Commit Graph

29626 Commits

Author SHA1 Message Date
JacobBarthelmeh f6b022883f fix for acert builds 2026-04-06 11:17:01 -06:00
Daniel Pouzzner 1cd8edb3ec Merge pull request #10134 from JacobBarthelmeh/openvpn
pin OpenVPN version until BN_bn2binpad is added
2026-04-06 11:52:02 -05:00
Lealem Amedie 97f1e44721 Add Ed25519/Ed448 cases to oid2nid() oidKeyType switch 2026-04-06 10:03:17 -06:00
JacobBarthelmeh eddea3884a pin OpenVPN version until BN_bn2binpad is added 2026-04-06 09:22:28 -06:00
Daniel Pouzzner abce5be989 wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:
* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>
2026-04-06 00:53:57 -05:00
Tobias Frauenschläger 580cbe29da Fix stack buffer overflow in wc_PKCS7_DecryptOri
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:24 +02:00
Tobias Frauenschläger 1de4020fe4 Respect outputSz in PKCS7 decode methods
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:24 +02:00
Tobias Frauenschläger 2237297cea Properly reject Ed448 identity public key
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:18 +02:00
Tobias Frauenschläger cece804621 Cap DTLS1.3 max ACK records to prevent overflow
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Tobias Frauenschläger 50f28d907e fix for wc_DhAgree public key validation
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Ruby Martin 5e79661aa3 prevent resource leak if ASN1_INTEGER_to_BN() != null if expected 2026-04-03 17:13:29 -06:00
Ruby Martin f59d50f18a bound notBeforeDataEnd with origSz 2026-04-03 17:12:27 -06:00
Daniel Pouzzner 0c9b6397be Merge pull request #10103 from gasbytes/fix-dtls13-oversized-cert-chain
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains
2026-04-03 11:55:03 -05:00
Juliusz Sosinowicz e443ef0304 Use InetPtonA for XINET_PTON macro on Windows
Explicitly call the ANSI version of the InetPton function to avoid an incorrect cast to PCWSTR when the input string is a standard character pointer.
2026-04-03 15:25:14 +02:00
Reda Chouk 1653ecd07e Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains 2026-04-03 12:10:42 +02:00
Juliusz Sosinowicz f2b9e3d654 Unconditionally validate TLS 1.2 ciphertext size in ProcessReply F-1476 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz f28fd3746b ForceZero mac buffer in ExpectedResumptionSecret before return F-1465 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz 96b4e01b20 ForceZero mac buffer in DoTls13Finished before return F-1464 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz ed0976a821 ForceZero binderKey and binder buffers in DoPreSharedKeys F-1463 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz b72a2133fc ForceZero hmac buffer in Tls13IntegrityOnly_Decrypt before return F-1466 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz d7ecfec5e2 Add NULL checks for context/ciphertext/out in wc_HpkeContextOpenBase F-1374 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz dcde00a1eb Add NULL parameter validation to wc_CryptKey F-1372 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz d6d439c6e6 Add NULL parameter validation to wc_Des_CbcEncryptWithKey/DecryptWithKey F-1371 2026-04-03 10:34:55 +02:00
Tobias Frauenschläger 2ae20723db evp: fix EVP_PKEY2PKCS8 returning NULL for private-key-only EC keys
When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.

ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr.  After commit 929dd9913 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.

Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated).  This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.
2026-04-02 22:38:35 -06:00
Tobias Frauenschläger 1823f2e9fc tls: fix ECH heap buffer overflow via publicName SNI pollution
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions
unconditionally even when TLSX_Find returned NULL. This caused
TLSX_UseSNI to attach the attacker-controlled publicName to the shared
WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then
failed to clean it up because its removal was gated on serverNameX !=
NULL. The inner ClientHello was sized before the pollution but written
after it, causing TLSX_SNI_Write to memcpy 255 bytes past the
allocation boundary.

Fix by mirroring the guarded pattern of the ssl->extensions branch:
only set extensions when TLSX_Find returns non-NULL, and only perform
the SNI swap when extensions is non-NULL. Also move TLSX_Remove in
TLSX_EchRestoreSNI outside the serverNameX guard so any injected
publicName SNI is always cleaned up.

