Commit Graph

28649 Commits

Author SHA1 Message Date
Marco Oliverio b30e0f679c bio: update stale comment 2026-04-10 08:50:30 +02:00
Marco Oliverio 6b74ae5fc5 bio: simplify BIO_gets null-termination, improve ossl compat 2026-04-09 15:18:22 +02:00
Marco Oliverio 5107613025 bio: add tests 2026-04-08 18:49:40 +02:00
Marco Oliverio c07d8634b3 bio: ABI breaking change: use int instead of byte for type 2026-04-08 18:49:40 +02:00
Marco Oliverio 7802a75acd bio: various fixes and improvements
* simplify wolfSSL_BIO_set_conn_hostname, fixing OOB read
* restructure wolfSSL_BIO_ctrl_pending, fixing inverted check and
* ctrlCB checking
* return WOLFSSL_FAILURE in wolfSSL_BIO_up_ref when refInc fails,
  updated test to reflect this
* check arguments for NULL in wolfSSL_BIO_ADDR_size
* replace non-portable type long usigned int with size_t
* wolfSSL_BIO_MEMORY_write: return WOLFSSL_BIO_ERROR on failure instead
  of WOLFSSL_FAILURE, return 0 when len is 0
* wolfSSL_BIO_get_fp: fix type mismatch comparing XFILE* pointer against
  XBADFILE
* wolfSSL_BIO_ctrl: add NULL check on bio before switch
* wolfSSL_BIO_pop: clear bio prev and next pointers after unlinking
* wolfSSL_BIO_gets: place null terminator after actual bytes read from
  BIO_BIO nread
2026-04-08 18:49:40 +02:00
Daniel Pouzzner 750f3b119e Merge pull request #10088 from anhu/new_various
Various security fixes and tests
2026-04-07 22:13:18 -05:00
JacobBarthelmeh 4fd0df42e7 add adjustment for review 2026-04-07 21:08:11 -06:00
JacobBarthelmeh 9a79c412a5 Merge pull request #10154 from douzzer/20260407-fips-ready-WC_FIPS_186_4
20260407-fips-ready-WC_FIPS_186_4
2026-04-07 16:46:16 -06:00
JacobBarthelmeh 7f84fb2624 Merge pull request #10152 from douzzer/20260407-BLAKE-gating
20260407-BLAKE-gating
2026-04-07 16:18:09 -06:00
JacobBarthelmeh d1c6423b82 make the padding check constant time and move evp exponent print size macro to local file 2026-04-07 16:09:52 -06:00
JacobBarthelmeh ecfd1174bb refactor sanity pointer set of session and clean up macro guards 2026-04-07 14:10:25 -06:00
Daniel Pouzzner 5fa8b1535a wolfssl/wolfcrypt/settings.h: for fips-ready, set WC_FIPS_186_4, not _5, to match v5/v6. 2026-04-07 14:35:15 -05:00
Daniel Pouzzner 60d1e222b2 globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
JacobBarthelmeh ad1cc4e87f adjust test case return value check after rebase 2026-04-07 10:26:16 -06:00
Paul Adelsbach c335f7dd6f Remove UTF-8 chars
Get rid of weird character

