Commit Graph

30513 Commits

Author SHA1 Message Date
Kareem 3300d0834e Code review feedback. Don't error out if WOLFSSL_RSA_PUBLIC_ONLY or WOLFSSL_RSA_VERIFY_ONLY are defined as they don't use blinding. 2026-05-14 12:45:17 -07:00
Kareem 02306592be Require that the AES CMAC mac size is inside of the range [WC_CMAC_TAG_MIN_SZ, WC_AES_BLOCK_SIZE].
Fixes F-3084.
2026-05-14 12:45:17 -07:00
Kareem 62de1c1896 Extend check to cover ECC and Curve25519 blinding + no RNG as well. 2026-05-14 12:45:17 -07:00
Kareem 1c63dad5d6 Prevent building with RNG disabled and RSA blinding enabled by default.
Fixes F-2624.
2026-05-14 12:45:17 -07:00
Kareem 6c14129b16 Send correct alert type when server requests certificate and client has none set.
Thanks to Cal Page for the report.
2026-05-14 12:45:17 -07:00
Paul Adelsbach 8e150a2868 Update LMS and XMSS key advance test 2026-05-14 12:25:59 -07:00
David Garske 460a87119e Merge pull request #10351 from rizlik/cryptocbonly
CRYPTOCB_ONLY: add test infra + SHA256 + AES
2026-05-14 10:37:39 -07:00
Jeremiah Mackey a3baac7dbe zero sensitive material before free 2026-05-14 16:59:48 +00:00
Jeremiah Mackey c61fa7d633 honor OpenSSL fail-open contracts 2026-05-14 16:59:12 +00:00
Jeremiah Mackey a5ee9604c7 tls13: alert illegal_parameter for ctx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey b023a719b1 dtls13: fix window and rtx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey 88fde0fff7 fix copy-paste constant mismatches 2026-05-14 16:59:12 +00:00
David Garske d0073d9e5c Merge pull request #10326 from sebastian-carpenter/tls-ech-maxnamelen
Add maximum_name_length to TLS ECH padding
2026-05-14 09:15:38 -07:00
Paul Adelsbach 645996e8ed Fix double free possibility in wolfSSL_X509_set_ext 2026-05-14 07:12:27 -07:00
Daniel Pouzzner 00fe73b2ca Merge pull request #10484 from SparkiDev/arm32_neon_chacha20_align_fix
ARM32 NEON ChaCha20: alignment fix
2026-05-14 08:54:09 -05:00
Juliusz Sosinowicz fd91f681e5 Fail closed in CheckOcspRequest when ocspCheckAll and no URL
CheckOcspRequest used to return CERT_GOOD whenever a certificate
lacked an AIA extension and no override URL was configured, with
the rationale 'Cert has no OCSP URL, assuming CERT_GOOD'. That is
a fail-open soft-fail: an operator who turned on
WOLFSSL_OCSP_CHECKALL expecting every certificate in the chain to
be revocation-checked would still silently accept a certificate
that omits its OCSP responder URL, letting a misconfigured (or
attacker-controlled) issuer bypass revocation for non-stapled
flows.

Gate the fail-open path on cm->ocspCheckAll. When the caller has
asked for full-chain OCSP checking, return OCSP_NEED_URL so the
chain is refused. The legacy behavior is preserved when
ocspCheckAll is not set, keeping the soft-fail default for plain
WOLFSSL_OCSP_ENABLE users.

F-3227
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz ed4f4ce826 Document SNI per-host policy gap in wolfSSL_set_SSL_CTX
wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an
SNI callback uses to swap in the per-vhost certificate during the
handshake. By design it only copies the certificate chain and
private key from the new CTX. Verification settings, the trusted
CA store, CRL/OCSP configuration, minimum key-size requirements,
and cipher/version policy stay attached to the original CTX. For
multi-tenant servers where each virtual host has its own security
policy, that means one host's verification rules silently apply
to a connection meant for another.

Expand the leading comment with an explicit SECURITY WARNING
that lists the settings which are NOT inherited and points at the
WOLFSSL*-level setters callers must use inside the SNI callback
when virtual hosts have different policies. The behavior of the
function is unchanged.

F-2902
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 3234f66cf3 Test TLS 1.3 NewSessionTicket MAX_LIFETIME bound check
DoTls13NewSessionTicket rejects a ticket lifetime greater than
MAX_LIFETIME (RFC 8446 Section 4.6.1, 7 days), but no test
exercised the rejection: every server in the suite stays well
within the limit, so a mutation deleting that bound check would
go unnoticed.

