Commit Graph

4439 Commits

Author SHA1 Message Date
David Garske dfe03ff538 Merge pull request #10381 from kareem-wolfssl/zd21694
Validate DSA parameters when verifying DSA key.
2026-05-12 16:29:29 -07:00
David Garske eecb8cc601 Merge pull request #10461 from SparkiDev/tls13_cipher_fuzzing
TLSv1.3 testing: add fuzz test of decryption
2026-05-12 09:26:53 -07:00
David Garske 32439c975f Merge pull request #10448 from SparkiDev/lms_fixes_1
LMS: fixes and improvements
2026-05-12 09:26:42 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Sean Parkinson d7bdfd3e90 Merge pull request #10349 from rizlik/dtls13_rtx_fixes
DTLS13:  Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Sean Parkinson 443861563d Merge pull request #10453 from LinuxJedi/fix-memtrack
Fix mem_track.h compile failure on multi-threaded non-Linux builds
2026-05-12 22:01:21 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
Sean Parkinson c1cf8ffb2e TLSv1.3 testing: add fuzz test of decryption
Fixes F-3478
Add a fuzzing test for each cipher that modifies a random byte at a
random offset of an encrypted message and checks that the reading fails
with an appropriate return and error code.
Fuzzes both sides 5 times each for each cipher suite.
2026-05-12 15:59:28 +10:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Kareem a12ccca612 Fully exclude the wc_DsaCheckPubKey function when building with NO_DSA_PUBKEY_CHECK. 2026-05-11 10:05:45 -07:00
Kareem 367bd173d1 Reword comment to hopefully fix clang-tidy test. 2026-05-11 10:05:45 -07:00
Kareem 44d3659244 Code review feedback 2026-05-11 10:05:45 -07:00
Kareem ea67ace873 Validate DSA parameters when verifying DSA key.
Thanks to Kr0emer for the report.
2026-05-11 10:05:45 -07:00
Andrew Hutchings 7b89d82b35 Fix mem_track.h compile failure on multi-threaded non-Linux builds
The memLock mutex and #include <pthread.h> in mem_track.h were
declared under #ifdef DO_MEM_LIST (Linux/macOS/Zephyr only), but
referenced under the broader guard

    !defined(SINGLE_THREADED) && \
    (defined(DO_MEM_LIST) || defined(DO_MEM_STATS))

Since DO_MEM_STATS is defined whenever WOLFSSL_TRACK_MEMORY +
USE_WOLFSSL_MEMORY are set without WOLFSSL_STATIC_MEMORY, any
non-Linux/Mac/Zephyr multi-threaded build failed to compile with
implicit pthread_mutex_lock declarations and undeclared memLock.

Replace the raw pthread mutex with wolfSSL's portable mutex API
(wc_InitMutex / wc_LockMutex / wc_UnLockMutex / wc_FreeMutex) so
locking works on every platform wolfSSL already ports to.
InitMemoryTracker now calls wc_InitMutex before
wolfSSL_SetAllocators installs TrackMalloc, guarded by a
memLockInit flag for idempotency. CleanupMemoryTracker calls
wc_FreeMutex after restoring the default allocators so no
in-flight allocation races a freed mutex. The four mutex guards
in TrackMalloc/TrackFree and the two in InitMemoryTracker/
ShowMemoryTracker are unified on the same condition as the
memLock declaration itself.

ZD #21763
2026-05-11 16:20:35 +01:00
David Garske 01ba609f0d Merge pull request #9702 from danielinux/ta100_2025
[Microchip TA-100] Fix port + update to cryptoauthlib v3.6.0
2026-05-11 07:26:43 -07:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
Sean Parkinson 69027c2445 LMS: fixes and improvements
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default valus.
Allow signing of empty message.
Other minor fixes.

Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
2026-05-11 16:18:12 +10:00
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Daniel Pouzzner f1fff73352 tests/api.c: fix readability-uppercase-literal-suffix in rfc9802_verify_one_cert();
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();

wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
2026-05-08 18:53:57 +02:00
Tesfa Mael fbfc3ba8c2 Fix formatting 2026-05-08 18:50:44 +02:00
Tesfa Mael 4d94b8e8d5 [TA-100] Fix build/test regressions in non-TA100 builds 2026-05-08 18:50:44 +02:00
Tesfa Mae dbf4aaa5be TA100: follow-up changes (squash after 4e64cb56) 2026-05-08 18:50:43 +02:00
Tesfa Mae 00cca3e25b TA100: Microchip Trust Anchor support RSA/ECC 2026-05-08 18:50:43 +02:00
Sean Parkinson 69a378461a Merge pull request #10406 from Frauschi/lms_xmss_certs
Support RFC 9802 LMS and XMSS in X.509 verification
2026-05-08 11:48:34 +10:00
Sean Parkinson 5fce8025bb Merge pull request #10386 from JeremiahM37/fenrir-4
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske 2b042709f2 Merge pull request #10427 from cconlon/setAsymKeyDerVersion
Set PKCS#8 version correctly in SetAsymKeyDer() when publicKey is bundled
2026-05-07 16:12:18 -07:00
David Garske 7b34be3945 Merge pull request #10331 from embhorn/zd21706
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske bf6c870889 Merge pull request #10304 from JeremiahM37/fenrir-2
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske fea8d1b5bc Merge pull request #10413 from JeremiahM37/fenrir-7
zeroize sensitive memory and validate public API inputs
2026-05-07 14:47:32 -07:00
David Garske 58ca6a1fa7 Merge pull request #10302 from JacobBarthelmeh/ecc
additional sanity checks on invalid input
2026-05-07 14:39:21 -07:00
David Garske 8ac2a1ae1b Merge pull request #10418 from rlm2002/coverity
20260506 Coverity
2026-05-07 14:11:32 -07:00
David Garske 52847ed7e0 Merge pull request #10420 from SparkiDev/mldsa_small_1
ML-DSA fixes: small vfy key object, small SHA-3, fix test
2026-05-07 13:52:50 -07:00
jackctj117 84b94f5236 test: move ECC curve cache cleanup from wolfcrypt_test() to unit.test exit path 2026-05-07 14:31:36 -06:00
Chris Conlon 7cc84d38fb fix SetAsymKeyDer to set PKCS#8 version=1 when bundling publicKey (RFC 5958) 2026-05-07 14:05:51 -06:00
Tobias Frauenschläger 28468b44f5 Support RFC 9802 LMS and XMSS in X.509 verification
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.

asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
  id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
  (1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
  HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
  and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
  "AlgorithmIdentifier omits NULL parameters" since PQC algos were
  added, and HSS/LMS + XMSS only made the original name more
  misleading.

wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
  4-byte OID prefix at the start of the raw public key, taking an
  is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
  spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
  u32str(L) || lmsType || lmOtsType when key->params is NULL; this
  also fixes a latent NULL-deref when the legacy precondition was
  violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
  on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
  matching wc_LmsKey_Verify and the documented contract of using
  wc_XmssKey_GetSigLen for the buffer size.

tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
  every supported parameter set, plus CA->leaf chains per family
  and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
  signature bytes, exercise the wolfCrypt-level negative paths
  (NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
  mismatch, partial-write invariants, lenient VERIFYONLY re-import,
  strict sigLen check) and confirm the outer signatureAlgorithm
  OID is rejected when it disagrees with the SPKI in both
  XMSS<->XMSS^MT directions.
2026-05-07 17:14:31 +02:00
Eric Blankenhorn 9802b35fa8 Fixes from rebase 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 6689397eec Fix from review 2026-05-07 07:33:56 -05:00
Eric Blankenhorn 9ac4a001fa Fix from review 2026-05-07 07:33:56 -05:00
Eric Blankenhorn c55b77b382 Fix handling of registeredID 2026-05-07 07:33:56 -05:00
Eric Blankenhorn df7a5e8a85 Fix in CheckForAltNames to handle IPSAN 2026-05-07 07:33:55 -05:00
Eric Blankenhorn ede266acc2 Fixes from review 2026-05-07 07:32:51 -05:00
Eric Blankenhorn 0f50c225e2 Fix IDNA matching 2026-05-07 07:31:25 -05:00
Jeremiah Mackey 18c627c2bf tests 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 3d489d1c10 tests 2026-05-07 02:33:58 +00:00
Jeremiah Mackey 51072bbce9 tests: cover input validation fixes 2026-05-07 02:31:25 +00:00
Sean Parkinson 55d7ed8d0e ML-DSA fixes: small vfy key object, small SHA-3, fix test
Only have the public key in the ML-DSA key object when verify-only.
Be able to leave out SHA-3 APIs when only needing SHAKE.
Fix ML-DSA testing to only have data for compiled in parameters.
2026-05-07 10:03:41 +10:00
Ruby Martin f6019467fa add unit test for NULL SHAKE parameters 2026-05-06 15:25:06 -06:00
Daniel Pouzzner 03cee6f2bf tests/api/test_ed25519.c and tests/api/test_ed448.c: add missing FIPS v7+ gating in test_wc_ed25519_export() and test_wc_ed448_export().
wolfcrypt/test/test.c: in aes_cbc_test(), use unconditional static on msg4 and verify4 to work around gcc optimizer bug (probably same bug as noted in ac11279c60).
2026-05-06 14:24:18 -05:00