Commit Graph

9875 Commits

Author SHA1 Message Date
David Garske d56fa7972d Merge pull request #10639 from julek-wolfssl/fix-current-cipher-kx-nid
Fix cipher property NIDs for SSL_get_current_cipher and add PSK kx mapping
2026-06-10 14:50:02 -07:00
David Garske fdfb0a9fe7 Merge pull request #10627 from julek-wolfssl/fenrir-fixes-20260601-dtls13-recv-epoch
F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side
2026-06-10 10:06:26 -07:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00
Tobias Frauenschläger 11270fc465 Check for EC_PF_UNCOMPRESSED in TLS 1.2 ClientHello
Fixes F-4892
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger e407dba23b Improve supported_groups handling
Fixes F-4891
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger 09b288000c Size cert signature buffers from the key and check sig type vs key
MAX_ENCODED_SIG_SZ grows to ~50KB once SLH-DSA is enabled, yet it was
used to size PKCS#1/signature scratch and output buffers across the
library, wasting stack and heap even for classic RSA/ECC operations.

- Add MAX_ENCODED_CLASSIC_SIG_SZ for RSA/DSA/ECC DigestInfo buffers that
  can never hold a PQC signature.
- Size the certificate/CSR signing output buffer from the signing key at
  runtime instead of the worst-case macro.
- Add overridable WOLFSSL_MAX_SIG_SZ for the WOLFSSL_NO_MALLOC buffer.
- Reject a signature type that does not match the signing key.
2026-06-10 10:51:41 +02:00
Tobias Frauenschläger e05a453944 Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.

Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
2026-06-10 10:51:33 +02:00
Sean Parkinson 359e688dc3 ssl.c: Move functions out to own files and add testing
ssl_api_pk.c: added Public-key APIs (min/max key sizes, DH key test,
signature NIDs, tmp ecdh). Reworked code of new functions.
ssl_api_cert.c: added more SSL Certificate APIs. Reworked code of new
functions.
ssl_api_ext.c: TLS extension APIs (session tickets, max fragment,
groups, etc.). Reworked code.
ssl_api_dtls.c: DTLS APIs (cookie secret, etc.)

Improved test coverage for functions moved.
2026-06-10 09:11:59 +10:00
David Garske 4f09916e7e Merge pull request #10443 from anhu/protonamelist
Enforce only 1 protocolname in serverhello
2026-06-09 15:42:02 -07:00
Juliusz Sosinowicz 6853bf1d93 F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side
RFC 9147 Section 8's 2^48-1 epoch ceiling is a sender-only rule; the same
paragraph says receiving implementations MUST NOT enforce it. The KeyUpdate
receive path was rejecting a peer epoch that crossed 2^48-1, violating that.
Guard only the genuine wrap-to-zero (Section 4.2.1) and let the receiving
epoch advance past 2^48-1. The sender-side gates are unchanged.
2026-06-10 00:26:00 +02:00
David Garske 358ae9a559 Merge pull request #10249 from ColtonWilley/pr15-tls-config-bounds
Add negative-count and NULL checks to group-setting and shared-cipher APIs
2026-06-09 14:40:16 -07:00
David Garske e2d3b63139 Merge pull request #10207 from ColtonWilley/d2i_pem_negative_length
Add signed-length validation to d2i, PEM, and buffer-load APIs
2026-06-08 15:42:00 -07:00
David Garske dbf72c4f00 Merge pull request #10601 from kareem-wolfssl/f3772
Fenrir fixes
2026-06-08 15:23:05 -07:00
Colton Willey 41c09a734c Address review cleanups 2026-06-08 15:10:51 -07:00
David Garske c9cb0ef033 Merge pull request #10212 from ColtonWilley/fix-skid-overflow-and-null-checks
Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
2026-06-08 15:01:14 -07:00
Daniel Pouzzner f3ab345d1c Merge pull request #10553 from julek-wolfssl/tls-12-mutual-auth
Allow RSA client certs on ECDHE-ECDSA mutual auth
2026-06-08 15:21:29 -05:00
Daniel Pouzzner e51317261d Merge pull request #10630 from yosuke-wolfssl/fix/f_4890
Fix odd-length CertificateRequest signature_algorithms acceptance
2026-06-08 15:21:02 -05:00
Daniel Pouzzner 1943a6f33a Merge pull request #10550 from rizlik/sha512_only
add support for WOLF_CRYPTO_CB_ONLY_SHA512
2026-06-08 15:20:08 -05:00
Colton Willey af0db53e86 Fix negative count and NULL pointer checks in group-setting and shared cipher APIs
Add count < 0 validation to wolfSSL_CTX_set_groups and wolfSSL_set_groups
(src/tls.c) to prevent negative count from bypassing the upper-bound check
and corrupting numGroups via byte truncation.

