* don't disable URI validation when defined(WOLFSSL_FPKI).
* return immediately with ASN_ALT_NAME_E when URI contains an unexpected '/', as in asn_orig.c DecodeAltNames(), fixing OOB read defect.
wolfcrypt/src/asn_orig.c: fix URI validation gating (ignore WOLFSSL_FPKI) in DecodeAltNames().
tests/api/test_certman.c: fix uriSan in test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match() (make it a URI).
tests/api.c: align gating in test_wolfSSL_URI() with new dynamics (URIs validated regardless of defined(WOLFSSL_FPKI)).
1. BasicConstraints pathLenConstraint absent vs. 0 —
get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0
per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag.
2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value
normalization so the directory name is actually printed (was emitting
only DirName:).
3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI
cases, avoiding NULL-strData deref and NUL-truncation.
4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL.
5. X509_print Extended Key Usage — print Any Extended Key Usage (was
omitted).
6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after
ownership transfers to dp, so an error from the next push doesn't free
it twice.
7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to
the allocation; was truncating at indent==1 and failing at indent>=2.
8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check
i2s_ASN1_STRING return before passing to %s.
9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY;
only the ASN1_STRING*-backed types are read via gn->d.ia5. Was
performing a wild-pointer XMEMCPY in add_altname_ex.
Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into
static helpers (behavior-preserving).
Regression tests added for #1–5 and #9; existing GENERAL_NAME_print test
hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB
read that the print fix would otherwise expose).
Move out DTLS 1.3 specific tests into test_dtls13.c. (Also move out from
test_dtls.c)
Move out DTLS tests into test_dtls.c.
Move out LMS and XMSS tests into test_lms_xmss.c.
Move out SSL session tests into test_session.c.
Move out remaining ML-DSA/Dilithium tests in api.c into test_mldsa.c.
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback
to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.
wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.
crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.
Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.
Add wc_swdev support for SHA-256 for testing.
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.
Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server. Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:
- ecc_mulmod_test (wolfcrypt/test/test.c)
- test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing. The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.
A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.
wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.
Enable via --enable-swdev (requires --enable-cryptocb).
Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default valus.
Allow signing of empty message.
Other minor fixes.
Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();
wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.
asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
(1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
"AlgorithmIdentifier omits NULL parameters" since PQC algos were
added, and HSS/LMS + XMSS only made the original name more
misleading.
wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
4-byte OID prefix at the start of the raw public key, taking an
is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
u32str(L) || lmsType || lmOtsType when key->params is NULL; this
also fixes a latent NULL-deref when the legacy precondition was
violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
matching wc_LmsKey_Verify and the documented contract of using
wc_XmssKey_GetSigLen for the buffer size.
tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
every supported parameter set, plus CA->leaf chains per family
and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
signature bytes, exercise the wolfCrypt-level negative paths
(NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
mismatch, partial-write invariants, lenient VERIFYONLY re-import,
strict sigLen check) and confirm the outer signatureAlgorithm
OID is rejected when it disagrees with the SPKI in both
XMSS<->XMSS^MT directions.