Also return BAD_FUNC_ARG when ECH is used without an inner SNI,
preventing ECH ClientHello construction in an invalid configuration.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:26 -06:00
Tobias Frauenschläger e5ab7fa745 x509: fix CA:FALSE bypass in wolfSSL_X509_verify_cert
When an untrusted issuer has CA:FALSE and no verify_cb is registered,
the !isCa branch now fails closed (ret=WOLFSSL_FAILURE, goto exit)
instead of falling through and skipping X509StoreVerifyCert for the
leaf. SetupStoreCtxError_ex is also hardened to never overwrite a
previously recorded error with success, preventing a later valid chain
link from clobbering ctx->error back to X509_V_OK. Tests added for
both the no-callback rejection and the error-preservation cases.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:16 -06:00
Tobias Frauenschläger a88dd07c70 pkcs7,aes: reject truncated GCM auth tags
wc_PKCS7_DecodeAuthEnvelopedData() accepted an attacker-controlled GCM tag
length from the mac OCTET STRING and did not validate it against the
parsed aes-ICVlen parameter. In parallel, wc_AesGcmDecrypt() accepted
very short tags on decrypt while encrypt enforced WOLFSSL_MIN_AUTH_TAG_SZ.

This made short-tag verification reachable through CMS AuthEnvelopedData
and weakened integrity checks by allowing tag truncation.

Fixes:
- validate parsed macSz range in AuthEnvelopedData decode
- require authTagSz to match parsed macSz
- reject undersized GCM tags in PKCS7 decode
- enforce WOLFSSL_MIN_AUTH_TAG_SZ in wc_AesGcmDecrypt() and
  wc_AesGcmDecryptFinal()

Also add a regression test in pkcs7authenveloped vectors that truncates
the final MAC OCTET STRING length from 16 to 1 and verifies decode fails.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:05 -06:00
Daniel Pouzzner d278da09df Merge pull request #10112 from embhorn/zd21470
Fix CertFromX509 copy length check
2026-04-02 23:21:11 -05:00
Daniel Pouzzner ed1f055116 Merge pull request #10119 from kareem-wolfssl/zd21512
Exit MatchDomainName if pattern or string length reach 0.
2026-04-02 22:54:53 -05:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00
Daniel Pouzzner b6d8829ba9 Merge pull request #10114 from Frauschi/fenrir
Fenrir fixes
2026-04-02 22:52:48 -05:00
Daniel Pouzzner 2c41a7c5aa Merge pull request #10115 from julek-wolfssl/zd/21469
Fix multiple bugs in OCSP implementation
2026-04-02 22:50:28 -05:00
Daniel Pouzzner fb4c40170a Merge pull request #10090 from julek-wolfssl/zd/21421
Improve DTLS bucket logic
2026-04-02 22:49:41 -05:00
Kareem 5b6b138964 Add sz check to ChachaAEADDecrypt to prevent potential underflow.
Thanks to Zou Dikai for the report.
2026-04-02 16:41:55 -07:00
Daniel Pouzzner 14dbba7b21 armasm: in prototypes for fe_cmov_table(), declare the base arg as const fe*. 2026-04-02 14:14:16 -07:00
Eric Blankenhorn 2b1cde5bbb Fix test for FIPS config 2026-04-02 16:13:18 -05:00
Eric Blankenhorn 3893fd3c6e Fix feedback from review 2026-04-02 16:13:18 -05:00
Eric Blankenhorn 772cda3d48 Fix CertFromX509 copy length check 2026-04-02 16:13:18 -05:00
Kareem 90d6312323 Rework check to avoid changing existing logic. 2026-04-02 11:17:20 -07:00
Kareem 1274c7b5e7 Exit MatchDomainName if pattern or string length reach 0. 2026-04-02 11:17:19 -07:00
Daniel Pouzzner 84f9b20435 Merge pull request #10062 from anhu/vol
Volatile casting
2026-04-02 09:40:40 -05:00
Tobias Frauenschläger 22a2290972 Fix TOCTOU issues in SP math code 2026-04-02 15:06:35 +02:00
Tobias Frauenschläger 1faddd640e evp: verify Poly1305 tag on ChaCha20-Poly1305 decrypt
EVP_DecryptFinal_ex() called wc_ChaCha20Poly1305_Final() which only
computes the Poly1305 tag, writing it into ctx->authTag and
overwriting the expected tag stored there by EVP_CTRL_AEAD_SET_TAG.
No comparison was ever performed, so any forged tag was accepted.