Add a manual memio test that pokes ctx_s->ticketHint to
MAX_LIFETIME + 1 (the public setter clamps to 604800), runs a
full TLS 1.3 handshake, and reads the post-handshake
NewSessionTicket on the client. The test confirms the over-limit
lifetime surfaces from wolfSSL_read as SERVER_HINT_ERROR.

F-2121
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 130f683d8c Validate minDowngrade in wolfSSL_SetSession before reusing version
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL's configured
minDowngrade. The overwritten version then fed straight into
SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising e.g. TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.

Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.

F-2105
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 425d3e9628 Make DoClientTicketCheckVersion DTLS-aware
DTLS minor versions decrease as the protocol version increases
(DTLS 1.0=0xFF, DTLS 1.2=0xFD, DTLS 1.3=0xFC), but the ticket
version comparisons in DoClientTicketCheckVersion used the TLS
direction unconditionally. As a result a DTLS server resuming a
session ticket from a different DTLS version could land on the
wrong branch: a ticket from a newer DTLS version would be treated
as a downgrade instead of being rejected, and a ticket from an
older DTLS version would be flagged as 'greater version' and
refused outright. The minDowngrade check at the bottom had the
same inversion bug.

Branch on ssl->options.dtls so the greater-version, lesser-version,
and minDowngrade comparisons all use the right direction for the
active protocol family. TLS behavior is unchanged.

F-1828
2026-05-14 14:07:26 +02:00
Juliusz Sosinowicz 9d77c217f2 Stop suppressing OCSP_CERT_REVOKED in server stapling path
Server-side OCSP stapling was unconditionally folding
OCSP_CERT_REVOKED, OCSP_CERT_UNKNOWN, and OCSP_LOOKUP_FAIL into a
success result so a stapling failure would not break the handshake.
OCSP_CERT_REVOKED, however, is an explicit positive assertion of
revocation by the responder and must not be ignored: silently
suppressing it lets a server keep advertising a revoked certificate
to clients that rely on stapling for revocation status.

Drop OCSP_CERT_REVOKED from the suppression list in
CreateOcspResponse, the CSR2_OCSP_MULTI handler in
SendCertificateStatus, and ProcessChainOCSPRequest. Continue
suppressing OCSP_CERT_UNKNOWN and OCSP_LOOKUP_FAIL, which are true
soft-fail responder conditions where the responder cannot answer.

F-1820
2026-05-14 14:07:26 +02:00
Juliusz Sosinowicz 39642d5ad3 Skip multi-msg-record test when wolfSSL built without RSA
The test certs are RSA; if NO_RSA is defined the client can neither
load nor verify them. Detect "RSA not supported" in client -? help
and exit 77 (SKIP) before tlslite-ng tries to use the RSA chain.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz d2f45f614f Make test scripts work in sandboxed/restricted environments
multi-msg-record.py: auto-detect the CA cert format the wolfSSL client
build accepts (PEM or DER) from the default shown in client -? help.
OPENSSL_EXTRA-style builds need PEM; NO_CODING builds need DER.

ocsp-stapling.test: skip the external login.live.com connection unless
WOLFSSL_EXTERNAL_TEST is explicitly enabled (matches external.test /
google.test convention). Local OCSP tests still run.

ocsp-responder-openssl-interop.test: use ${TMPDIR:-/tmp} for mktemp
templates so the test works when /tmp is not writable.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 7cc972d5c7 Use DER CA cert in multi-msg-record test for NO_CODING builds
wolfSSL builds configured with --enable-coding=no cannot parse PEM
because base64 decoding is disabled. Switch the example client's -A
argument to ca-cert.der so the test works in both PEM-enabled and
PEM-disabled builds.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 6357a0e5cf Skip multi-msg-record ciphers not built into wolfSSL client
Probe ./client -e for the supported cipher list and skip suites that
aren't compiled in instead of reporting them as failures.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz b9fad30bee Install tlslite-ng in os-check workflow so multi-msg-record test runs 2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz dab6461db1 Fix comment dash 2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 0b1b158fe2 Add a test for multi-message TLS records 2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz b88eb32c1d Guard against unsigned underflow in inputLength calculation
Add bounds check before computing inputLength from curStartIdx + curSize
to prevent unsigned underflow if *inOutIdx ever exceeds the record
content boundary.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 38bd87591f Use curSize for content-only input length in handshake/ack handlers
Since ProcessReply already reduces curSize by padSz after decryption,
use curStartIdx + curSize to bound content data instead of recomputing
it from buffer.length - padSz. This removes three more padSz references
from message processing code.
2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 7fe8f4d5c6 Fix CI 2026-05-14 13:10:13 +02:00
Juliusz Sosinowicz 7a61b2e087 Refactor record padding handling to eliminate middle padding pattern
Move padSz index advancement from individual message handlers to a
single location at the end of record processing in ProcessReply.
Previously, each handler (DoFinished, DoApplicationData, DoAlert,
DoCertificate, DoServerHello, etc.) advanced the index by padSz,
which then had to be corrected when processing multiple messages
in one record. This "middle padding" pattern was error-prone.

