Commit Graph

30037 Commits

Author SHA1 Message Date
Juliusz Sosinowicz e68cc75ecd F-5813: clarify BuildMessage sequence-number wrap comment
The sequence number 2^64-1 is itself RFC 5246 6.1-legal; only the wrap to 0
is forbidden. GetSEQIncrement reads the current counter then post-increments
it, so the check refuses the final legal sequence number to avoid the
wrapping post-increment. Document that this last value is deliberately
sacrificed rather than implying 2^64-1 is itself unusable.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 108afdf1c3 F-5633: use explicit NULL comparison in FreeCiphers
Use the project's preferred `ptr != NULL` form for the new DTLS 1.3 ChaCha
record-number zeroization guards instead of relying on truthiness.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 5e76c66977 F-5818: don't invalidate the session on an unauthenticated alert
DoAlert evicted the cached session from the fatal-alert handling that runs
before the plaintext-under-encryption validation, so a forged TLS 1.3
plaintext alert injected on an established connection evicted the session
(forcing a full handshake on reconnect) even though the alert is then
rejected as PARSE_ERROR. The unexpected_message teardown sent in response
also evicted through the SendAlert hook.

Move the receive-side eviction past the validation, into the branch that
processes a genuine alert, and have InvalidateSessionOnFatalAlert refuse to
evict for a TLS 1.3 plaintext alert received while encryption is on (the
current record was not decrypted) - covering both the receive path and the
unexpected_message teardown sent in response. RFC 8446 6.2 does not require
TLS 1.3 invalidation, so this loses nothing; TLS 1.2 (RFC 5246 7.2.2) is
unaffected.
2026-06-11 19:22:35 +00:00
Juliusz Sosinowicz 2352d73f7f F-5811: defer resumed-session consistency checks to confirmed resumption
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.

Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.

Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
2026-06-11 19:22:35 +00:00
Juliusz Sosinowicz 748678715a F-5807: extend EMS resumption check to ticket resumption
Address review on PR #10582:

- The client-side extended_master_secret consistency check skipped all
  session-ticket resumptions, leaving a generic ticket resumption open to
  an undetected EMS downgrade by a malicious server or MITM. The client
  retains the EMS state for ticket sessions too (SetupSession), so the
  check now applies to ticket resumption as well, mirroring the adjacent
  cipher-suite check. Only EAP-FAST style resumption - where the
  session-secret callback supplies the master secret for an opaque PAC
  ticket - is exempt, matched precisely via ssl->sessionSecretCb just as
  the callback invocation in DoServerHello does.

- Add test_tls_ems_resumption_server_downgrade, exercising the
  client-direction downgrade (server resumes but omits EMS from its
  ServerHello) for both session-ID and session-ticket resumption. This
  client-side branch previously had no test coverage.
2026-06-10 20:50:51 +00:00
Juliusz Sosinowicz 2da5b24438 F-5811: enforce resumed cipher suite match for ticket resumption
The TLS 1.2 client only compared the ServerHello suite against the
cached session suite for session-ID resumption; ticket resumption was
skipped on the assumption the suite is bound in the ticket. But the
ticket is opaque to the client, so it must enforce the match itself -
otherwise a server could resume a ticket under a different (weaker)
suite the client offered and the downgrade would go undetected
(RFC 5246 7.4.1.3).

The check is skipped only when the client retained no suite for the
session (cipherSuite0/cipherSuite both zero), so there is nothing to
compare against - as for EAP-FAST, whose PAC is a TLS ticket whose keys
come from the session-secret callback and which never populates the
cached suite. (0,0) is TLS_NULL_WITH_NULL_NULL, never negotiated, so it
unambiguously means "no retained suite". The EMS check remains
ticket-gated.