Widen count == 0 to count <= 0 and add NULL groups check in
wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (src/ssl.c).

Add NULL buf and NULL cipher checks in wolfSSL_get_shared_ciphers to
prevent NULL pointer dereference.
2026-06-08 12:40:46 -07:00
Juliusz Sosinowicz 921cf5dc20 Simplify GetCipherSegment offset lookup and trim comments 2026-06-08 18:12:05 +00:00
Juliusz Sosinowicz 94bed7e7c2 Fix cipher property NIDs for SSL_get_current_cipher and add PSK kx mapping
The cipher property helpers (SSL_CIPHER_get_kx_nid / get_auth_nid /
get_cipher_nid / get_digest_nid / is_aead) parse the cipher name looked
up via cipher->offset in GetCipherSegment(). That offset is only
populated when the cipher is obtained through wolfSSL_get_ciphers_compat()
(SSL_get_ciphers()). When the cipher comes from SSL_get_current_cipher(),
offset is left at 0, so these helpers parsed cipher_names[0] (a TLS 1.3
suite) instead of the negotiated cipher - e.g. returning NID_kx_any for a
plain PSK suite while SSL_CIPHER_get_name() (which uses the suite bytes)
reported the correct name.

Resolve the cipher_names entry from the always-populated suite bytes in
GetCipherSegment(), falling back to cipher->offset when no match is found.

Also add the missing plain "PSK" -> NID_kx_psk entry to the kx lookup
table so PSK suites report NID_kx_psk instead of NID_undef.

Add a regression test that drives the SSL_get_current_cipher() path for
TLS_PSK_WITH_AES_128_GCM_SHA256 and checks all five property helpers.
2026-06-08 18:12:05 +00:00
Kareem 147c808562 Change no_renegotiation alert to warning level to match RFC 5246 7.2.2.
Fixes F-4113.
2026-06-08 10:29:10 -07:00
Juliusz Sosinowicz fdda31b5c3 Allow RSA client certs on ECDHE-ECDSA mutual auth
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.

Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:

  GetServerCertReqCertTypes    - certificate_types to emit
  GetServerCertReqHashSigAlgo  - signature_algorithms to emit
  InServerCertReqHashSigAlgo   - membership check used for verification

The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.

Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.

Add two end-to-end mutual-auth tests covering both directions:

  test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
  test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA  server, ECDSA client

Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.

TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.
2026-06-08 15:10:27 +02:00
Yosuke Shimizu a6f69ec09c Fix odd-length CertificateRequest signature_algorithms acceptance 2026-06-08 11:33:50 +09:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 02d08790af Merge pull request #10575 from julek-wolfssl/fenrir-fixes-20260601
Fenrir: TLS/DTLS conformance and crypto hardening fixes
2026-06-05 16:26:05 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner 97095d209a Merge pull request #10561 from sebastian-carpenter/tls-ech-send-on-rejection
Enhancement: Stand out less with ECH or GREASE ECH
2026-06-05 16:23:41 -05:00
Daniel Pouzzner 3012154367 Merge pull request #10259 from sebastian-carpenter/tls-ech-keylog
TLS ECH keylogging
2026-06-05 16:22:11 -05:00
Daniel Pouzzner fe77e37025 Merge pull request #10476 from julek-wolfssl/cache-overhead
Cache AEAD record overhead on WOLFSSL
2026-06-05 16:20:15 -05:00
Daniel Pouzzner c99567c96d Merge pull request #10596 from SparkiDev/regression_fixes_24
Regression testing fixes
2026-06-05 13:37:56 -05:00
Daniel Pouzzner f8f1e932a5 Merge pull request #10534 from SparkiDev/tls13_psk_id_fix
TLSv1.3 PSK binders: always use id protection
2026-06-05 12:36:00 -05:00
Daniel Pouzzner 2d186b378a Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc
TLS 1.3 plaintext alert: ignore before seeing encrypted
2026-06-05 11:12:47 -05:00
Daniel Pouzzner 4bf2d52780 Merge pull request #10571 from Frauschi/mlkem_rename
Migrate internal ML-KEM consumers to canonical wc_MlKemKey API
2026-06-05 11:00:44 -05:00
Daniel Pouzzner d80785bb07 Merge pull request #10583 from Frauschi/zephyr_patch
Fixes for Zephyr secure sockets integration
2026-06-05 10:06:23 -05:00
Sean Parkinson b0757c1cb7 TLS 1.3 plaintext alert: ignore before seeing encrypted
Change to ignore plaintext alerts when
WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined only until first
encrypted message from peer is seen.

