Commit Graph

8430 Commits

Author SHA1 Message Date
Tobias Frauenschläger fd8f6e168b PQC Clang-tidy fixes
Fixes two clang-tidy warnings in error cases.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-24 09:28:23 +01:00
Daniel Pouzzner 0116ab6ca2 Merge pull request #8484 from jmalak/offsetof
Rename OFFSETOF macro to WolfSSL specific WC_OFFSETOF name
2025-02-23 14:45:43 -06:00
Jiri Malak 1d1ab2d9ff Rename OFFSETOF macro to WolfSSL specific WC_OFFSETOF name
There are the following reasons for this
- it conflicts with the OFFSETOF macro in the OS/2 header (Open Watcom)
- it is compiler-specific and should use the C standard offsetof definition in the header file stddef.h
- it is more transparent unique name
2025-02-22 09:44:54 +01:00
Tobias Frauenschläger c899f79cfa Update key share group ranking algorithm
In case no user group ranking is set, all groups are now ranked equally
instead of the order in the `preferredGroup` array. This is the
behavior already indicated in the comment header of the function.

This change is necessary for applications that do not set their own
group ranking (via `wolfSSL_CTX_set_groups()` for example). When such an
application creates a TLS server and receives a ClientHello message with
multiple key shares, now the first key share is selected instead of the
one with the lowest index in the `preferredGroup` array.

Recent browsers with PQC support place two key shares in their
ClientHello message: a hybrid PQC + X25519 one and at least one
classic-only one. The hybrid one is the first one, indicating a
preference. Without this change, however, always the classic-only key
share has been selected, as these algorithms have a lower index in the
`preferredGroup` array compared to the PQC hybrids.

Tested using a patched version of NGINX.

This change also results in a different selection of a key share group
in case of a HelloRetryRequest message. For the tests, where static
ephemeral keys are used (`WOLFSSL_STATIC_EPHEMERAL`), an additional
check is necessary to make sure the correct key is used for the ECDH
calculation.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-21 18:44:51 +01:00
Tobias Frauenschläger 89491c7e36 Improvements for PQC hybrid key exchange
Add support for X25519 and X448 based hybrid PQC + ECC key exchange
groups. Furthermore, two new combinations with SECP curves are added to
match OQS combinations.

This also incorporates the changed order of X25519 and X448 based
combinations to place the PQC material before the ECDH material. This is
motivated by the necessity to always have material of a FIPS approved
algorithm first.

Also, codepoints are updated to reflect the latest draft standards for
pure ML-KEM and some of the hybrids. With these changes and based on the
recent additions to both enable ML-KEM final and draft versions
simultaneously, a WolfSSL TLS server is now compatible with all recent
browsers that support either the draft version of ML-KEM (Chromium based
browsers and Firefox < version 132; only when the draft version is
enabled in the build) or the final version already (Firefox > version 132).

In the process of extending support, some code and logic cleanup
happened. Furthermore, some memory leaks within the hybrid code path have
been fixed.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-21 18:44:40 +01:00
jordan 95e26f5b27 coverity: dereference before null check. 2025-02-19 23:23:41 -05:00
Sean Parkinson 82b50f19c6 ML-KEM/Kyber: improvements
ML-KEM/Kyber:
  MakeKey call generate random once only for all data.
  Allow MakeKey/Encapsulate/Decapsulate to be compiled separately.
  Pull out public key decoding common to public and private key decode.
Put references to FIPS 140-3 into code. Rename variables to match FIPS
140-3.
  Fix InvNTT assembly code for x64 - more reductions.
  Split out ML-KEM/Kyber tests from api.c.

