Commit Graph

29664 Commits

Author SHA1 Message Date
David Garske d982aa27cc Merge pull request #10467 from JacobBarthelmeh/static_analysis_2
Xilinx/AMD port fixes for sanity checks on return values and psoc6 sanity check on input arg
2026-05-17 22:22:12 -07:00
David Garske 0055eb5e82 Merge pull request #10459 from JacobBarthelmeh/caam
fix for CAAM build
2026-05-17 22:22:05 -07:00
David Garske e7f5c99115 Merge pull request #10398 from julek-wolfssl/fenrir/20260430
Fenrir fixes
2026-05-17 22:21:06 -07:00
David Garske 156c088f3c Merge pull request #10475 from julek-wolfssl/ci-apt-cache
ci: switch direct apt usage to install-apt-deps action
2026-05-17 22:19:43 -07:00
David Garske e0f1ae2af8 Merge pull request #10477 from Frauschi/arduino
Improve Arduino CI test
2026-05-17 22:19:31 -07:00
David Garske 460a87119e Merge pull request #10351 from rizlik/cryptocbonly
CRYPTOCB_ONLY: add test infra + SHA256 + AES
2026-05-14 10:37:39 -07:00
David Garske d0073d9e5c Merge pull request #10326 from sebastian-carpenter/tls-ech-maxnamelen
Add maximum_name_length to TLS ECH padding
2026-05-14 09:15:38 -07:00
Daniel Pouzzner 00fe73b2ca Merge pull request #10484 from SparkiDev/arm32_neon_chacha20_align_fix
ARM32 NEON ChaCha20: alignment fix
2026-05-14 08:54:09 -05:00
Juliusz Sosinowicz fd91f681e5 Fail closed in CheckOcspRequest when ocspCheckAll and no URL
CheckOcspRequest used to return CERT_GOOD whenever a certificate
lacked an AIA extension and no override URL was configured, with
the rationale 'Cert has no OCSP URL, assuming CERT_GOOD'. That is
a fail-open soft-fail: an operator who turned on
WOLFSSL_OCSP_CHECKALL expecting every certificate in the chain to
be revocation-checked would still silently accept a certificate
that omits its OCSP responder URL, letting a misconfigured (or
attacker-controlled) issuer bypass revocation for non-stapled
flows.

Gate the fail-open path on cm->ocspCheckAll. When the caller has
asked for full-chain OCSP checking, return OCSP_NEED_URL so the
chain is refused. The legacy behavior is preserved when
ocspCheckAll is not set, keeping the soft-fail default for plain
WOLFSSL_OCSP_ENABLE users.

F-3227
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz ed4f4ce826 Document SNI per-host policy gap in wolfSSL_set_SSL_CTX
wolfSSL_set_SSL_CTX is the OpenSSL-compatible entry point that an
SNI callback uses to swap in the per-vhost certificate during the
handshake. By design it only copies the certificate chain and
private key from the new CTX. Verification settings, the trusted
CA store, CRL/OCSP configuration, minimum key-size requirements,
and cipher/version policy stay attached to the original CTX. For
multi-tenant servers where each virtual host has its own security
policy, that means one host's verification rules silently apply
to a connection meant for another.

Expand the leading comment with an explicit SECURITY WARNING
that lists the settings which are NOT inherited and points at the
WOLFSSL*-level setters callers must use inside the SNI callback
when virtual hosts have different policies. The behavior of the
function is unchanged.

F-2902
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 3234f66cf3 Test TLS 1.3 NewSessionTicket MAX_LIFETIME bound check
DoTls13NewSessionTicket rejects a ticket lifetime greater than
MAX_LIFETIME (RFC 8446 Section 4.6.1, 7 days), but no test
exercised the rejection: every server in the suite stays well
within the limit, so a mutation deleting that bound check would
go unnoticed.

Add a manual memio test that pokes ctx_s->ticketHint to
MAX_LIFETIME + 1 (the public setter clamps to 604800), runs a
full TLS 1.3 handshake, and reads the post-handshake
NewSessionTicket on the client. The test confirms the over-limit
lifetime surfaces from wolfSSL_read as SERVER_HINT_ERROR.

