Commit Graph

29626 Commits

Author SHA1 Message Date
Eric Blankenhorn ba20e380bf Fix DupSSL issue with Poly1305 auth 2026-04-28 09:30:14 -05:00
Lealem Amedie 5da71f4c98 Move new wolfSSL_ED* API's to openssl/ed*.h headers 2026-04-28 08:21:55 -06:00
Lealem Amedie c4400a15fb Address copilot feedback 2026-04-28 08:10:10 -06:00
Lealem Amedie 4791d8c26d Add --enable-tailscale to autotools 2026-04-28 07:05:26 -06:00
Juliusz Sosinowicz 1b26594345 wolfcrypt/src/wc_pkcs11.c: cache PKCS#11 session across multi-call HMAC
The cryptocb dispatcher opened and closed a fresh PKCS#11 session around
each HMAC invocation. PKCS#11 sign operations are session-scoped, so a
multi-call HMAC (wc_HmacUpdate then wc_HmacFinal, which arrive as
separate cryptocb dispatches) had its C_SignFinal land on a session
that never saw a C_SignInit, returning CKR_OPERATION_NOT_INITIALIZED
and surfacing as WC_HW_E. This broke any code path that drives Update
and Final separately under PKCS#11 routing.

Cache the PKCS#11 session handle on Hmac.devCtx (cast through wc_ptr_t,
matching the existing pattern for cached PKCS#11 object handles) and
rebuild the Pkcs11Session on the stack. The session is opened on the
first dispatch when the operation enters
WC_HMAC_INNER_HASH_KEYED_DEV state and released when it leaves that
state (Final completed or hard error).
2026-04-28 13:04:00 +00:00
Juliusz Sosinowicz 9d49f7f261 TLSX_GetSize: return error as soon as it happens 2026-04-28 14:54:20 +02:00
Juliusz Sosinowicz b0fdaa2a6d TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
RFC 8446 section 8 requires any server instance to accept 0-RTT for a
given ClientHello at most once. Prior to this change wolfSSL's behaviour
diverged from that requirement in several ways:

  * ctx->maxEarlyDataSz defaulted to MAX_EARLY_DATA_SZ whenever the
    library was built with WOLFSSL_EARLY_DATA, so servers auto-
    advertised 0-RTT in NewSessionTicket without the application
    asking. RFC 8446 E.5 says 0-RTT MUST NOT be enabled unless
    specifically requested.
  * The post-accept eviction is compiled out under NO_SESSION_CACHE,
    so builds without the cache accepted 0-RTT with no replay defence.
  * Stateless self-encrypted tickets do not carry a session ID on the
    stateless DoClientTicket decrypt path, so wolfSSL_SSL_CTX_remove_
    session could not locate them to evict.
  * wolfSSL_SSL_CTX_remove_session always returned 0 on success
    regardless of whether the session was actually in the cache,
    diverging from OpenSSL's SSL_CTX_remove_session (1 on success,
    0 on not-found).

