Commit Graph

84 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 6303af86ac Cache AEAD record overhead on WOLFSSL
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.

Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
2026-05-28 16:19:44 +02:00
Marco Oliverio bc574f7930 dtls13: WOLFSSL_DTLS13_5_9_0_COMPAT -> WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID 2026-05-26 09:16:56 +02:00
Marco Oliverio 8f477356ce dtls: add compat flag for buggy pre 5.9.0 DTLSv1.3 clients 2026-05-26 09:15:58 +02:00
Tobias Frauenschläger 847f3d6bab Make sure large buffers are on the heap with SMALL_STACK 2026-04-19 20:38:41 +02:00
Juliusz Sosinowicz 3b0b50e392 DTLS1.3: Implement RFC 9147 legacy_session_id_echo requirements 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Juliusz Sosinowicz 7b7f9a4fe0 dtls: Check PSK ciphersuite against local list 2025-10-29 13:14:50 +01:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Ruby Martin f62d0fa256 check sigAlgs.size against WOLFSSL_MAX_SIGALGO 2025-07-09 08:57:44 -06:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Juliusz Sosinowicz c36d23029f dtls: malloc needs to allocate the size of the dereferenced object 2025-01-30 18:32:22 +01:00
Juliusz Sosinowicz 9a8bc248de dtls: remove dead code 2025-01-30 18:32:22 +01:00
Juliusz Sosinowicz 3cd64581eb dtls: better sanitize incoming messages in stateless handling 2025-01-30 18:32:22 +01:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Juliusz Sosinowicz 9cb75ef5f8 fixup! DTLS: Add server side stateless and CID QoL API 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz a1ee953411 Protect peer access when WOLFSSL_RW_THREADED 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz 3ded2bc05d Code review and jenkins fixes 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz daa57c492d DTLS: Add server side stateless and CID QoL API
- wolfDTLS_accept_stateless - statelessly listen for incoming connections
- wolfSSL_inject - insert data into WOLFSSL object
- wolfSSL_SSL(Enable|Disable)Read - enable/disable reading from IO
- wolfSSL_get_wfd - get the write side file descriptor
- wolfSSL_dtls_set_pending_peer - set the pending peer that will be upgraded to regular peer when we successfully de-protect a DTLS record
- wolfSSL_dtls_get0_peer - zero copy access to the peer address
- wolfSSL_is_stateful - boolean to check if we have entered stateful processing
- wolfSSL_dtls_cid_get0_rx - zero copy access to the rx cid
- wolfSSL_dtls_cid_get0_tx - zero copy access to the tx cid
- wolfSSL_dtls_cid_parse - extract cid from a datagram/message
2024-12-18 09:31:24 +01:00
gojimmypi 5d86031f57 Initialize vars & change types to appease Windows/VS 2024-11-17 17:50:17 -08:00
Juliusz Sosinowicz cf96ab22ba Address code review 2024-09-20 15:31:01 +02:00
Juliusz Sosinowicz 99a99e3d6e Implement DTLS 1.2 Connection ID (CID) 2024-09-20 15:31:01 +02:00
Juliusz Sosinowicz b2f59f733a DTLS 1.3: check size including headers 2024-08-28 12:58:50 +02:00
Andras Fekete f419e2351b Remove NULL test with 'ptr = NULL' at the end 2024-08-06 10:55:37 -04:00
Andras Fekete eb0c64d79a Remove NULL test when there is a dereference 2024-08-06 10:29:02 -04:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Daniel Pouzzner b3e8f0ad24 add --enable-debug-trace-errcodes, WOLFSSL_DEBUG_TRACE_ERROR_CODES, WC_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-06-08 16:39:53 -05:00
Andras Fekete affd0a318e Fix sign conversion errors 2024-05-14 11:02:28 -04:00
Juliusz Sosinowicz 7644d792b6 Mark all record sequence numbers before stateful parsing as read
Fixes https://github.com/wolfSSL/wolfssl/issues/7273
2024-04-25 16:23:41 +02:00
Juliusz Sosinowicz 8bddeb10c7 DTLS sequence number and cookie fixes
- dtls: check that the cookie secret is not emtpy
- Dtls13DoDowngrade -> Dtls13ClientDoDowngrade
- dtls: generate both 1.2 and 1.3 cookie secrets in case we downgrade
- dtls: setup sequence numbers for downgrade
- add dtls downgrade sequence number check test

