Commit Graph

646 Commits

Author SHA1 Message Date
David Garske e7f5c99115 Merge pull request #10398 from julek-wolfssl/fenrir/20260430
Fenrir fixes
2026-05-17 22:21:06 -07:00
David Garske 460a87119e Merge pull request #10351 from rizlik/cryptocbonly
CRYPTOCB_ONLY: add test infra + SHA256 + AES
2026-05-14 10:37:39 -07:00
Juliusz Sosinowicz 3234f66cf3 Test TLS 1.3 NewSessionTicket MAX_LIFETIME bound check
DoTls13NewSessionTicket rejects a ticket lifetime greater than
MAX_LIFETIME (RFC 8446 Section 4.6.1, 7 days), but no test
exercised the rejection: every server in the suite stays well
within the limit, so a mutation deleting that bound check would
go unnoticed.

Add a manual memio test that pokes ctx_s->ticketHint to
MAX_LIFETIME + 1 (the public setter clamps to 604800), runs a
full TLS 1.3 handshake, and reads the post-handshake
NewSessionTicket on the client. The test confirms the over-limit
lifetime surfaces from wolfSSL_read as SERVER_HINT_ERROR.

F-2121
2026-05-14 14:07:53 +02:00
Juliusz Sosinowicz 130f683d8c Validate minDowngrade in wolfSSL_SetSession before reusing version
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL's configured
minDowngrade. The overwritten version then fed straight into
SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising e.g. TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.

Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.

F-2105
2026-05-14 14:07:53 +02:00
Sean Parkinson 31a76d333b Merge pull request #10468 from JeremiahM37/fenrir-wolfcrypt-api-hardening
wolfCrypt API hardening: input validation, key zeroization, hardware ports
2026-05-14 20:00:39 +10:00
David Garske 497ed9843e Merge pull request #10303 from julek-wolfssl/zd/21675
ocsp: bind responder authorization to CertID issuerKeyHash
2026-05-13 10:33:17 -07:00
rizlik c84ea8df88 tests: api: remove extra wolfSSL_cleanup() 2026-05-13 16:18:52 +02:00
rizlik 6fb617aba9 tests/swdev: add ECC support to wc_swdev
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.

Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server.  Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:

  - ecc_mulmod_test (wolfcrypt/test/test.c)
  - test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
2026-05-13 16:18:51 +02:00
rizlik 0f82b9e5fb tests/swdev: add scaffolding for WOLF_CRYPTO_CB_ONLY_* testing
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing.  The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.

A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.

wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.

Enable via --enable-swdev (requires --enable-cryptocb).
2026-05-13 16:18:51 +02:00
Tobias Frauenschläger 12070eb032 Merge pull request #10473 from douzzer/20260512-fips-gating-fixes
20260512-fips-gating-fixes
2026-05-13 16:15:30 +02:00
Sean Parkinson 58c41b6d57 Merge pull request #10458 from philljj/fix_GetShortInt
asn: fix GetShortInt for asn original.
2026-05-13 16:44:38 +10:00
Sean Parkinson 581a9688c6 Merge pull request #10444 from philljj/fix_wc_export_int
wolfmath: check mpSz in wc_export_int.
2026-05-13 16:41:17 +10:00
Sean Parkinson b8bc480394 Merge pull request #10291 from JeremiahM37/test-coverage
Add negative tests for AEAD, PKCS7, PSS, DSA, DRBG, and PQ key
2026-05-13 16:39:54 +10:00
Sean Parkinson 2670a4f976 Merge pull request #10441 from padelsbach/pkcs7-verify-fix
Fix OOB possibility in PKCS7_VerifySignedData
2026-05-13 16:19:15 +10:00
Sean Parkinson 16132b4582 Merge pull request #10445 from embhorn/zd21742
Fix in ECC point conversion
2026-05-13 16:09:02 +10:00
Daniel Pouzzner e1c7385ccf wolfcrypt/test/test.c:
* in pbkdf2_test(), pwdbased_test(), and pkcs12_test(), add missing FIPS v7+
    gates around stanzas that use wc_PBKDF_max_iterations_set() and
    wc_PBKDF_max_iterations_get() or depend on erroring for excessive PBKDF
    iterations (fixes #10050);

  * in ecc_test_buffers(), omit new corrupt HMAC tag test on FIPS <v6 (fixes
    8f2a3f9563).