Changes:
  * src/internal.c: ctx->maxEarlyDataSz defaults to 0; applications
    must opt in with wolfSSL_CTX_set_max_early_data.
  * src/tls13.c: #error when WOLFSSL_EARLY_DATA is built with
    HAVE_SESSION_TICKET and NO_SESSION_CACHE. Escape hatch
    WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY for deployments that take
    application-layer responsibility.
  * wolfssl/internal.h: imply WOLFSSL_TICKET_HAVE_ID from
    WOLFSSL_EARLY_DATA so stateless-ticket issuance populates the
    cache under an ID that eviction can find.
  * src/ssl_sess.c: wolfSSL_SSL_CTX_remove_session returns 1 when the
    session was found (internal-cache hit, or ctx->rem_sess_cb fired
    for an external cache), 0 otherwise. Matches OpenSSL semantics.
  * src/tls13.c: the 0-RTT acceptance condition in CheckPreSharedKeys
    now calls wolfSSL_SSL_CTX_remove_session and checks its return:
    the eviction is the check. If the session was in the cache, 0-RTT
    is accepted and the single-use requirement is satisfied. If not,
    the early_data extension is rejected through the normal path so
    the record layer correctly skips in-flight 0-RTT records.
    WOLFSSL_MSG at each rejection site.
  * doc/dox_comments/header_files/ssl.h: document runtime opt-in.
  * tests: four new tests —
    test_tls13_0rtt_default_off (fails without default-to-0 fix),
    test_tls13_0rtt_stateless_replay (fails without TICKET_HAVE_ID
    implication and remove_session gate),
    test_tls13_remove_session_return (fails without return-value fix),
    test_tls13_0rtt_ext_cache_eviction (fails without ext-cache
    counts-as-found fix).
    test_tls13_early_data explicitly opts in via
    wolfSSL_CTX_set_max_early_data.
    tests/api.c: two SSL_CTX_remove_session == 0 assertions updated
    to == 1.
2026-04-28 14:14:16 +02:00
Juliusz Sosinowicz 558c329571 fixup! fenrir: address review feedback on PR 10230 2026-04-28 13:22:53 +02:00
Juliusz Sosinowicz 4a85f00240 src/x509.c: refactor wolfSSL_PEM_read_bio_X509_CRL onto the per-block reader
ReadPemFromBioToBuffer slurps the entire BIO in one shot, so iterative
callers like wolfSSL_PEM_read_bio_X509_CRL (and by extension
wolfSSL_X509_load_crl_file's BIO branch) saw EOF after the first block
and silently dropped every CRL after the first in a multi-CRL bundle.

Refactor wolfSSL_PEM_read_bio_X509_CRL to delegate to
wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio, which already reads one
PEM BEGIN/END pair per call and leaves the BIO positioned just past the
END line. Loop over it so we skip past intervening cert/key blocks and
return the next CRL in the stream — matching OpenSSL's
PEM_read_bio_X509_CRL, verified against OpenSSL 3.0.13 with cases
{cert,CRL}, {CRL,cert}, {CRL,cert,CRL}, {key,CRL}, {CRL,key,CRL}: in
each case OpenSSL skips non-CRL blocks until EOF.

When the caller passes a non-NULL `x` whose `*x` is already populated,
free the previous CRL before overwriting the slot — matching the
d2i_X509_CRL reuse contract the old body relied on.

To keep both helpers visible at the new call site, drop their `static`
qualifier (wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio for the per-block
read, wolfSSL_X509_PKEY_free to free defensively-allocated keys parsed
from intervening non-CRL blocks). Their definitions in src/x509.c and
declarations in wolfssl/internal.h are widened from OPENSSL_ALL to
OPENSSL_EXTRA || OPENSSL_ALL so the OPENSSL_EXTRA-only build (which
compiles wolfSSL_PEM_read_bio_X509_CRL) links cleanly. The unrelated
INFO_read_bio / INFO_read_bio_X509_INFO group below them keeps its
OPENSSL_ALL gate because it depends on wolfSSL_X509_INFO_new/free that
are still OPENSSL_ALL-only.

