Commit Graph

4809 Commits

Author SHA1 Message Date
Daniele Lacamera a3b3ee829b tests: fix config-dependent AES-CTR rounds-check coverage assertion
test_wc_AesModesArgMcdc asserted that wc_AesCtrEncrypt() with corrupted
aes.rounds returns KEYUSAGE_E, but used sz = 32 (an exact block multiple).
When in != out, the full blocks are consumed by a batch path that does not
surface the per-block rounds error - the AES-NI batch, or the HAVE_AES_ECB
fast path which ignores wc_AesEcbEncrypt()'s return - leaving no trailing
partial block, so the function returns 0 and the assertion fails. This was
latent (the whole test binary failed to link before the visibility fix) and
reproduces in --disable-aesni --enable-aesecb builds.

Use a non-block-multiple size (WC_AES_BLOCK_SIZE + 4) so the
"(ret == 0) && sz" leftover-handling call runs and fails on the corrupted
rounds via wc_AesEncrypt() in every backend. Reported by Copilot review on
PR #10845.

Verified: test_wc_AesModesArgMcdc now passes under --disable-aesni
--enable-aesecb (previously failed) and under --enable-aesni --enable-aesecb.
2026-07-09 10:02:22 +02:00
Daniele Lacamera e8cad24798 tests: guard internal-symbol MC/DC tests with WOLFSSL_TEST_STATIC_BUILD
Several MC/DC coverage tests called WOLFSSL_LOCAL (hidden-visibility)
library functions directly from the in-tree unit.test:
  - wc_AesCcmCheckTagSize()                         (test_aes.c)
  - wc_CryptoCb_Init/Cleanup/GetDevIdAtIndex()      (api.c)

These only link when the library is built with test-static visibility, so
normal (shared) builds failed at link with "undefined reference", breaking
essentially every CI build job. Gate the affected assertions on
WOLFSSL_TEST_STATIC_BUILD (in addition to the existing feature guards) so
they compile out where the symbols are hidden, matching the existing
wolfSSL convention for internal-symbol tests.

Verified: ./configure --enable-all (no WOLFSSL_TEST_STATIC_BUILD) now
builds tests/unit.test cleanly and the full suite passes.
2026-07-09 10:02:21 +02:00
Daniele Lacamera e7cd2b773e tests: AES MC/DC white-box supplement + api decision/feature coverage
Add tests/unit-mcdc/, a standalone white-box program that compiles
wolfcrypt/src/aes.c directly to reach static/WOLFSSL_LOCAL helpers
(GHASH/GHASH_UPDATE ptr guards, _AesNew_common cross-arg checks) that
are structurally unreachable through the public API, closing 19 of the
AES MC/DC residuals. Extend tests/api/test_aes.{c,h} with the
decision/feature coverage cases these build on.

