DecodeExtensionType() guarded the certificatePolicies duplicate check
(VERIFY_AND_SET_OID) under WOLFSSL_SEP only, because the extCertPolicySet
tracking bit was SEP-only. In a WOLFSSL_CERT_EXT-without-WOLFSSL_SEP build a
cert with two certificatePolicies extensions was accepted and the second
silently overwrote the first (RFC 5280 4.2 forbids repeats). Make the bit and
the guard available under WOLFSSL_CERT_EXT too, matching every other
non-repeatable extension.
Add test_DecodeCertExtensions_dup_certpol (DecodeExtensionType now
WOLFSSL_TEST_VIS).
ParseCipherList() only cleared the InitSuites mask for "!aNULL"/"!eNULL",
which governs generated defaults, so an explicitly listed ADH or NULL-cipher
suite survived (e.g. "ADH-AES128-SHA:!aNULL" still offered an unauthenticated
suite). Scrub the explicit suites after parsing; exclusions are order-
independent and sticky (a later "ALL" cannot re-enable them).
Add test_wolfSSL_set_cipher_list_exclusions.
Add a crypto-callback operation for validating an ECC key.
Under WOLF_CRYPTO_CB_ONLY_ECC validation now fails closed with
NO_VALID_DEVID when no device handles the operation; previously such
keys were accepted unvalidated. This is a deliberate compatibility
break, documented at the dispatch site.
Under WOLF_CRYPTO_CB_ONLY_ECC, HAVE_ECC_MAKE_PUB is now enabled and
backed by the dispatch alone, failing closed with NO_VALID_DEVID when
no device handles the operation (previously NOT_COMPILED_IN).
Instead of failing when top bit is set, the standard and current research says to mask it.
WOLFSSL_X25519_NO_MASK_PEER is added to allow the rejection when required.
Regenerate the SP backends so the ECDH secret generators check the caller's
buffer against the number of bytes actually written. Adds a P-384/P-521
buffer-size regression test.
Only exempt the missing-certificate check during the initial handshake; once a
post-handshake CertificateRequest is outstanding the server again requires the
client certificate (and its CertificateVerify). Adds a post-handshake auth
test.
Ensure a peer's certificate form (X.509 vs raw public key) matches the
negotiated certificate type, defaulting to X.509 when none was negotiated,
on both the client and server. Adds RPK regression tests covering both
directions.
Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
The handshake-message defragmentation buffer (pendingMsg/pendingMsgSz/
pendingMsgOffset/pendingMsgType) lived inside ssl->arrays, which
FreeHandshakeResources() releases once the handshake completes. For a
TLS 1.3 client the arrays are released whenever they are not being
retained for later use, e.g. when the library is built without
HAVE_SESSION_TICKET.
DoTls13HandShakeMsg() then took an "arrays == NULL" early path that
handed the record straight to DoTls13HandShakeMsgType() without any
reassembly. A post-handshake handshake message split across several
records -- such as a NewSessionTicket once a small max_fragment_length
has been negotiated -- was therefore rejected with INCOMPLETE_DATA (-310)
and the peer was reset. Fragmentation during the handshake was
unaffected because the arrays still existed at that point.
Move the defragmentation buffer fields out of Arrays and into the WOLFSSL
object so they survive FreeArrays(), and drop the now-unnecessary
arrays == NULL special case in DoTls13HandShakeMsg() so that
post-handshake messages are reassembled exactly like handshake messages.
The buffer is freed in wolfSSL_ResourceFree(). DoHandShakeMsg() (TLS 1.2)
is updated to use the relocated fields as well.
Add a regression test, test_tls13_fragmented_session_ticket, that
releases the client's handshake arrays after the handshake and injects a
NewSessionTicket fragmented across two records, confirming it is
reassembled and consumed instead of failing with INCOMPLETE_DATA.
Align the argument parsing and handling of input group names to align it
with OpenSSL behavior:
* Do a case-insensitive comparison of the input names with our names
* Add aliases for "MLKEMxxx" groups without underscores in addition to
our names with underscores (keep our for backward compatibility)
* Extend unit tests for both
MatchNameConstraint() compared wildcard DNS SANs literally, so
*.example.com was not rejected by an excluded subtree covering
foo.example.com. Route WOLFSSL_GEN_DNS through
wolfssl_local_MatchDnsNameConstraint(), passing the subtree direction:
permitted subtrees require every wildcard expansion to stay inside the
subtree, excluded subtrees reject when any expansion can fall inside.
This matches what ConfirmNameConstraints() already does.
Replace ExtractHostFromUri() plus DNS-style base matching in
MatchNameConstraint() with wolfssl_local_MatchUriNameConstraint(), and
make wolfSSL_NAME_CONSTRAINTS_check_name() fail closed like
ConfirmNameConstraints(): when URI subtrees are present, a URI name
without a DNS host is rejected instead of passing excluded-only
constraints as a plain non-match.