Also register the previously-orphaned test_wolfSSL_X509_load_crl_file
(its slot in TEST_OSSL_X509_LOOKUP_DECLS was a duplicated
test_wolfSSL_X509_LOOKUP_ctrl_hash_dir entry), update its assertion for
crl2.pem (which already contains two CRLs) to expect 2 instead of 1, and
add a multi-CRL bundle case that builds a memory BIO from
crl.pem + server-cert.pem + crl2.pem and asserts that the reader walks
past the cert and returns all 3 CRLs before NULL.
2026-04-28 10:06:47 +00:00
Lealem Amedie 1f260ccb0a Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension) 2026-04-27 17:15:06 -06:00
David Garske e31e158225 Fix for using STM32 AES hardware crypto with WOLFSSL_ARMASM set (ZD 21262) 2026-04-27 14:46:18 -07:00
David Garske 1c9555c121 Merge pull request #10324 from douzzer/20260426-fixes
20260426-fixes
2026-04-27 14:06:07 -07:00
Eric Blankenhorn e37118bdfb Hardening in TLSX_KeyShare_ProcessPqcHybridClient 2026-04-27 15:37:32 -05:00
Daniel Pouzzner 66ea4daa09 wolfcrypt/src/wc_port.c: in wc_socket_cloexec(), add necessary but undocumented __USE_GNU gating on call to accept4() (pre-includes can bring in socket.h before the override setting of _GNU_SOURCE at the top). Also enable accept4() for FreeBSD. 2026-04-27 11:40:04 -05:00
Daniel Pouzzner 3279b367d7 wolfcrypt/src/wc_lms.c: remove redundant gating on WOLFSSL_LMS_SHAKE256 in wc_LmsParamsMap wc_lms_map[]. 2026-04-27 11:37:29 -05:00
Daniel Pouzzner ac11279c60 wolfcrypt/src/random.c:
* add workaround in Hash512_df() for gcc compiler bug around AVX512 and object alignment.
* add missing WC_VERBOSE_RNG clause.
2026-04-27 11:37:15 -05:00
Daniel Pouzzner 1d8028865f wolfcrypt/benchmark/benchmark.c: add missing WOLFSSL_USE_SAVE_VECTOR_REGISTERS handling in bench_stats_ops_finish(). 2026-04-27 11:36:48 -05:00
Daniel Pouzzner beae56fba7 wolfcrypt/test/test.c:
* fix aes_eax_test() for NO_MALLOC (use WC_*_VAR() to allocate eax context).
* in slhdsa_test(), gate the profusely verbose TestDumpData() clauses on WC_SLHDSA_VERBOSE_DEBUG.
2026-04-27 11:36:34 -05:00
Daniel Pouzzner 7035fcf72b wolfcrypt/src/wc_slhdsa.c:
* fix smallstackcache memory leaks in sha256 and sha512 contexts -- don't init or copy over a context that's been inited but not freed, and make sure to explicitly free any context that's been inited or copied over.
* fix uninited-var warnings in slhdsakey_wots_sign(), slhdsakey_xmss_sign(), and slhdsakey_fors_sign() (the uninited-var scenario depends on corrupt arg(s) resulting in zero iterations).
2026-04-27 11:36:15 -05:00
David Garske 3181e2bcf8 Merge pull request #10309 from JacobBarthelmeh/openvpn
remove openvpn master from CI test
2026-04-27 08:49:30 -07:00
Juliusz Sosinowicz f3e183a338 fenrir: address review feedback on PR 10230
- tls.c: TLSX_CertWithExternPsk_GetSize takes word16*, but length was
  widened to word32 in TLSX_GetSize. Use the hsz staging variable like
  the other cases so WOLFSSL_CERT_WITH_EXTERN_PSK builds compile.
- tls.c: silence -Wunused-variable for hsz in builds where every case
  that consumes it (TLS 1.3, PSK, ETM, early data, PHA, cookie, cert
  with extern PSK) is compiled out, e.g. user_settings_tls12.h.
- test_tls_ext.c: assert session->ticketLen > 0 before mutating
  ticketAdd in the ticket-age out-of-window test so it fails loudly if
  no NewSessionTicket was received.
2026-04-27 14:03:31 +02:00
Juliusz Sosinowicz ff60134ff0 tests: add TLS 1.3 ticket age out-of-window test (F-1824)
DoClientTicketCheck's ticket-age bounds (-1000 ms low bound and
MAX_TICKET_AGE_DIFF*1000+1000 ms high bound) were never exercised by
any integration test, so mutations of the constants went undetected.
Establish a TLS 1.3 session, read the NewSessionTicket, then shift the
client's cached ageAdd by well over 1 second so the server's
unobfuscated diff falls outside the valid window on resumption. The
server must reject the PSK — session_reused stays 0.
2026-04-27 14:03:14 +02:00
Juliusz Sosinowicz 2df4936092 tests: add HRR cipher-suite mismatch negative test (F-2126)
DoTls13ClientHello enforces RFC 8446 Section 4.1.4 by comparing the
cipher suite in the second ClientHello to the hrrCipherSuite cached on
the server from the HelloRetryRequest. No existing test covers the
mismatch branch, so a deletion of the check would silently allow a
client to switch cipher suite between CH1 and CH2. Drive a partial
handshake until the server has emitted the HRR, then flip the cached
hrrCipherSuite on the server; processing CH2 must surface
INVALID_PARAMETER.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 9aa69f4996 tests: add default ticket key callback HMAC negative test (F-2922)
wolfSSL_TicketKeyCb is the built-in ticket callback registered by the
OpenSSL-compat wolfSSL_CTX_set_tlsext_ticket_key_cb API. Its
ConstantCompare of the ticket HMAC was never reached in any test, so a
deletion of the check would silently accept forged tickets. New test
sets up the compat callback, establishes a TLS 1.2 session, saves it,
flips a byte of the encrypted ticket, and asserts the resumption
attempt does not complete.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 920e175dd6 tests: add SCR verify_data mismatch test (F-2913, F-2914)
Cover both branches of TLSX_SecureRenegotiation_Parse's ConstantCompare
against the cached Finished verify_data: a single memio test loops
over client-side and server-side corruption, renegotiates, and
asserts the offending peer surfaces SECURE_RENEGOTIATION_E.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz d97d0370d1 tests: add TLS 1.3 null cipher HMAC negative test (F-2916)
Tls13IntegrityOnly_Decrypt was completely untouched by existing tests,
so any mutation of its ConstantCompare would pass CI. Add a memio
TLS 1.3 handshake over TLS13-SHA256-SHA256 (integrity-only NULL cipher),
then corrupt the final byte of the next record body via an IORecv
wrapper and assert the server surfaces DECRYPT_ERROR.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 01cc5b1655 tests: add ChaCha20-Poly1305 AEAD tag negative test (F-2921)
Cover the Poly1305 ConstantCompare tag check in ChachaAEADDecrypt that
no existing test was hitting (VERIFY_MAC_ERROR never expected in the
suite). A memio-based TLS 1.2 handshake over
ECDHE-RSA-CHACHA20-POLY1305 completes, the server's IORecv is then
replaced with a wrapper that flips the final byte of the next record
body so the forged Poly1305 tag no longer matches. The server's
wolfSSL_read must surface VERIFY_MAC_ERROR.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz ef73b3b233 tests: add EMS resumption downgrade negative test (F-2915)
Covers the HandleResumeHistory check that RFC 7627 Section 5.3 requires:
if the original session used Extended Master Secret, the server MUST
abort when a resumption ClientHello is received without EMS. The new
memio test performs a TLS 1.2 handshake with EMS, saves the session,
disables EMS on a fresh client, resumes with the saved session, and
asserts the server returns EXT_MASTER_SECRET_NEEDED_E.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 0f9fb2fb1d tls: fix TLSX_CA_Names_GetSize word16 overflow (F-2927)
The CA Names extension size accumulator was a word16. With enough
CA entries (or large DER-encoded names) the running total can wrap
silently, leaving TLSX_CA_Names_Write to overflow an undersized
extension buffer. Match TLSX_SNI_GetSize: use a word32 accumulator
and return 0 when the total exceeds WOLFSSL_MAX_16BIT.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz b8da926ae8 tls: fix TLSX_PreSharedKey_GetSize word16 overflow (F-2925)
Both TLSX_PreSharedKey_GetSize and TLSX_PreSharedKey_GetSizeBinders
accumulate per-identity bytes into a word16. With enough PSK entries
(or large binderLen/identityLen values) the accumulator wraps silently
and the caller allocates an undersized extension buffer, which
TLSX_PreSharedKey_Write then overflows.