Fix warning found by CI

Style changes

Addressed 1 and 2.
2026-04-07 10:07:12 -06:00
Anthony Hu 2e32094545 Add regression tests for fixes 2026-04-07 10:05:56 -06:00
Anthony Hu 5bd5f36dff Fix RSA exponent printing (ZD 21426)
Increase buff size from 8 to 24 bytes in PrintPubKeyRSA and related
EVP PKEY print functions.
2026-04-07 10:05:48 -06:00
Anthony Hu 985cceaa97 Fix session cache restore dangling pointer (ZD 21423)
Reinitialize pointer fields in WOLFSSL_SESSION after raw XMEMCPY or
XFREAD in wolfSSL_memrestore_session_cache and
wolfSSL_restore_session_cache. After restore, ticket is reset to
staticTicket, ticketLenAlloc to 0, and peer to NULL.
2026-04-07 10:05:31 -06:00
Anthony Hu c563f3932a Fix PKCS7 CBC padding oracle in EnvelopedData and EncryptedData (ZD 21422)
Replace single last-byte padding check with full PKCS#5/PKCS#7
validation: verify padLen is non-zero and within block size.
Both wc_PKCS7_DecodeEnvelopedData and wc_PKCS7_DecodeEncryptedData
paths are fixed.
2026-04-07 10:05:21 -06:00
Anthony Hu d14b506c51 Fix Dilithium with USE_INTEL_SPEEDUP (ZD 21417)
Add check before word32 addition in dilithium_hash256() that
could wrap to zero, bypassing the size check.
Also reject absurdly large msgLen (> UINT32_MAX/2) in
wc_dilithium_verify_ctx_msg.
2026-04-07 10:04:41 -06:00
Anthony Hu b3278af8dc Fix wc_*_delete() functions (ZD 21415)
Save key->heap before calling wc_*_free(), which zeros the entire key
structure via ForceZero. The saved heap pointer is then passed to XFREE
instead of the now-zeroed key->heap.
2026-04-07 10:04:35 -06:00
Anthony Hu e0421828ff Fix TLS 1.3 PQC key share over heap read (ZD 21413)
Validate that the received key share data length (keLen) is at least
as large as the expected ciphertext size (ctSz) before passing it to
wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a
short ML-KEM key share.
2026-04-07 10:04:19 -06:00
JacobBarthelmeh 7aac9e5766 Merge pull request #10139 from philljj/fix_nightly_mem
Fix nightly mem
2026-04-07 09:08:01 -06:00
philljj b5874a6d9e Merge pull request #10132 from douzzer/20260404-default_rng_bank
20260404-default_rng_bank
2026-04-06 22:54:20 -05:00
Daniel Pouzzner efe6ad4bd6 Merge pull request #10116 from Frauschi/zd21457
Additional fixes
2026-04-06 20:23:25 -05:00
Daniel Pouzzner 9347c895fc Merge pull request #10133 from Frauschi/ecc_curve_validation
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner ede15b4ff4 Merge pull request #10137 from JacobBarthelmeh/acert
fix for acert builds
2026-04-06 19:17:48 -05:00
Daniel Pouzzner 32502e9963 Merge pull request #10102 from Frauschi/zd21460
Various fixes
2026-04-06 18:41:31 -05:00
Daniel Pouzzner 995092362f Merge pull request #10126 from julek-wolfssl/fenrir/20260302
Fenrir fixes
2026-04-06 18:40:11 -05:00
Daniel Pouzzner 0afd9f8819 Merge pull request #10127 from rlm2002/coverity
Coverity change 03042026
2026-04-06 18:24:22 -05:00
Daniel Pouzzner 4924402051 Merge pull request #10125 from kareem-wolfssl/zd21521
Add sz check to ChachaAEADDecrypt to prevent potential underflow.
2026-04-06 18:23:25 -05:00
Daniel Pouzzner 53a3d23ce6 Merge pull request #10131 from douzzer/20260403-WC_FIPS_186
20260403-WC_FIPS_186

approved by @JacobBarthelmeh, @Frauschi, and @dgarske.
2026-04-06 18:22:27 -05:00
Daniel Pouzzner 1d6f295113 wolfssl/wolfcrypt/md2.h and wolfssl/wolfcrypt/md4.h: fix stray commas in compat #defines. 2026-04-06 18:09:48 -05:00
Tobias Frauenschläger e32e926f4e evp: fix EVP_PKEY2PKCS8 returning NULL for private-key-only EC keys
When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.

ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr.  After commit 929dd9913 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.

Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated).  This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.
2026-04-06 21:18:32 +02:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
Daniel Pouzzner 31d0fcef81 wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h: add new wc_rng_bank_default facility:
* wc_rng_bank_default_set()
  * wc_rng_bank_default_checkout()
  * wc_rng_bank_default_checkin()
  * wc_rng_bank_default_clear()

  * Added additional argument error checking to existing APIs, with a new
    rng_inst_matches_bank() helper function.

  * Implemented feature gates WC_RNG_BANK_DEFAULT_SUPPORT and
    WC_RNG_BANK_NO_DEFAULT_SUPPORT.  When WC_RNG_BANK_DEFAULT_SUPPORT, the new
    APIs are available, and a NULL bank passed to APIs implicitly refers to the
    default bank.

wolfcrypt/test/test.c: in random_bank_test() add comprehensive smoke test coverage of new APIs and argument checking.

wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c:

  * Add wolfSSL_RefInc2(), wolfSSL_RefDec2(), wolfSSL_RefWithMutexInc2(), and
    wolfSSL_RefWithMutexDec2(), returning the atomically determined new count in
    the second arg;

  * Fix type of second arg in the fallback definition of
    wolfSSL_Atomic_Ptr_CompareExchange().

linuxkm/lkcapi_sha_glue.c:

  Refactor the _REGISTER_HASH_DRBG / _REGISTER_HASH_DRBG_DEFAULT facility around
  the new wc_rng_bank_default facility, eliminating post-init use of
  kernel-native crypto_default_rng, crypto_get_default_rng(), and
  crypto_put_default_rng(), and eliminating all use on kernel 7.1+ (where these
  will become unexported kernel-native statics).  With the refactor, the
  LINUXKM_DRBG_GET_RANDOM_BYTES facility uses only direct native wolfCrypt
  objects and calls to fulfill requests.

wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, wolfcrypt/test/test.c, tests/api.c: add WC_SUCCESS = 0 "wolfCrypt generic success".
2026-04-06 14:06:20 -05:00
jordan 01689b837f tests api: use XFREE instead of free in dual_alg tests. 2026-04-06 14:00:08 -05:00
jordan f48fd9595d test_pkcs7: use XFREE instead of free. 2026-04-06 13:53:11 -05:00
JacobBarthelmeh f6b022883f fix for acert builds 2026-04-06 11:17:01 -06:00
Daniel Pouzzner 1cd8edb3ec Merge pull request #10134 from JacobBarthelmeh/openvpn
pin OpenVPN version until BN_bn2binpad is added
2026-04-06 11:52:02 -05:00
JacobBarthelmeh eddea3884a pin OpenVPN version until BN_bn2binpad is added 2026-04-06 09:22:28 -06:00
Daniel Pouzzner abce5be989 wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:
* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>
2026-04-06 00:53:57 -05:00
Tobias Frauenschläger 580cbe29da Fix stack buffer overflow in wc_PKCS7_DecryptOri
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:24 +02:00
Tobias Frauenschläger 1de4020fe4 Respect outputSz in PKCS7 decode methods
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:24 +02:00
Tobias Frauenschläger 2237297cea Properly reject Ed448 identity public key
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:42:18 +02:00
Tobias Frauenschläger cece804621 Cap DTLS1.3 max ACK records to prevent overflow
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Tobias Frauenschläger 50f28d907e fix for wc_DhAgree public key validation
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Daniel Pouzzner 0c9b6397be Merge pull request #10103 from gasbytes/fix-dtls13-oversized-cert-chain
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains
2026-04-03 11:55:03 -05:00
Juliusz Sosinowicz e443ef0304 Use InetPtonA for XINET_PTON macro on Windows
Explicitly call the ANSI version of the InetPton function to avoid an incorrect cast to PCWSTR when the input string is a standard character pointer.
2026-04-03 15:25:14 +02:00
Reda Chouk 1653ecd07e Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains 2026-04-03 12:10:42 +02:00