F-2121
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 130f683d8c Validate minDowngrade in wolfSSL_SetSession before reusing version
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL's configured
minDowngrade. The overwritten version then fed straight into
SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising e.g. TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.

Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.

F-2105
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 425d3e9628 Make DoClientTicketCheckVersion DTLS-aware
DTLS minor versions decrease as the protocol version increases
(DTLS 1.0=0xFF, DTLS 1.2=0xFD, DTLS 1.3=0xFC), but the ticket
version comparisons in DoClientTicketCheckVersion used the TLS
direction unconditionally. As a result a DTLS server resuming a
session ticket from a different DTLS version could land on the
wrong branch: a ticket from a newer DTLS version would be treated
as a downgrade instead of being rejected, and a ticket from an
older DTLS version would be flagged as 'greater version' and
refused outright. The minDowngrade check at the bottom had the
same inversion bug.

Branch on ssl->options.dtls so the greater-version, lesser-version,
and minDowngrade comparisons all use the right direction for the
active protocol family. TLS behavior is unchanged.

F-1828
2026-05-14 14:07:26 +02:00
Juliusz Sosinowicz 9d77c217f2 Stop suppressing OCSP_CERT_REVOKED in server stapling path
Server-side OCSP stapling was unconditionally folding
OCSP_CERT_REVOKED, OCSP_CERT_UNKNOWN, and OCSP_LOOKUP_FAIL into a
success result so a stapling failure would not break the handshake.
OCSP_CERT_REVOKED, however, is an explicit positive assertion of
revocation by the responder and must not be ignored: silently
suppressing it lets a server keep advertising a revoked certificate
to clients that rely on stapling for revocation status.

Drop OCSP_CERT_REVOKED from the suppression list in
CreateOcspResponse, the CSR2_OCSP_MULTI handler in
SendCertificateStatus, and ProcessChainOCSPRequest. Continue
suppressing OCSP_CERT_UNKNOWN and OCSP_LOOKUP_FAIL, which are true
soft-fail responder conditions where the responder cannot answer.