TLSX:
Store the object instead of the private key when WOLFSSL_MLKEM_CACHE_A
is defined or WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ. Faster decapsulation
when A is cached and object stored.
To store private key as normal define
WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY.

misc.c: when Intel x64 build, assume able to read/write unaligned
2025-02-20 08:14:15 +10:00
JacobBarthelmeh 539056e749 Merge pull request #8475 from embhorn/gh8473
Fix QUIC callback failure
2025-02-19 14:00:47 -07:00
Eric Blankenhorn 66ed35c910 Fix QUIC callback failure 2025-02-19 10:56:44 -06:00
Marco Oliverio 7db3c34e2b ocsp: enable OPENSSL tlsext status cb for NGINX and HAPROXY 2025-02-17 14:53:49 +00:00
Marco Oliverio a1d1f0ddf1 ocsp: enable SSL_CTX_set_tlsext_status_cb only in OPENSSL_ALL 2025-02-17 11:29:09 +00:00
Marco Oliverio 0945101948 ocsp: fix: remove duplicated code 2025-02-17 11:25:24 +00:00
Marco Oliverio 1eecf326fd ocsp: use ocspReponse->heap in OcspFindSigner + minors 2025-02-17 08:59:29 +00:00
Marco Oliverio c1c9af5cb6 minor: improve indentation of guards 2025-02-17 08:59:29 +00:00
Marco Oliverio 851d74fd69 ocsp-resp-refactor: address reviewer's comments 2025-02-17 08:59:29 +00:00
Marco Oliverio 3a3238eb9f ocsp: refactor wolfSSL_OCSP_response_get1_basic
The internal fields of OcspResponse refer to the resp->source buffer.
Copying these fields is complex, so it's better to decode the response again.
2025-02-17 08:58:03 +00:00
Marco Oliverio f526679ad5 ocsp: refactor OCSP response decoding and wolfSSL_OCSP_basic_verify
- Search certificate based on responderId
- Verify response signer is authorized for all single responses
- Align with OpenSSL behavior
- Separate wolfSSL_OCSP_basic_verify from verification done during
  decoding
2025-02-17 08:58:03 +00:00
Marco Oliverio d7711f04ab openssl compat: skip OCSP response verification in statusCb
This aligns with OpenSSL behavior
2025-02-17 08:58:02 +00:00
Marco Oliverio dedbb2526c ocsp: fix memory leaks in OpenSSL compat layer 2025-02-17 08:58:02 +00:00
David Garske 842b9a3709 Merge pull request #8433 from julek-wolfssl/dtls-cid-negative-tests
Update DTLS CID Tests and Reorganize Test Utilities
2025-02-14 11:26:57 -08:00
David Garske 29f2767b88 Merge pull request #8441 from philljj/wolfio_comments
wolfio: comment ifdef endif blocks.
2025-02-14 08:55:31 -08:00
David Garske 3075e57207 Whitespace and filename comment. 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz 7380ec68bb cmake.yml: fix error and run tests with ctest 2025-02-14 09:51:29 -06:00
jordan f2bb063ca4 wolfio: peer review comment cleanup. 2025-02-14 08:36:26 -05:00
Daniel Pouzzner 60c1558142 Merge pull request #8447 from dgarske/memleak
Fixed possible memory leaks
2025-02-14 00:26:09 -06:00
Colton Willey e197cdfb36 Fix memory leak in X509 STORE 2025-02-13 14:49:18 -08:00
David Garske f943f6ff5c Fixed possible memory leaks reported by nielsdos in PR 8415 and 8414. 2025-02-13 08:20:37 -08:00
David Garske 846ba43a29 Merge pull request #8392 from SparkiDev/curve25519_blinding
Curve25519: add blinding when using private key
2025-02-12 16:20:51 -08:00
Sean Parkinson 365aac0306 Merge pull request #8393 from anhu/draft-tls-westerbaan-mldsa
New codepoint for MLDSA
2025-02-13 10:20:30 +10:00
Sean Parkinson bb84ebfd7a Curve25519: add blinding when using private key
XOR in random value to scalar and perform special scalar multiplication.
Multiply x3 and z3 by random value to randomize co-ordinates.

Add new APIs to support passing in an RNG.
Old APIs create a new RNG.