Add memio regression tests: a ticket resumption under a different
(retained) suite is rejected with MATCH_SUITE_ERROR, and a resumption
whose cached suite was not retained still succeeds.
2026-06-09 13:07:53 +00:00
Juliusz Sosinowicz 1a2fcb8607 F-4144: propagate SendAlert result in DoHelloRequest no-reneg trace
In the WOLFSSL_OP_NO_RENEGOTIATION refusal path, WOLFSSL_LEAVE logged a
hard-coded 0 while the function actually returned SendAlert()'s result.
Capture the return value first so the trace reflects reality (e.g. when
SendAlert fails due to write backpressure) and return it.
2026-06-08 19:28:06 +00:00
Juliusz Sosinowicz 1f4afe9ccc F-5810: require renegotiation_info on renegotiation ClientHello
The server validated client_verify_data only inside
TLSX_SecureRenegotiation_Parse, which never runs when the renegotiation_info
extension is absent, so a renegotiation ClientHello that omitted it was never
checked. Track a per-handshake renegInfoSeen flag and, after parsing the
renegotiation ClientHello extensions, abort with handshake_failure if the
extension was absent (RFC 5746 3.7). Also reject an SCSV received during
renegotiation (RFC 5746 3.5).
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 1173a365fe F-4144: honor WOLFSSL_OP_NO_RENEGOTIATION
The documented 'reject peer-initiated renegotiation' option was accepted and
stored but never consulted. Now DoHelloRequest replies with a no_renegotiation
warning instead of starting SCR when the bit is set (client side), and the
server refuses a renegotiation ClientHello with a no_renegotiation warning
instead of resetting handshake state.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 6e1ca6bc70 F-5818: invalidate cached session on fatal alert
DoAlert marked a connection closed on a received fatal alert but left the
established session in the resumption cache, and the send path did the same,
so a session whose connection ended in a fatal alert remained resumable. Per
RFC 5246 Section 7.2.2 the session identifier MUST be invalidated; evict the
established session from the cache on both receipt and transmission of a fatal
alert via the new InvalidateSessionOnFatalAlert helper.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 0ec0db9357 F-5813: fail TLS 1.2 record send before the sequence number wraps
GetSEQIncrement silently rolled the 64-bit write sequence counter from 2^64-1
back to 0, reusing sequence number 0 with the same keys. Per RFC 5246 Section
6.1 sequence numbers MUST NOT wrap. BuildMessage now refuses to emit a TLS 1.2
record once the write sequence number has reached its maximum, returning the
new SEQUENCE_NUMBER_E error so the caller renegotiates or closes instead.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz a3a2609b18 F-5811: verify resumed cipher suite matches cached session
On session-ID resumption the client only checked that the server's selected
suite was in its offered list, not that it equaled the resumed session's
suite, so a server could resume the session ID under a different cipher suite.
Per RFC 5246 Section 7.4.1.2 / F.1.4 a resumed session reuses its negotiated
suite; abort with a fatal illegal_parameter on mismatch.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz b2c80eae15 F-5807: enforce EMS consistency on client session resumption
CompleteServerHello's resumption branch derived keys from the cached master
secret without checking the resumed session's extended_master_secret state
against the abbreviated ServerHello, letting a MITM strip EMS on resumption.
Per RFC 7627 Section 5.3, abort with a fatal handshake_failure when the cached
session's EMS flag does not match the ServerHello EMS state.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 0269b58400 F-5633: zeroize DTLS 1.3 ChaCha record-number keys before free
FreeCiphers released the DTLS 1.3 record-number protection ChaCha contexts
with XFREE only, leaving key material in freed heap memory. ForceZero both
contexts before freeing, matching the regular TLS ChaCha path in
FreeCiphersSide, and also zeroize a partially-set key in
Dtls13InitChaChaCipher when wc_Chacha_SetKey fails.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 2d36eca90e F-4868: reject trailing bytes in TLS 1.3 CertificateRequest