Negative testing added.
2026-06-05 12:35:04 +10:00
Sean Parkinson 0796519a99 More regression testing fixes
Leak fixes: free existing ssl->buffers.key before overwriting in SetSSL_CTX() (internal.c) and wolfSSL_set_SSL_CTX() (ssl.c)

UAF fix: wc_CheckRsaKey() — mp_memzero_check(tmp) moved before the free (rsa.c)

Build guards: #ifndef NO_ED25519/ED448_VERIFY around forged-sig test data (test_ed25519/ed448.c); guard equal()/cmov() for verify-only builds (ge_operations.c); guard unused pointers under WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC (wc_mldsa.c)

Test cleanups (test.c): fix UB from out-of-range enum in hash_test(), always free AES dec object, fix der buffer declaration under small-stack builds
2026-06-05 11:30:53 +10:00
Sean Parkinson 089f1f7c91 TLSv1.3 PSK binders: always use id protection
Removed WOLFSSL_PSK_ID_PROTECTION from use as it is now on by default.
Always check whether the server has a certificate (not a CA chain).
If there is a certificate then continue, otherwise, report a binder
error.

Added test to ensure binder error returned and alert sent when no
NO_CERT. test_tls13_bad_psk_binder already tested no certificate.

Allowed memio test harness to be built when NO_CERT is defined.
2026-06-05 11:16:48 +10:00
Marco Oliverio 0314b3fed2 cryptocb: support WOLF_CRYPTO_CB_ONLY_SHA512 2026-06-04 20:21:50 +02:00
Colton Willey 368e1486f6 Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
- src/x509.c: Guard wolfSSL_X509_get_der against derCert->length > INT_MAX, and reject derSz <= 0 in wolfSSL_i2d_X509.
- tests/api/test_ossl_x509_io.{c,h}: Add API coverage for the X509 DER length guards.
2026-06-04 10:38:37 -07:00
Sean Parkinson 26a2b793dc Regression testing fixes
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.

2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.

3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.

4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".

5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
2026-06-04 18:29:24 +10:00
Daniel Pouzzner 35329296e8 Merge pull request #10554 from gasbytes/ocsp-certid-serial-number-fix
OCSP_resp_find_status to require exact serial-length match
2026-06-03 22:49:31 -05:00
Daniel Pouzzner 12e7a1d5c3 Merge pull request #10548 from SparkiDev/x509_fixups_1
X509 API: fix issues
2026-06-03 22:48:19 -05:00
Daniel Pouzzner 590a367d16 Merge pull request #10576 from holtrop-wolfssl/zd21906
Fix user buffer overrun from wolfSSL_get_finished/wolfSSL_get_peer_finished
2026-06-03 20:48:03 -05:00
David Garske 3bc1575e12 Merge pull request #9852 from SparkiDev/ppc64_asm_aes
PPC64 ASM: AES-ECB/CBC/CTR/GCM
2026-06-03 16:30:12 -07:00
Tobias Frauenschläger 00a899e9a3 Fixes for Zephyr secure sockets integration 2026-06-03 14:04:19 +02:00
Juliusz Sosinowicz da719da30c F-4591: fix right-justification of short DH shared secret
The constant-time path of _DH_compute_key (DH_compute_key_padded) had
the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the
length instead of keySz, overwriting the secret with junk when keySz <
padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom
used in tls.c/sniffer.c.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 108b120d7f F-5632: zeroize Camellia key schedule on cipher free
FreeCiphersSide freed cipher->cam with XFREE only, leaving the expanded
key schedule and IV in freed heap memory. Call wc_CamelliaFree (which
ForceZeros the context) before XFREE, matching the ARIA cleanup above.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 118d3a8226 F-5583: evict oldest DTLS 1.3 epoch slot, not the last eligible one
Dtls13NewEpochSlot never updated oldestNumber after picking a candidate,
so every eligible epoch compared "older" than the sentinel and the last
eligible slot was returned instead of the lowest epoch number. Update
oldestNumber alongside oldest so the true minimum is evicted.
2026-06-03 13:01:19 +02:00
Juliusz Sosinowicz 289a2670f4 F-5591: reject negative group count in group setters
wolfSSL_CTX_set_groups/wolfSSL_set_groups only rejected counts above
WOLFSSL_MAX_GROUP_COUNT; a negative count skipped the copy loop and was
cast to byte (e.g. 255) into numGroups, which InitSSL later trusts for a
fixed-size copy. Reject count <= 0 in both, and in the set1_groups
OpenSSL-compat wrappers.
2026-06-03 13:01:19 +02:00