These are for the external ISO 26262 per-module MC/DC campaign; they do
not change library behaviour and are not part of the wolfSSL build.
2026-07-09 10:02:21 +02:00
Daniele Lacamera 8b5abe54c1 tests: add MC/DC decision/feature coverage tests
Add MC/DC-targeted unit tests exercising decision and feature coverage
across AES (key wrap, GCM, feature), ASN.1, RSA, signature (falcon),
and CryptoCb registry surfaces.
2026-07-09 10:02:21 +02:00
David Garske a4aab71ffe Merge pull request #10861 from padelsbach/asn-integer-overflow-copy
Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER
2026-07-08 15:20:05 -07:00
David Garske b4d51dbbda Merge pull request #10607 from julek-wolfssl/evp-pkey-encoded-public-key
Add EVP_PKEY encoded public key get/set compatibility functions
2026-07-08 12:20:33 -07:00
David Garske 4d3d2318f6 Merge pull request #10628 from yosuke-wolfssl/fix/f_4226
Reject CR/LF in OCSP/CRL URLs to block HTTP injection
2026-07-08 11:54:00 -07:00
David Garske 922e126423 Merge pull request #10693 from padelsbach/crl-use-after-free
Fix use-after-free possibility in GetCRLInfo
2026-07-08 11:37:41 -07:00
David Garske b29e3a1a11 Merge pull request #10863 from holtrop-wolfssl/zd22109
Fix use-after-free in some TLS shutdown/ReceiveData sequences
2026-07-08 10:54:52 -07:00
David Garske 76491e6b60 Merge pull request #10661 from yosuke-wolfssl/fix/f_5808
Enable SCSV check unconditionally
2026-07-08 10:52:59 -07:00
David Garske 16a2681ca4 Merge pull request #10604 from AlexLanzano/cryptocb-getdevice
Expose wc_CryptoCb_GetDevice and add CryptoCb API test coverage
2026-07-08 10:30:59 -07:00
David Garske 67ca317097 Merge pull request #10737 from kareem-wolfssl/zd21998
X509 validation fixes
2026-07-08 09:48:26 -07:00
JacobBarthelmeh 7c085837ae Merge pull request #10772 from dgarske/qat_review
Intel QuickAssist: multi-device utilization + software-fallback / Cavium fixes
2026-07-08 10:39:24 -06:00
David Garske 60085b0e48 Merge pull request #10837 from rlm2002/zd-NameConstraints
DNS name constraint fix
2026-07-08 09:21:52 -07:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
David Garske b19f00a736 Merge pull request #10807 from SparkiDev/aes_gcm_siv_asm
AES-GCM-SIV: Add implementation in C and assembly
2026-07-08 08:30:02 -07:00
David Garske 7f441a687a Merge pull request #10748 from night1rider/AES-Callbacks
AES callbacks for CFB and OFB
2026-07-08 08:25:23 -07:00
Josh Holtrop 07d41740de Fix use-after-free in some TLS shutdown/ReceiveData sequences 2026-07-08 08:14:39 -04:00
Tobias Frauenschläger dcc2b23b1a Merge pull request #10852 from stenslae/fix-mldsa-privkeydecode-no-asn1
Fix ML-DSA level auto-detection in WOLFSSL_MLDSA_NO_ASN1 builds
2026-07-08 10:03:34 +02:00
Paul Adelsbach f842e33145 Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER 2026-07-07 17:41:49 -07:00
David Garske e0a8f3f475 Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
2026-07-07 16:41:15 -07:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
David Garske 7dd7ae86c0 Merge pull request #10770 from embhorn/zd22032
Fix wolfSSL_BUF_MEM_grow_ex with WOLFSSL_NO_REALLOC
2026-07-07 14:48:29 -07:00
Sean Parkinson 2c0e235bd1 AES-GCM-SIV: Add implementation in C and assembly
Added assembly for Intel x64, ARM64, ARM32, Thumb2.
2026-07-08 07:15:26 +10:00
night1rider 2c6261d1a8 Add testing for cryptocb only for aes ofb and cfb 2026-07-07 14:20:29 -06:00
night1rider d09803154b Adding callbacks for AES mode OFB and CFB, along with callback testing/coverage for the callback paths 2026-07-07 14:20:26 -06:00
David Garske e1ff608876 Intel QAT: add async hybrid PQC server key share regression test 2026-07-07 09:54:04 -07:00
Tobias Frauenschläger 54e20016cd x509_str.c: fix partial-chain double-push and rework pathLen tests
- Break out of the chain-build loop after the partial-chain fallback accepts
  a caller-trusted terminus, so it is pushed to ctx->chain once instead of
  twice; X509StoreCheckPathLen's anchor-skip is now defensive, not load-bearing.
- Drop the now-dead cert == anchor guard and refresh the comment.
- Rework the pathLen regression tests: reuse the existing certs/test-pathlen
  chains (chainF rejects, chainB verifies) instead of inlined report certs.
2026-07-07 16:02:27 +02:00
Tobias Frauenschläger cc78d130c4 X509 validation fixes 2026-07-07 16:02:27 +02:00
Daniel Pouzzner 833e360ccd fixes for issues identified by CI tests and AI review:
tests/api/api.h: always use FIPS 186-4 settings if defined(HAVE_SELFTEST).

wolfssl/wolfcrypt/settings.h: if defined(HAVE_SELFTEST), #define WC_FIPS_186_4.
2026-07-07 02:35:51 -05:00
Daniel Pouzzner 12272e1c06 wolfssl/wolfcrypt/hash.h, src/internal.c, src/pk_ec.c, tests/api/api.h, wolfcrypt/src/dsa.c, wolfcrypt/src/ecc.c, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* remove FIPS 186-5 sign-mode restrictions from WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
* set up WC_MIN_DIGEST_SIZE_FOR_SIGN and WC_MIN_DIGEST_SIZE_FOR_VERIFY, derived from WC_HASH_CUSTOM_MIN_DIGEST_SIZE, but enforcing FIPS 186-5 sign-mode restrictions only for WC_MIN_DIGEST_SIZE_FOR_SIGN.
* replace all uses of WC_MIN_DIGEST_SIZE with WC_MIN_DIGEST_SIZE_FOR_SIGN or WC_MIN_DIGEST_SIZE_FOR_VERIFY as appropriate.

