1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.
2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.
3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.
4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".
5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
WOLFSSL_FAILURE is 0, which equals X509_V_OK, so a NULL ssl was
indistinguishable from successful verification under the standard
"SSL_get_verify_result(ssl) \!= X509_V_OK" idiom. Return
WOLFSSL_X509_V_ERR_APPLICATION_VERIFICATION (50, matching the OpenSSL
compat value) instead, and add it to the X509 verify-error enum.
* don't disable URI validation when defined(WOLFSSL_FPKI).
* return immediately with ASN_ALT_NAME_E when URI contains an unexpected '/', as in asn_orig.c DecodeAltNames(), fixing OOB read defect.
wolfcrypt/src/asn_orig.c: fix URI validation gating (ignore WOLFSSL_FPKI) in DecodeAltNames().
tests/api/test_certman.c: fix uriSan in test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match() (make it a URI).
tests/api.c: align gating in test_wolfSSL_URI() with new dynamics (URIs validated regardless of defined(WOLFSSL_FPKI)).
authorized any responder issued by an ancestor of the target's issuer;
RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
request.
- Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
- Drop now-unused vp parameter from CheckOcspResponder() and the
OcspRespCheck() helper; cascade through template and non-template
paths.
OCSP test blobs:
- Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
- Add resp_server1_cert_ancestor_responder for the negative test.
- Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
runs under NO_FILESYSTEM; matching entry added to
create_ocsp_test_blobs.py.
- Regenerate response[] in test_certman.c with intermediate1-ca as
signer; recipe switched from Wireshark export to openssl -respout
+ xxd -i for reproducibility.
- Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
serial byte actually flips (^= 0xFF).
Live OCSP coverage:
- Add ocsp-responder-int1 (delegated responder issued directly by
intermediate1-ca, with id-kp-OCSPSigning EKU) for the
responder->intermediate->root chain.
- scripts/ocsp-stapling.test: intermediate1 responder switched to
ocsp-responder-int1 (delegated path).
- scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
intermediate2 and intermediate3 sign their OCSP responses with
their own CA keys (CA-direct path); root block unchanged
(ocsp-responder-cert is still RFC-compliant for root-issued certs).
- .github/workflows/ocsp.yml: server1 OCSP responder switched to
ocsp-responder-int1 to match the cert chain.
- New test_ocsp_ancestor_responder_rejected confirms the
ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
1. BasicConstraints pathLenConstraint absent vs. 0 —
get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0
per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag.
2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value
normalization so the directory name is actually printed (was emitting
only DirName:).
3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI
cases, avoiding NULL-strData deref and NUL-truncation.
4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL.
5. X509_print Extended Key Usage — print Any Extended Key Usage (was
omitted).
6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after
ownership transfers to dp, so an error from the next push doesn't free
it twice.
7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to
the allocation; was truncating at indent==1 and failing at indent>=2.
8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check
i2s_ASN1_STRING return before passing to %s.
9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY;
only the ASN1_STRING*-backed types are read via gn->d.ia5. Was
performing a wild-pointer XMEMCPY in add_altname_ex.
Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into
static helpers (behavior-preserving).
Regression tests added for #1–5 and #9; existing GENERAL_NAME_print test
hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB
read that the print fix would otherwise expose).
Move out DTLS 1.3 specific tests into test_dtls13.c. (Also move out from
test_dtls.c)
Move out DTLS tests into test_dtls.c.
Move out LMS and XMSS tests into test_lms_xmss.c.
Move out SSL session tests into test_session.c.
Move out remaining ML-DSA/Dilithium tests in api.c into test_mldsa.c.
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback
to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.
wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.
crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.
Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.
Add wc_swdev support for SHA-256 for testing.
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.
Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server. Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:
- ecc_mulmod_test (wolfcrypt/test/test.c)
- test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing. The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.
A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.
wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.
Enable via --enable-swdev (requires --enable-cryptocb).
Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.