DoTls13CertificateRequest advanced past the certificate_request_context and
extensions blocks but never verified the whole message body was consumed,
silently ignoring trailing bytes. RFC 8446 Section 4.3.2 fixes the wire
format; enforce that the consumed length equals the message size and return
BUFFER_ERROR (decode_error) otherwise.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz e4007a8956 F-4867: reject trailing bytes in TLS 1.3 EncryptedExtensions
DoTls13EncryptedExtensions only bounds-checked the extensions length against
the message size, silently ignoring any trailing bytes. RFC 8446 Section 4.3.1
defines the message as solely the extensions block, so enforce length equality
and return BUFFER_ERROR (decode_error) on a mismatch.
2026-06-08 14:21:53 +02:00
Juliusz Sosinowicz c18784a11c F-3888: add negative tests for tampered RSA signatures/hashes
Extend test_wolfSSL_RSA_verify and test_wolfSSL_RSA_padding_add_PKCS1_PSS
with negative cases that flip a byte in the signature/encoding and in the
hash, asserting verification fails. This guards the XMEMCMP-based signature
acceptance decision in wolfSSL_RSA_verify_mgf against regressions that would
let any decryption result of matching length pass as valid.
2026-06-08 14:21:53 +02:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 02d08790af Merge pull request #10575 from julek-wolfssl/fenrir-fixes-20260601
Fenrir: TLS/DTLS conformance and crypto hardening fixes
2026-06-05 16:26:05 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner d5560b06cf Merge pull request #10556 from holtrop-wolfssl/rust-crate-updates-3
Rust wrapper: add scrypt KDF and RSA-OAEP support
2026-06-05 16:24:29 -05:00
Daniel Pouzzner 97095d209a Merge pull request #10561 from sebastian-carpenter/tls-ech-send-on-rejection
Enhancement: Stand out less with ECH or GREASE ECH
2026-06-05 16:23:41 -05:00
Daniel Pouzzner c300c41a68 Merge pull request #10514 from kaleb-himes/PQ-DOX
Add PQ documentation
2026-06-05 16:23:05 -05:00
Daniel Pouzzner 3012154367 Merge pull request #10259 from sebastian-carpenter/tls-ech-keylog
TLS ECH keylogging
2026-06-05 16:22:11 -05:00
Daniel Pouzzner 7caa3b97a8 Merge pull request #10503 from kareem-wolfssl/zd21858
Fix potential mismatch in size between DECL_MP_INT_SIZE_DYN and NEW_MP_INT_SIZE, fix unused variable warning in random.c.
2026-06-05 16:20:55 -05:00
Daniel Pouzzner fe77e37025 Merge pull request #10476 from julek-wolfssl/cache-overhead
Cache AEAD record overhead on WOLFSSL
2026-06-05 16:20:15 -05:00
Daniel Pouzzner 1d934846ea Merge pull request #10565 from philljj/bsdkm_misc_cleanup
bsdkm: misc cleanup.
2026-06-05 15:21:57 -05:00
David Garske f9817cf996 Merge pull request #10431 from mattia-moffa/20260330-max32666-sha-bare-metal
MAX32666 bare-metal SHA accelerator
2026-06-05 13:03:00 -07:00
Daniel Pouzzner c99567c96d Merge pull request #10596 from SparkiDev/regression_fixes_24
Regression testing fixes
2026-06-05 13:37:56 -05:00
Daniel Pouzzner f8f1e932a5 Merge pull request #10534 from SparkiDev/tls13_psk_id_fix
TLSv1.3 PSK binders: always use id protection
2026-06-05 12:36:00 -05:00
Daniel Pouzzner 2d186b378a Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc
TLS 1.3 plaintext alert: ignore before seeing encrypted
2026-06-05 11:12:47 -05:00
Daniel Pouzzner 4bf2d52780 Merge pull request #10571 from Frauschi/mlkem_rename
Migrate internal ML-KEM consumers to canonical wc_MlKemKey API
2026-06-05 11:00:44 -05:00
Daniel Pouzzner 727041b525 Merge pull request #10543 from anhu/zeroOnAuthFail
For chachapoly, force zero of output on auth fail
2026-06-05 10:55:05 -05:00
Daniel Pouzzner d80785bb07 Merge pull request #10583 from Frauschi/zephyr_patch
Fixes for Zephyr secure sockets integration
2026-06-05 10:06:23 -05:00
Sean Parkinson eeab53205a Merge pull request #10600 from douzzer/20260604-asm-and-linuxkm-fixes
20260604-asm-and-linuxkm-fixes
2026-06-05 20:55:43 +10:00
Daniel Pouzzner b8d8e918af Merge pull request #10597 from SparkiDev/sp_lazy_mutex_init_improv
SP gen: FP_ECC init mutex improvement
2026-06-04 22:38:06 -05:00
Sean Parkinson b0757c1cb7 TLS 1.3 plaintext alert: ignore before seeing encrypted
Change to ignore plaintext alerts when
WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined only until first
encrypted message from peer is seen.