Only needed for the C implementations that are not small.

Modified TLS and OpenSSL compat API implementations to pass in RNG.

Fixed tests and benchmark program to pass in RNG.
2025-02-13 08:52:35 +10:00
Anthony Hu aa59eab732 More minor mods. Now interops with oqs-provider. 2025-02-12 17:17:22 -05:00
jordan 9dfcc6a477 wolfio: comment ifdef endif blocks. 2025-02-12 09:51:51 -05:00
Sean Parkinson bcd89b0592 Merge pull request #8388 from julek-wolfssl/BN_CTX_get
Implement BN_CTX_get
2025-02-12 08:08:58 +10:00
David Garske be5f203274 Merge pull request #8425 from philljj/ecdsa_mldsa_test_api
dual alg: add ML-DSA test, and misc cleanup.
2025-02-10 15:05:44 -08:00
jordan 557e43bcd7 dual alg: peer review cleanup, and more function comments. 2025-02-10 10:08:35 -05:00
jordan 937d6d404a dual alg: clean up comments and line lengths. 2025-02-07 09:22:16 -05:00
Daniel Pouzzner 1e17d737c8 "#undef _WINSOCKAPI_" after defining it to "block inclusion of winsock.h header file", to fix #warning in /usr/x86_64-w64-mingw32/usr/include/winsock2.h. 2025-02-06 18:41:20 -06:00
Sean Parkinson ae8b8c4164 Read DER BIO: fix for when BIO data is less than seq buffer size
wolfssl_read_der_bio did not not handle the length to be read from the
BIO being less than the size of the sequence buffer.
2025-02-07 08:46:49 +10:00
jordan 035d4022fb dual alg: add ML-DSA test, and misc cleanup. 2025-02-06 15:50:37 -05:00
David Garske 60c5a0ac7f Peer review feedback. Thank you @jmalak 2025-02-04 14:32:24 -08:00
David Garske 345c969164 Fixes for Watcom compiler and new CI test
* Correct cmake script to support Open Watcom toolchain (#8167)
* Fix thread start callback prototype for Open Watcom toolchain (#8175)
* Added GitHub CI action for Windows/Linux/OS2
* Improvements for C89 compliance.
Thank you @jmalak for your contributions.
2025-02-04 12:38:52 -08:00
Daniel Pouzzner b466bde5d0 src/internal.c and src/ssl.c: in CheckcipherList() and ParseCipherList(), refactor "while (next++)" to "while (next)" to avoid clang21 UndefinedBehaviorSanitizer "applying non-zero offset 1 to null pointer". 2025-02-04 12:07:29 -06:00
Juliusz Sosinowicz 8b7b9636aa Remove BN_CTX_init as its no longer in OpenSSL for a long time 2025-02-04 16:37:21 +01:00
Juliusz Sosinowicz 91bffeead3 wolfSSL_BN_CTX_get: prepend to list skipping need to traverse the list 2025-02-04 16:37:21 +01:00
Juliusz Sosinowicz 841d13e81c Implement BN_CTX_get 2025-02-04 16:37:21 +01:00
Sean Parkinson 92491e6368 TLS 1.3 HRR KeyShare: Improve comments
HelloRetryRequest has the key exchange group it wants to use.
A KeyShare for that group must not have been in the ClientHello.
2025-02-04 10:16:27 +10:00
Sean Parkinson eb15a1213c Merge pull request #8416 from embhorn/zd19323
Clear old ssl->error after retry
2025-02-04 08:54:10 +10:00
Eric Blankenhorn e9892c22a2 Clear old ssl->error after retry 2025-02-03 14:18:09 -06:00
Eric Blankenhorn b488af1d34 Fix compat layer ASN1_TIME_diff to accept NULL output params 2025-01-31 15:55:35 -06:00
Sean Parkinson 3f47963802 Merge pull request #8396 from douzzer/20250129-CT-tweaks
20250129-CT-tweaks
2025-01-31 09:10:22 +10:00