other small-order public keys. Honest EdDSA key generation
never produces such keys, but wolfSSL previously accepted them on
import and verification. The guard runs at both entry points so it
holds even when a key is imported with trusted=1. New tests are gated
on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
2026-05-28 19:53:19 +02:00
Josh Holtrop e7f491a98a Check SNI/ALPN in TLS 1.3 session resumption 2026-05-28 12:10:16 -04:00
JacobBarthelmeh fc12de010d Merge pull request #10513 from SparkiDev/tls13_aead_limit_fix
TLS 1.3: AEAD limit fixed
2026-05-28 09:30:43 -06:00
Juliusz Sosinowicz df8cc30cb8 Add NID_X25519 and NID_X448 support to the EVP layer 2026-05-28 14:40:36 +00:00
Juliusz Sosinowicz f3bdecf3f6 tests: skip RENEGOTIATION-INFO SCSV in record_size cipher loop
TLS_EMPTY_RENEGOTIATION_INFO_SCSV appears in GetCipherNames() when
HAVE_RENEGOTIATION_INDICATION is set. It is a signaling value, not a
real suite; set_cipher_list accepts it but the handshake rejects it
with UNSUPPORTED_SUITE. Add it to record_size_skip_cipher's deny list.
2026-05-28 16:19:51 +02:00
Juliusz Sosinowicz 6303af86ac Cache AEAD record overhead on WOLFSSL
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.

Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
2026-05-28 16:19:44 +02:00
Marco Oliverio c4b4e6cd14 NameConstraints: support wildcard SAN 2026-05-28 15:19:20 +02:00
Sean Parkinson c674cec4ac api.c: move out tests into other files
Move out DTLS 1.3 specific tests into test_dtls13.c. (Also move out from
test_dtls.c)
Move out DTLS tests into test_dtls.c.
Move out LMS and XMSS tests into test_lms_xmss.c.
Move out SSL session tests into test_session.c.
Move out remaining ML-DSA/Dilithium tests in api.c into test_mldsa.c.
2026-05-28 19:34:09 +10:00
Kareem a1b71a6f34 Rework added test 2026-05-27 18:20:20 -07:00
David Garske 2dd7947d27 Merge pull request #10483 from cconlon/pkcs8V1PublicKeyParse
ML-DSA: PKCS#8 parsing + EVP_PKCS82PKEY support
2026-05-27 17:41:30 -07:00
Colton Willey 359fb7ecbd Remove DTLS oversized cert chain test superseded by load-time depth cap
test_dtls13_oversized_cert_chain (added upstream in 1653ecd07) loaded a >9-cert chain to exercise SendTls13Certificate's word16 overflow guard. This PR now rejects over-MAX_CHAIN_DEPTH chains at load in ProcessUserChain, so the chain never reaches the send path; the load-time rejection is covered by test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth. The word16 send guard remains as defense-in-depth (now only reachable via large PQC chains).
2026-05-27 17:20:18 -07:00
Colton Willey eb180dbee2 Add test cases for max chain depth fixes 2026-05-27 17:16:30 -07:00
Kareem a28ea7ac1c NULL *response on error in wolfSSL_d2i_OCSP_RESPONSE.
Thanks to Zou Dikai for the report.
2026-05-27 16:54:14 -07:00
Kareem 872a03a056 Disallow matching URI type in CheckForAltNames.
Thanks to Haruki Oyama (Waseda University) for the report.
2026-05-27 16:54:14 -07:00
Sean Parkinson 713a220fc9 Merge pull request #10426 from JeremiahM37/fenrir-8
protocol correctness, OpenSSL-compat hardening, and sensitive-memory zeroization
2026-05-28 09:48:10 +10:00
Sean Parkinson 78a5740bac Merge pull request #10504 from miyazakh/f-2180_pbkdf
f-2180: fix clamp iterations <= 0 to 1 instead of returning an error
2026-05-28 09:32:01 +10:00
Sean Parkinson c92208076f Merge pull request #10374 from kareem-wolfssl/zd21699
Enable all-zero shared secret check for Curve448/25519 by default.  Ensure post_handshake_auth extension was sent before accepting post-handshake CertificateRequest message.
2026-05-28 09:29:49 +10:00
Sean Parkinson 70f8bd9831 Merge pull request #10492 from rizlik/legacy_session_id_bad_client
Add compatibility flag and tests for pre-5.9.0 DTLSv1.3 clients
2026-05-28 08:57:48 +10:00
Kareem 5b2569e321 Fix potential mismatch in size between DECL_MP_INT_SIZE_DYN and NEW_MP_INT_SIZE. In some configurations DECL_MP_INT_SIZE_DYN will set the size to max while NEW_MP_INT_SIZE will memset bits. 2026-05-27 15:57:00 -07:00
Colton Willey 3ffe25f783 Add d2i NULL-deref guards and regression tests
Add `*pp == NULL` checks to three d2i wrappers to prevent NULL deref
on public OpenSSL-compat APIs:
- d2i_evp_pkey (reachable via wolfSSL_d2i_PublicKey/PrivateKey)
- wolfSSL_d2i_OCSP_RESPONSE
- wolfSSL_d2i_ECDSA_SIG (template-ASN crash)

Also add regression tests for the existing PR fixes: ProcessBuffer
negative-size, PemToDer family negative-pemSz, GetCRLInfo negative-sz,
wc_Set*Buffer derSz<0, and d2i_ECDSA_SIG negative-length / *pp==NULL.
2026-05-27 15:38:30 -07:00
Daniel Pouzzner f6d6ae687a tests/api/test_mldsa_legacy.c: fix bugprone-macro-parentheses in MLDSA_LEGACY_SIZE_ASSERT().
wolfssl/wolfcrypt/wc_mldsa.h: move WOLFSSL_MLDSA_NO_CTX setup to precede legacy dilithium.h header, so that the _NO_CTX remap macros are properly gated in.
2026-05-27 14:02:37 -05:00
Josh Holtrop 43fabc694f Check SNI/ALPN in TLS 1.2 stateful session ID resumption 2026-05-27 09:16:34 -04:00
David Garske 8199fda0a4 Merge pull request #10160 from Roy-Carter/feature/integrate_openssl_comp_fixes
OpenSSL compatibility layer extension
2026-05-26 10:39:14 -07:00
Tobias Frauenschläger 637c07798a Finalize ML-DSA renaming 2026-05-26 14:54:30 +02:00
Marco Oliverio bc574f7930 dtls13: WOLFSSL_DTLS13_5_9_0_COMPAT -> WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID 2026-05-26 09:16:56 +02:00
Marco Oliverio e6fa789e68 test_dtls: remove non-ASCII chars 2026-05-26 09:15:58 +02:00