wolfcrypt/test/test.c: in cryptocb_test(), don't expect callback execution in FIPS builds.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, if defined(NO_SHA) while registering ECDSA handlers, force WC_MIN_DIGEST_SIZE_FOR_VERIFY to 20 for SHA-1 verify support.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 42a9983e05 tests/api.c: appropriately pivot expected result code on minDhKeySz in test_wolfSSL_CTX_SetTmpDH_file() and test_wolfSSL_SetTmpDH_file().
tests/api/test_evp_pkey.c and tests/api/test_ossl_rsa.c: for FIPS, use WC_RSA_EXPONENT as the exponent for RSA_generate_key(), not 3.
2026-07-07 00:19:47 -05:00
Emma Stensland 8407359792 fix ml-dsa level auto detection in no asn1 builds 2026-07-06 16:08:58 -06:00
Daniel Pouzzner 326f40d032 Merge pull request #10626 from mattia-moffa/20260605-dtls-cid-check-newest
DTLS bugfixes
2026-07-03 01:18:38 -05:00
Daniel Pouzzner 8c7ab8eb4f Merge pull request #10686 from Frauschi/openssl_group_align
Align wolfSSL_set1_groups_list() arg handling with OpenSSL
2026-07-03 01:17:33 -05:00
Daniel Pouzzner a543bc4d78 Merge pull request #10745 from Frauschi/mandatory_psk
Enable support for mandatory PSKs
2026-07-03 01:16:45 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner dc326f8c70 Merge pull request #10691 from julek-wolfssl/tls13-fragmented-sessionticket-defrag
TLS 1.3: reassemble fragmented post-handshake messages after FreeArrays
2026-07-03 00:50:10 -05:00
Daniel Pouzzner 47b7d6ff04 Merge pull request #10739 from JacobBarthelmeh/test
fix for nightly memory allocation test cases with LMS
2026-07-03 00:44:29 -05:00
Daniel Pouzzner 27e160fa53 Merge pull request #10764 from embhorn/gh10761
Fix TLS1.2 error code correction
2026-07-03 00:41:35 -05:00
Ruby Martin bd4c11aec4 Expand test_wolfSSL_CertManagerNameConstraint_DNS_CN with non-dNSName SAN cases
update comments
2026-07-02 12:43:28 -06:00
David Garske d390a98f64 Merge pull request #10754 from SparkiDev/arm64_asm_c_fallback
Aarch64 asm: Have software fallback and CPU id checks
2026-07-02 09:30:19 -07:00
Tobias Frauenschläger 79b30aa268 Enable support for mandatory PSKs
Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.

This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.

To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.

The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.

The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.

Added unit tests for the new APIs and enforcement.
2026-07-02 16:02:20 +02:00
Mattia Moffa bf985f1d21 NewConnectionId: reject CID larger than DTLS_CID_MAX_SIZE 2026-07-02 14:16:25 +02:00
Tobias Frauenschläger 154f2e2ea4 F-6547 - Reject TLS KeyUpdate on QUIC connections
QUIC performs key updates at the packet-protection layer via the Key
Phase bit, so RFC 9001 section 6 requires a QUIC endpoint to reject any
received TLS KeyUpdate handshake message as a fatal unexpected_message
connection error and to never send one. The TLS 1.3 receive path
processed the message normally, rotating traffic secrets and possibly
emitting a prohibited KeyUpdate response, and the send path allowed a
QUIC connection to originate a KeyUpdate.

Guard the key_update case in SanityCheckTls13MsgReceived so a QUIC
connection aborts with a fatal unexpected_message alert, and guard
Tls13UpdateKeys so a QUIC connection cannot send a KeyUpdate. Add a
QUIC unit test that feeds a post-handshake KeyUpdate and confirms the
connection is refused.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger e8865748f2 F-6351 - Fix use after free in wolfSSL_ASN1_STRING_set self-alias
When the caller passes the object's own data pointer as the source,
wolfSSL_ASN1_STRING_set freed the existing buffer before copying from
it, reading freed memory in the dynamic case and copying cleared bytes
in the fixed-buffer case. Duplicate the source into a temporary buffer
when it aliases the object before disposing of the old buffer, then
free the temporary once the copy completes.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 3c5ae182a6 F-6350 - Cap d2i_ASN1_OBJECT parse window to OID size
An oversized length argument was passed straight to GetASNHeader as the
buffer bound. A caller supplying a length larger than the real buffer let
the OBJECT_ID header claim more content than was present, driving the OID
validation read past the end of the allocation. Since an ASN1_OBJECT is an
OID, clamp the parse window to the maximum OID encoding so the header
decode cannot read beyond a sane bound.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger d88ac76fda F-6347 - Reject negative and oversized length in EVP_EncodeUpdate
wolfSSL_EVP_EncodeUpdate did not validate the input length. A large
inl caused the block loop and the residual copy to read far past the
caller's input buffer, and a negative inl was silently treated as
success. Reject negative lengths and lengths whose base64 output would
overflow a positive int before processing any data.
2026-07-02 11:36:01 +02:00