Switch both accumulators to word32 and return LENGTH_ERROR when the
total would exceed the 16-bit wire length field.
2026-04-27 14:03:13 +02:00
Juliusz Sosinowicz 535aaf2325 tls: fix TLSX_TCA_GetSize word16 overflow (F-2131)
Mirror the TLSX_SNI_GetSize pattern: accumulate into a word32 and
return 0 when the aggregate size exceeds WOLFSSL_MAX_16BIT so large
idSz values or many TCA entries no longer silently wrap to a small
value that undersizes the TLSX_TCA_Write output buffer.
2026-04-27 14:01:55 +02:00
Juliusz Sosinowicz 646ff6dde4 tls: fix TLSX_ALPN_GetSize word16 overflow (F-2128)
Match the TLSX_SNI_GetSize pattern: use a word32 accumulator and return
0 if the aggregate size exceeds WOLFSSL_MAX_16BIT, so a large number of
ALPN entries can no longer silently wrap the length computation.
2026-04-27 14:01:55 +02:00
David Garske 6074a2dbe8 Merge pull request #10308 from douzzer/20260424-fixes
20260424-fixes
2026-04-25 16:35:09 -07:00
Daniel Pouzzner 6040cd7915 configure.ac: fix to allow SHAKE force-off FIPS lean-aesgcm setup. 2026-04-25 12:34:25 -05:00
Daniel Pouzzner 0bfa206b74 configure.ac: for FIPS v6 setup, explicitly set WOLFSSL_NOSHA512_224 and WOLFSSL_NOSHA512_256;
wolfssl/wolfcrypt/hash.h: when WOLFSSL_NOSHA512_{224,256}, gate out prototypes for wc_Sha512_{224,256}Hash[_ex](), to shift build failures from link-time to compile-time.
2026-04-25 12:21:26 -05:00
Daniel Pouzzner caffc458af .github/workflows/: add -Wnull-dereferences to a few -pedantic scenarios missed in the first pass. 2026-04-25 11:47:25 -05:00
Daniel Pouzzner aab90d7a25 tests/api.c: fix false-positive -Wmaybe-uninitialized in test_wolfSSL_clear_secure_renegotiation() with --enable-all CFLAGS=-Og. 2026-04-25 11:47:25 -05:00
Daniel Pouzzner df486d8cd5 src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (detected by armel build);
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);

wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner 363bb0e216 configure.ac:
* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;

wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();

 .wolfssl_known_macro_extras: fix lexical order.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner 72a39bfa57 wolfssl/wolfcrypt/random.h: fix "comma at end of enumerator list [-Werror=pedantic]" in enum wc_DrbgType. 2026-04-25 11:47:25 -05:00
Daniel Pouzzner b79221acd3 wolfcrypt/test/test.c: in random_bank_test(), accommodate WOLFSSL_DRBG_SHA512 in the WC_RNG_BANK_FLAG_NO_VECTOR_OPS test;
linuxkm/lkcapi_sha_glue.c: in wc_mix_pool_bytes(), accommodate WOLFSSL_DRBG_SHA512.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner d14b8f8e79 .github/workflows/:
* add "-Wnull-dereference" to all existing "-pedantic -Wdeclaration-after-statement" configs;
* add an --enable-sp-math config to .github/workflows/pq-all.yml and .github/workflows/multi-arch.yml.
2026-04-25 11:47:24 -05:00
Daniel Pouzzner 91c7c8f9fb wolfcrypt/test/test.c and wolfcrypt/test/test.h: fix gating for dsa_test() and srp_test() prototypes to avoid -Wunused-function in --enable-sp-math builds. 2026-04-25 11:47:24 -05:00
Daniel Pouzzner 91f66fb9c0 tests/api/test_pkcs7.c: in test_wc_PKCS7_BER(), in expected-failure wc_PKCS7_DecodeEnvelopedData() in WOLFSSL_SP_MATH build, allow failure with either WC_KEY_SIZE_E or BUFFER_E, to accommodate blinding added by #10128 / 589feabc0c. 2026-04-25 11:47:24 -05:00
Daniel Pouzzner 1f1b572548 tests/api.c: fix -Wnull-dereferences in wolfSSL_UseSecureRenegotiation(). 2026-04-25 11:47:24 -05:00
Daniel Pouzzner 6c9e0ea5a7 linuxkm/lkcapi_ecdsa_glue.c: in km_ecdsa_verify(), add checks on hash_len following pattern of #10131, before calling wc_ecc_verify_hash(), for defense-in-depth. 2026-04-25 11:47:24 -05:00
JacobBarthelmeh 186ab8b0c3 remove openvpn master from CI test 2026-04-24 16:55:51 -06:00
David Garske 426dc7bb76 Merge pull request #10236 from Roy-Carter/feature/enhance_conf_and_max_size
Enhance extra user data value and external cookie length max size
2026-04-24 14:42:44 -07:00
David Garske 21921408b9 Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh 734a71180c Merge pull request #10220 from embhorn/zd21596
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00