Fix: save the expected tag before calling Final(), then verify with
wc_ChaCha20Poly1305_CheckTag() on the decrypt path, mirroring the
existing AES-GCM branch. Add a regression test that asserts
EVP_DecryptFinal_ex() rejects an all-zero forged tag.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 13a016367f eccsi: fix universal signature forgery via r=0/s=0
wc_VerifyEccsiHash did not validate that r and s lie in [1, q-1]
after decoding them from the signature buffer.  With s=0 the scalar
multiplication [s](...) returns the point at infinity (J_x=0); with
r=0 the final mp_cmp(0,0)==MP_EQ check then accepts the forged
signature unconditionally against any message and any identity.

Add [1, q-1] range checks for r (in wc_VerifyEccsiHash, after params
are loaded) and for s (in eccsi_calc_j, after eccsi_decode_sig_s),
mirroring the checks already present in wc_ecc_check_r_s_range.
Add a defense-in-depth point-at-infinity guard on J before the final
comparison.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 10953f021b CMAC: fix wraparound in streaming update.
The guard `if (cmac->totalSz != 0)` was used to skip XOR-chaining on
the first block (where digest is all-zeros and the XOR is a no-op).
However, totalSz is word32 and wraps to zero after 2^28 block flushes
(4 GiB), causing the guard to erroneously fire again and discard the
live CBC-MAC chain state.  Any two messages sharing a common suffix
beyond the 4 GiB mark then produce identical CMAC tags, enabling a
zero-work prefix-substitution forgery.  The fix removes the guard,
making the XOR unconditional; the no-op property on the first block is
preserved because digest is zero-initialized by wc_InitCmac_ex.

Identified by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 8b2c0f7cd2 Make sure ASCON is unusable on big endian 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger da597e30db Fix SECO AES GCM return value 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger 6e0624065f Make sure ECB decrypt function is called in EVP
This only makes an actual difference when FREESCALE_MMCAU is defined (otherwise encrypt and decrypt are the same), but better for clarity still.
2026-04-02 11:55:41 +02:00
Tobias Frauenschläger b6b8de1f59 Add bounds checks for Blake2 digest size 2026-04-02 11:55:41 +02:00
Juliusz Sosinowicz 4cf33849b8 Fix multiple bugs in OCSP implementation
- wolfSSL_i2d_OCSP_REQUEST_bio: save/restore pointer before i2d call
  that advances it, preventing BIO_write from wrong offset and heap
  corruption on free
- wolfSSL_d2i_OCSP_RESPONSE: remove (unsigned char) cast that truncated
  pointer advance to 8 bits, breaking responses larger than 255 bytes
- wolfSSL_OCSP_CERTID_dup: deep-copy CertStatus to prevent double-free
  when both original and duplicate are freed
- wolfSSL_i2d_OCSP_RESPONSE: add NULL check on response parameter
- wolfSSL_i2d_OCSP_REQUEST: advance *data pointer per i2d convention
- FreeOCSP: NULL-check ocsp->cm before dereferencing for heap
- Fix WOLFSSL_LEAVE strings to match actual function names in
  wc_CheckCertOcspResponse, GetOcspEntry, GetOcspStatus,
  CheckOcspResponse, CheckOcspRequest

Add test for CERTID dup (double-free confirmed under ASAN without fix)
and pointer advancement assertions for d2i_OCSP_RESPONSE callers.

Reported in: ZD21469
2026-04-02 11:24:25 +02:00