tests/api/test_dtls.c: add FIPS v7+ gate to test_dtls13_frag_ch2_with_ch1_rtx().

wolfssl/wolfcrypt/memory.h: #include "../../linuxkm/linuxkm_memory.h" rather than "linuxkm/linuxkm_memory.h", following pattern in wc_port.h.
2026-05-12 20:46:46 -05:00
David Garske dfe03ff538 Merge pull request #10381 from kareem-wolfssl/zd21694
Validate DSA parameters when verifying DSA key.
2026-05-12 16:29:29 -07:00
Jeremiah Mackey efe98a71fd add DRBG reseed boundary test 2026-05-12 20:59:29 +00:00
Jeremiah Mackey 0b917bc206 add signature negative verify tests 2026-05-12 20:59:29 +00:00
Jeremiah Mackey 71ce5a1e56 add PQ key integrity tests 2026-05-12 20:59:29 +00:00
Jeremiah Mackey 0a4ef94f5e add PKCS7 tampered attribs tests 2026-05-12 20:59:29 +00:00
Jeremiah Mackey ec44572bfc add AEAD bad tag tests 2026-05-12 20:59:29 +00:00
Jeremiah Mackey c516d9b6af Add wc_Rc2Free for key zeroization 2026-05-12 20:57:31 +00:00
David Garske eecb8cc601 Merge pull request #10461 from SparkiDev/tls13_cipher_fuzzing
TLSv1.3 testing: add fuzz test of decryption
2026-05-12 09:26:53 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Juliusz Sosinowicz 415f4f0504 tests: add OCSP responder CertID issuerKeyHash binding test
Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.
2026-05-12 14:36:00 +02:00
Sean Parkinson d7bdfd3e90 Merge pull request #10349 from rizlik/dtls13_rtx_fixes
DTLS13:  Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
Sean Parkinson c1cf8ffb2e TLSv1.3 testing: add fuzz test of decryption
Fixes F-3478
Add a fuzzing test for each cipher that modifies a random byte at a
random offset of an encrypted message and checks that the reading fails
with an appropriate return and error code.
Fuzzes both sides 5 times each for each cipher suite.
2026-05-12 15:59:28 +10:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Eric Blankenhorn 05d73707ef Fixes from review 2026-05-11 15:06:32 -05:00
Eric Blankenhorn 29f3b30651 Fix in ECC point conversion 2026-05-11 15:06:32 -05:00
jordan 333aaaa3a9 asn: fix GetShortInt for asn original. 2026-05-11 14:50:48 -05:00
jordan 99e5597372 wolfmath: check mpSz cleanup. 2026-05-11 12:09:50 -05:00
Kareem a12ccca612 Fully exclude the wc_DsaCheckPubKey function when building with NO_DSA_PUBKEY_CHECK. 2026-05-11 10:05:45 -07:00
Kareem 367bd173d1 Reword comment to hopefully fix clang-tidy test. 2026-05-11 10:05:45 -07:00
Kareem 44d3659244 Code review feedback 2026-05-11 10:05:45 -07:00
Kareem ea67ace873 Validate DSA parameters when verifying DSA key.
Thanks to Kr0emer for the report.
2026-05-11 10:05:45 -07:00
David Garske 01ba609f0d Merge pull request #9702 from danielinux/ta100_2025
[Microchip TA-100] Fix port + update to cryptoauthlib v3.6.0
2026-05-11 07:26:43 -07:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
Paul Adelsbach 3cad0bfe50 Fix OOB possibility in PKCS7_VerifySignedData 2026-05-10 20:34:48 -07:00
jordan 98831c25d4 wolfmath: check mpSz in wc_export_int. 2026-05-08 15:26:57 -05:00
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Daniel Pouzzner f1fff73352 tests/api.c: fix readability-uppercase-literal-suffix in rfc9802_verify_one_cert();
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();

wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
2026-05-08 18:53:57 +02:00
Tesfa Mael fbfc3ba8c2 Fix formatting 2026-05-08 18:50:44 +02:00
Tesfa Mael 4d94b8e8d5 [TA-100] Fix build/test regressions in non-TA100 builds 2026-05-08 18:50:44 +02:00
Tesfa Mae dbf4aaa5be TA100: follow-up changes (squash after 4e64cb56) 2026-05-08 18:50:43 +02:00
Tesfa Mae 00cca3e25b TA100: Microchip Trust Anchor support RSA/ECC 2026-05-08 18:50:43 +02:00