F-1820
2026-05-14 14:07:26 +02:00
Sean Parkinson 81cce394db Merge pull request #10440 from JeremiahM37/gh10423
fix NO_VERIFY_OID build in GetOID
2026-05-14 20:02:06 +10:00
Sean Parkinson 31a76d333b Merge pull request #10468 from JeremiahM37/fenrir-wolfcrypt-api-hardening
wolfCrypt API hardening: input validation, key zeroization, hardware ports
2026-05-14 20:00:39 +10:00
Sean Parkinson 8d08ff8926 Merge pull request #10428 from kareem-wolfssl/gh10271_10313
tls13.c fixes + Add configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
2026-05-14 19:56:23 +10:00
Sean Parkinson a7beb20675 Merge pull request #10451 from Frauschi/fix/client-nonblocking-resume-err
Minor error handling fixes in client and server examples
2026-05-14 19:53:32 +10:00
Sean Parkinson 75f32a336c Merge pull request #10442 from JeremiahM37/zd21783
Fix SAKKE OOB write and correctness gap in sakke_hash_to_range
2026-05-14 19:51:52 +10:00
Sean Parkinson 233c3e9130 Merge pull request #10474 from Frauschi/membrowse_timeout
Add timeout to membrowse CI tests
2026-05-14 19:48:54 +10:00
Sean Parkinson e1840c6f83 ARM32 NEON ChaCha20: alignment fix
vldm and vstm assume an 32-bit alignment.
Change to use vld1 and vst1.
2026-05-14 19:39:10 +10:00
David Garske c450bdb381 Merge pull request #10471 from JacobBarthelmeh/cavium_octeon
fix Octeon AES-GCM J0 derivation when ivSz is a non-12-byte non-zero …
2026-05-13 15:25:11 -07:00
David Garske 121387ab25 Merge pull request #10479 from padelsbach/aesgcm-unused-vars
Avoid unused variable errors in aesgcm_non12iv_test
2026-05-13 14:36:07 -07:00
David Garske e4b9ac442b Merge pull request #10480 from douzzer/20260513-fixes
20260513-fixes
2026-05-13 14:35:53 -07:00
Daniel Pouzzner ffab43aa82 .wolfssl_known_macro_extras: add __CHERI_PURE_CAPABILITY__. 2026-05-13 14:41:02 -05:00
Daniel Pouzzner 5dd30c277d wolfcrypt/test/test.c: reapply lost fixes from 03cee6f2bf to aes_cbc_iv_state_test() (lost in #10404 / df5b2b6cb1). 2026-05-13 14:39:50 -05:00
Tobias Frauenschläger 97183e873a Improve Arduino CI test
* Remove test platforms not required for test coverage
* Install only required dependencies
* Make flaky configs "continue-on-error"
2026-05-13 20:59:35 +02:00
Paul Adelsbach 51540a0c79 Avoid unused variable errors in aesgcm_non12iv_test 2026-05-13 10:59:06 -07:00
David Garske 497ed9843e Merge pull request #10303 from julek-wolfssl/zd/21675
ocsp: bind responder authorization to CertID issuerKeyHash
2026-05-13 10:33:17 -07:00
David Garske d6931b9f29 Merge pull request #10272 from The-Capable-Hub/wbeasley/meta-cheri-fixes
Fix support on CHERI RISC-V architecture
2026-05-13 09:33:53 -07:00
Jeremiah Mackey e346cf93cc Add SSV size coverage to sakke_op_test 2026-05-13 14:58:56 +00:00
Jeremiah Mackey cd34cefbad Reject ssvSz=0 in SAKKE public APIs 2026-05-13 14:58:56 +00:00
JeremiahM37 623ab49572 Fix sakke_xor_in_v write offset and read base 2026-05-13 14:58:56 +00:00
rizlik cbaf9c154a cryptocb: don't declare wc_Sha256Trasnform under ONLY_SHA256 2026-05-13 16:18:52 +02:00
rizlik 6c2040adba swdev: add README.md 2026-05-13 16:18:52 +02:00
rizlik e03bc94742 swdev: add AES-ECB only testing option 2026-05-13 16:18:52 +02:00
rizlik cf6c645d73 aes: CRYPTO_ONLY_AES: do keyscheduling to support GCM on ECB-only device 2026-05-13 16:18:52 +02:00
rizlik a98d4798b1 tests: swdev: api: init/deinit swdev in TestSetup/TestCleanup 2026-05-13 16:18:52 +02:00
rizlik c84ea8df88 tests: api: remove extra wolfSSL_cleanup() 2026-05-13 16:18:52 +02:00
rizlik b1a3d72854 github ci: minor rewording 2026-05-13 16:18:52 +02:00
rizlik 31891eae8f swdev: always add swdev files to EXTRA_DISK 2026-05-13 16:18:52 +02:00
rizlik 71819bcb44 swdev: pair internal wolfCrypt_Init() with wolfCrypt_Cleanup() 2026-05-13 16:18:52 +02:00
rizlik 6d4fa5919c tests:api: skip TLS_CALLBACK_TEST under CRYPTO_CB_ONLY_* 2026-05-13 16:18:52 +02:00
rizlik 799f7d438b swdev: support user_settings.h based main library builds 2026-05-13 16:18:52 +02:00
rizlik c926aafa1b swdev: add copyright headers 2026-05-13 16:18:52 +02:00
rizlik 438e512334 test: use XFREE to pair XMALLOC 2026-05-13 16:18:52 +02:00
rizlik df2fd4ec06 swdev: refcount swdev Init/Cleanup 2026-05-13 16:18:52 +02:00
rizlik ade53b0c59 CRYPTO_CB_ONLY_SHA256: fix: guard Sha256FinalRaw under CB_ONLY_SHA256 2026-05-13 16:18:52 +02:00
rizlik c5ef060139 WOLF_CRYPTO_CB_ONLY_AES: add support + swdev for testing
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback
to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.

wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.

crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
2026-05-13 16:18:52 +02:00
rizlik 61bfff1dac WOLF_CRYPTO_CB_ONLY_SHA256: strip software SHA-256 and dispatch via swdev
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.

Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.

Add wc_swdev support for SHA-256 for testing.
2026-05-13 16:18:51 +02:00