Fixes ZD17314
2024-02-05 16:09:03 +01:00
Eric Blankenhorn 7bbeadcf97 Fix build errors with dtls1.3 and no tls1.2 2023-11-15 10:37:09 -06:00
Juliusz Sosinowicz b8d5ac83eb Add info on how to use WOLFSSL_DTLS13_NO_HRR_ON_RESUME 2023-11-10 10:43:26 +01:00
Juliusz Sosinowicz aed715cb2c dtls 1.3: allow to skip cookie exchange on resumption
tls 1.3: do cookie exchange when asked too even when found a matching cipher
2023-10-31 14:29:04 +01:00
Juliusz Sosinowicz 275c0a0838 Update window in one place only when stateful 2023-10-09 12:54:11 +02:00
Juliusz Sosinowicz c1a49fef99 Fix unreachable code error 2023-10-09 12:54:11 +02:00
Juliusz Sosinowicz ada785e115 Address code review 2023-10-09 12:54:11 +02:00
Juliusz Sosinowicz 8da863184c Force DTLS 1.3 when accepting fragmented CH 2023-10-09 12:54:11 +02:00
Juliusz Sosinowicz 85a596e54a DTLS 1.3: allow fragmenting the second ClientHello message
- DTLS 1.3 pqc support
- Add --enable-dtls-frag-ch option to enable CH fragmenting
- Send an alert when we get an empty keyshare with a cookie present to not allow for multiple HRR in one connection
- Only update the DTLS window when we have successfully processed or stored a message
- Call ssl->chGoodCb as soon as we have processed a verified full or fragmented ClientHello cookie
2023-10-09 12:54:11 +02:00
Juliusz Sosinowicz 058dfca809 Use explicit field to signal that we received a unified hdr 2023-08-23 23:20:51 +02:00
JacobBarthelmeh 1285ae7816 Merge pull request #6506 from DimitriPapadopoulos/codespell
Fix typos found by codespell
2023-07-24 10:34:29 -06:00
Juliusz Sosinowicz ab560aa6b8 Fix ClientHello parsing when no extensions are present 2023-07-24 09:14:21 +02:00
Dimitri Papadopoulos 50752f5a2b Fix typos found by codespell 2023-07-04 07:21:27 +02:00
Sean Parkinson e2424e6744 SM2/SM3/SM4: Chinese cipher support
Add support for:
 - SM2 elliptic curve and SM2 sign/verify
 - SM3 digest
 - SM4 cipher with modes ECB/CBC/CTR/GCM/CCM

Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
2023-07-04 13:36:28 +10:00
Marco Oliverio e53453a7ed fix: add guards to compile w !HAVE_SUPPORTED_CURVES && NO_CERTS
This configuration can be used to build a static PSK only build
2023-06-05 16:13:11 +00:00
tmael 1106e5ff0e TLS v1.3: Support a stateful ticket and test HAVE_EXT_CACHE (#5960)
* Add TLSv1.3 stateful support
Fix internal and external session cache

* session cache fixes

* Refactor

- implement wolfSSL_CTX_flush_sessions
- use wolfSSL_CTX_flush_sessions to make test_wolfSSL_CTX_add_session_ext deterministic
- add dtls to test_wolfSSL_CTX_add_session_ext
- DoClientTicket_ex does not modify ssl object
- only call session remove callback on:
  - timeout
  - session is being overwritten/removed from the cache

* Session fixes

- restore bogus ID on session duplicate
- don't evict on overwrite
- use memmove instead on memcpy as `ssl->session == session` is possible
- ignore ClientSession parameter in AddSessionToCache on NO_SESSION_CACHE_REF
- use sessionID when altSessionID not present

* Session fixes

- DoClientTicketFinalize: always copy in the ID as teh altSessionID
- don't overwrite ex_data when overwriting cacheSession and cacheSession owns it

* Callback wants to retain a copy

* wolfSSL_GetSessionClient: ssl->ctx->get_sess_cb does not apply here

* test_wolfSSL_CTX_add_session_ext 

gate expected results on WOLFSSL_DTLS_NO_HVR_ON_RESUME

* TlsSessionIdIsValid: copy return can't be ignored

* Silence unused parameter

* test_wolfSSL_CTX_add_session_ext: handle async case

* Gate wolfSSL_SSL_CTX_remove_session on NO_SESSION_CACHE

* ssl.c: style fixes

* Add twcase_get_sessionCb_cleanup to free external cache

* Remove hard tab

* Correct build error in wolfSSL_CTX_flush_sessions

* Jenkins fixes:

- altSessionID only available with WOLFSSL_TICKET_HAVE_ID
- slim out psk_sess_free_cb_ctx

* Stateful dtls case has 2 accesses. Stateless just one.

* Add version numbering to hostap logs

* Import internal.h for test_wolfSSL_SESSION_get_ex_new_index

* wolfSSL_SetSession: don't check SslSessionCacheOff for session setting

* wolfSSL_SetSession: fully set expired session for OpenSSL compatibility

* wolfSSL_SetSession: check if setting same object

* AddSession: always populate the session object to allow re-use

* Add logging to wolfSSL_NewSession and wolfSSL_FreeSession

* Always setup session object

* Check if session has been setup before setting it

* Print errors in async test

* Make SetupSession available outside NO_SESSION_CACHE

* Review comments

* Fix ticBuf leak and TlsSessionIdIsValid logic

* Fix unmatched curly brackets

* TlsSessionIdIsValid: always need to check copy var

* TlsResumptionIsValid: set resume to FALSE default

* wolfSSL_SetSession: remove now variable since only used in one place

* Move internalCacheLookupOff into HAVE_EXT_CACHE block

---------

Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-04-21 06:46:08 -07:00
Juliusz Sosinowicz 4c7aa5c8dd Address code review 2023-03-09 19:00:25 +01:00
Juliusz Sosinowicz 335722c586 Async fixes 2023-03-07 12:04:54 +01:00
Juliusz Sosinowicz f5f67f43d7 Reset DTLS sequence number 2023-03-07 12:04:54 +01:00
Juliusz Sosinowicz a432502a98 Refactor sequence number reset for DTLS into one function 2023-03-07 12:04:54 +01:00