Negative testing added.
2026-06-05 12:35:04 +10:00
Sean Parkinson 0796519a99 More regression testing fixes
Leak fixes: free existing ssl->buffers.key before overwriting in SetSSL_CTX() (internal.c) and wolfSSL_set_SSL_CTX() (ssl.c)

UAF fix: wc_CheckRsaKey() — mp_memzero_check(tmp) moved before the free (rsa.c)

Build guards: #ifndef NO_ED25519/ED448_VERIFY around forged-sig test data (test_ed25519/ed448.c); guard equal()/cmov() for verify-only builds (ge_operations.c); guard unused pointers under WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC (wc_mldsa.c)

Test cleanups (test.c): fix UB from out-of-range enum in hash_test(), always free AES dec object, fix der buffer declaration under small-stack builds
2026-06-05 11:30:53 +10:00
Sean Parkinson 089f1f7c91 TLSv1.3 PSK binders: always use id protection
Removed WOLFSSL_PSK_ID_PROTECTION from use as it is now on by default.
Always check whether the server has a certificate (not a CA chain).
If there is a certificate then continue, otherwise, report a binder
error.

Added test to ensure binder error returned and alert sent when no
NO_CERT. test_tls13_bad_psk_binder already tested no certificate.

Allowed memio test harness to be built when NO_CERT is defined.
2026-06-05 11:16:48 +10:00
Sean Parkinson ada6c5f95b SP gen: FP_ECC init mutex improvement
F-1379
Better handling of the lazy mutex initialization to use atomics where
available.

Improved atomic code when no system support:
 - add types
 - used types in functions

Add --no-ec to unit.test to not run wolfCrypt tests.
2026-06-05 10:58:44 +10:00
Daniel Pouzzner af119869d2 Merge pull request #10364 from MarkAtwood/fix/evp-cipher-iv-length-cfb-ofb
fix: EVP_CIPHER_iv_length returns 0 for AES-CFB128 and AES-OFB (ZD-21730)
2026-06-04 17:26:48 -05:00
Daniel Pouzzner b2e4bd1a11 Merge pull request #9987 from MarkAtwood/fix/evp-pkey-cmp-after-der-roundtrip
evp: fix EVP_PKEY_cmp for EC keys after DER deserialization
2026-06-04 17:19:46 -05:00
Daniel Pouzzner 6c4c03dc76 Merge pull request #10593 from miyazakh/f4429_EntropyGet
f4429 Add missing upper-bound validation in wc_Entropy_Get()
2026-06-04 17:09:36 -05:00
David Garske 887f88b106 Merge pull request #10599 from michael-membrowse/master
fix membrowse report group
2026-06-04 14:38:11 -07:00
Daniel Pouzzner 50166aab36 wolfcrypt/src/port/ppc64/ppc64-aes-asm.S: use TOC-relative addressing consistently, and add ELFv2 global-entry prologues. 2026-06-04 16:28:08 -05:00
Mattia Moffa bd022d995a Update README so the #define can be grepped by CI 2026-06-04 23:11:53 +02:00
Michael Rogov Papernov 5d810f4625 fix membrowse report group 2026-06-04 21:04:16 +01:00
Daniel Pouzzner ca59984200 wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM, force on NO_STDDEF_H to avoid conflicts with linux/stddef.h, which is always included indirectly in linuxkm_wc_port.h (via linux/kernel.h);
fix indentation in WOLFSSL_uITRON4 section.
2026-06-04 14:20:50 -05:00
Daniel Pouzzner a7b0b3ebc2 linuxkm/module_hooks.c: tweak wc_linuxkm_malloc_usable_size() and my_kallsyms_lookup_name(), moving wc_linuxkm_can_block() to where it's really needed in my_kallsyms_lookup_name(). 2026-06-04 14:18:34 -05:00
Daniel Pouzzner 99bf36bb61 wolfcrypt/src/port/arm/armv8-32-curve25519.S and wolfcrypt/src/port/arm/armv8-32-curve25519_c.c: fix MPI overflow in L_curve25519_inv_8, similar to fix in #10536 (efabd1844a). 2026-06-04 14:12:01 -05:00