This aligns the compat layer with RFC 5280 URI constraint semantics: a
base without a leading dot now matches the host exactly instead of as a
DNS subtree, and IP hosts no longer match at all.
Add wolfssl_local_MatchDnsNameConstraint() dispatching wildcard names
to the subtree matcher and literal names to plain base-name matching,
and use it for the ASN_DNS_TYPE branches of PermittedListOk() and
IsInExcludedList().
This also drops the outer name->len >= base len byte-length guard for
literal DNS names. That guard ran before MatchBaseName() could strip
the absolute-FQDN trailing dot, so a constraint base like
DNS:example.com. never matched the SAN example.com it denotes.
One trailing dot marks an absolute FQDN and is not part of the host:
"host.com." and "host.com" denote the same host. Strip it from the
URI host before classification (so "12.31.2.3." is still recognized
as an IPv4 address) and from the constraint base before the exact-match
comparison, mirroring what wolfssl_local_MatchBaseName() already does
for DNS name constraints. Only a single dot is the marker: an empty
last label ("host.com..") is rejected.
RFC 5280 4.2.1.10 defines URI name constraints in terms of a host that
is a fully qualified domain name; RFC 3986 IP-literal ([...]) and
IPv4address hosts are not DNS reg-names and cannot be meaningfully
matched against a DNS-style constraint base.
- Classify the host extracted by GetUriHost (IP-literal, IPv4address,
reg-name) and validate that a reg-name has no empty labels.
- wolfssl_local_MatchUriNameConstraint() no longer matches URIs whose
host is an IP address.
- ConfirmNameConstraints() fails closed: when URI constraints are
present, a URI SAN without a DNS host is rejected. A plain non-match
would otherwise let such names pass excluded-only constraints.
Implements the receive-side of RFC 9147 § 9. On NewConnectionId, if
usage is cid_immediate, switches our TX CID to the first usable CID;
if usage is cid_spare, discards it.
RequestConnectionId is parsed and ignored (responding is SHOULD in the
RFC).
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.
Fix F-4427
Robustness fixes in the OpenSSL-compatibility certificate verifier, independent
of the depth-exhaustion fix:
- Fail closed on allocation failure. When the failedCerts working stack could
not be allocated, the function fell through to exit with ret still set to
WOLFSSL_SUCCESS and reported the chain as verified without checking anything
(a fail-open regression from the leak fix that turned the early return into a
goto exit). Also check the ctx->chain allocation. Both now set an error.
- Remove caller-supplied intermediates from the correct stack. The intermediates
appended to the working cert list during chain building were popped from
ctx->store->certs by count, but they are appended to whichever stack is in use
- which may be the caller's setTrustedSk (X509_STORE_CTX_set0_trusted_stack).
Remove them by pointer identity from that same stack, recomputed from
ctxIntermediates. Identity removal also survives the chain-building retries
that reorder the stack, where a positional pop could drop a legitimate trusted
entry and leave an injected intermediate behind - which a later verification
reusing the store/ctx would then snapshot as a trust anchor. The removal helper
walks the list once (O(n)) rather than indexing per position.
- NULL-guard ctx->store->param before dereferencing its flags in the
partial-chain check.
Add regression tests covering: the trusted stack being restored after
verification, and the retry path (tampered plus genuine same-subject
intermediates, both orderings) leaving the store clean for later use.
Fail compatibility-layer verification when the path-building loop runs
out of its depth budget before reaching a configured trust anchor,
instead of accepting the last verified link. Add a regression test.
Ensure caller-supplied intermediate certificates cannot terminate the
chain during compatibility-layer verification; a path must reach a
configured trust anchor. Add a regression test and supporting certs.
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.
Converted workflows (runner jobs per full pass):
os-check.yml 101 -> 8 (92 Ubuntu configs -> 4 shards;
the macOS matrix, the user-settings jobs and
the standalone
macos-apple-native-cert-validation.yml fold
into one macOS runner; Windows unchanged)
pq-all.yml 21 -> 2 shards
disable-pk-algs.yml 15 -> 1
wolfCrypt-Wconversion.yml 11 -> 1
trackmemory.yml 7 -> 1
cryptocb-only.yml 8 -> 1 (incl. the two new SHA512 entries)
multi-compiler.yml 6 -> 1
smallStackSize.yml 6 -> 1
multi-arch.yml 6 -> 1
async.yml 5 -> 1
psk.yml 5 -> 1
no-malloc.yml 3 -> 1
wolfsm.yml 3 -> 1
opensslcoexist.yml 2 -> 1
Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).
Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
files, sniffer captures and helpers, examples/crypto_policies,
input, quit) into the build tree via a BUILT_SOURCES stamp, removed
again in distclean-local. ChangeToWolfRoot() and the script tests
resolve everything relative to the working directory, so out-of-tree
make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
error-code headers from the source tree and generates into the build
tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
tree for the configure-generated headers (wolfssl/options.h,
wolfssl/version.h); the in-tree-only guards are dropped.
Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:
tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;
wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;
linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.
wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.
linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.
Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.
Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.