Now curSize is reduced by padSz after decryption/verification so
it reflects content size only. Message handlers advance the index
by content size only. padSz is added once when the record is fully
processed. The correction code for multi-message records is removed.
2026-05-14 13:10:12 +02:00
Sean Parkinson 81cce394db Merge pull request #10440 from JeremiahM37/gh10423
fix NO_VERIFY_OID build in GetOID
2026-05-14 20:02:06 +10:00
Sean Parkinson 31a76d333b Merge pull request #10468 from JeremiahM37/fenrir-wolfcrypt-api-hardening
wolfCrypt API hardening: input validation, key zeroization, hardware ports
2026-05-14 20:00:39 +10:00
Sean Parkinson 8d08ff8926 Merge pull request #10428 from kareem-wolfssl/gh10271_10313
tls13.c fixes + Add configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
2026-05-14 19:56:23 +10:00
Sean Parkinson a7beb20675 Merge pull request #10451 from Frauschi/fix/client-nonblocking-resume-err
Minor error handling fixes in client and server examples
2026-05-14 19:53:32 +10:00
Sean Parkinson 75f32a336c Merge pull request #10442 from JeremiahM37/zd21783
Fix SAKKE OOB write and correctness gap in sakke_hash_to_range
2026-05-14 19:51:52 +10:00
Sean Parkinson 233c3e9130 Merge pull request #10474 from Frauschi/membrowse_timeout
Add timeout to membrowse CI tests
2026-05-14 19:48:54 +10:00
Sean Parkinson e1840c6f83 ARM32 NEON ChaCha20: alignment fix
vldm and vstm assume an 32-bit alignment.
Change to use vld1 and vst1.
2026-05-14 19:39:10 +10:00
Kareem bd95858a95 Avoid overwriting shared secret in non-blocking mode 2026-05-13 17:41:30 -07:00
Kareem 775af7d967 Fix unit test failures with --enable-all. 2026-05-13 17:36:21 -07:00
Kareem dc6381a695 Code review feedback, add test. 2026-05-13 17:36:21 -07:00
Kareem 2aacc18788 Enable all-zero shared secret check for curve448/25519 by default. Change macro to opt-out macro WOLFSSL_NO_ECDHX_SHARED_ZERO_CHECK. Add unit test.
Thanks to Xiangdong Li for the report.
2026-05-13 17:02:08 -07:00
Kareem 125274935e Ensure post_handshake_auth extension was sent before accepting post-handshake CertificateRequest message as per RFC 8446 4.6.2.
Thanks to Xiangdong Li for the report.
2026-05-13 17:02:08 -07:00
Ruby Martin a24ea6fae4 add guard to clear null dereference 2026-05-13 17:14:27 -06:00
Ruby Martin bbde4c5fcc remove unnecessary check, idx will be 1 and derSz is at least 5 2026-05-13 16:32:54 -06:00
David Garske c450bdb381 Merge pull request #10471 from JacobBarthelmeh/cavium_octeon
fix Octeon AES-GCM J0 derivation when ivSz is a non-12-byte non-zero …
2026-05-13 15:25:11 -07:00
Eric Blankenhorn dc6db15b19 Check params to GeneratePrivateDh186 2026-05-13 17:00:13 -05:00
Eric Blankenhorn 8c85618d0f Fix SP int truncation issue 2026-05-13 16:59:36 -05:00
David Garske 121387ab25 Merge pull request #10479 from padelsbach/aesgcm-unused-vars
Avoid unused variable errors in aesgcm_non12iv_test
2026-05-13 14:36:07 -07:00