Commit Graph

549 Commits

Author SHA1 Message Date
David Garske 460a87119e Merge pull request #10351 from rizlik/cryptocbonly
CRYPTOCB_ONLY: add test infra + SHA256 + AES
2026-05-14 10:37:39 -07:00
rizlik 6fb617aba9 tests/swdev: add ECC support to wc_swdev
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.

Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server.  Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:

  - ecc_mulmod_test (wolfcrypt/test/test.c)
  - test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
2026-05-13 16:18:51 +02:00
Tobias Frauenschläger d88ce69082 Minor error handling fixes in client and server examples 2026-05-13 09:50:12 +02:00
David Garske e3285850f9 Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
Tobias Frauenschläger 1093a36bc3 Fix flaky tcp bind on Windows test runs
Windows test code pre-picked a random port via GetRandomPort() (returning
a value in [49152, 65535]) before calling bind(), with no check that the
port was free and no retry on collision. Under load this occasionally
collided with an already-bound port and aborted the test with
"tcp bind failed", producing intermittent Jenkins failures (e.g. PRB
windows-test-v2 #17140 in the OCSP responder test).

The Unix path already does the right thing: bind to port 0 (OS-assigned
ephemeral) and read the port back via getsockname(). The same primitives
exist in Winsock 1.1, so drop the USE_WINDOWS_API guard around the
getsockname block in tcp_listen()/udp_accept() and remove the per-caller
GetRandomPort() workarounds in the OCSP responder, server example, and
the api.c / test_ossl_bio.c test sites. socklen_t is already typedef'd
as int on Windows in test.h.

GetRandomPort() itself is left in place since it is a static inline in a
shipped public test header.
2026-05-04 10:35:04 +02:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Juliusz Sosinowicz b0fdaa2a6d TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
RFC 8446 section 8 requires any server instance to accept 0-RTT for a
given ClientHello at most once. Prior to this change wolfSSL's behaviour
diverged from that requirement in several ways:

  * ctx->maxEarlyDataSz defaulted to MAX_EARLY_DATA_SZ whenever the
    library was built with WOLFSSL_EARLY_DATA, so servers auto-
    advertised 0-RTT in NewSessionTicket without the application
    asking. RFC 8446 E.5 says 0-RTT MUST NOT be enabled unless
    specifically requested.
  * The post-accept eviction is compiled out under NO_SESSION_CACHE,
    so builds without the cache accepted 0-RTT with no replay defence.
  * Stateless self-encrypted tickets do not carry a session ID on the
    stateless DoClientTicket decrypt path, so wolfSSL_SSL_CTX_remove_
    session could not locate them to evict.
  * wolfSSL_SSL_CTX_remove_session always returned 0 on success
    regardless of whether the session was actually in the cache,
    diverging from OpenSSL's SSL_CTX_remove_session (1 on success,
    0 on not-found).

Changes:
  * src/internal.c: ctx->maxEarlyDataSz defaults to 0; applications
    must opt in with wolfSSL_CTX_set_max_early_data.
  * src/tls13.c: #error when WOLFSSL_EARLY_DATA is built with
    HAVE_SESSION_TICKET and NO_SESSION_CACHE. Escape hatch
    WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY for deployments that take
    application-layer responsibility.
  * wolfssl/internal.h: imply WOLFSSL_TICKET_HAVE_ID from
    WOLFSSL_EARLY_DATA so stateless-ticket issuance populates the
    cache under an ID that eviction can find.
  * src/ssl_sess.c: wolfSSL_SSL_CTX_remove_session returns 1 when the
    session was found (internal-cache hit, or ctx->rem_sess_cb fired
    for an external cache), 0 otherwise. Matches OpenSSL semantics.
  * src/tls13.c: the 0-RTT acceptance condition in CheckPreSharedKeys
    now calls wolfSSL_SSL_CTX_remove_session and checks its return:
    the eviction is the check. If the session was in the cache, 0-RTT
    is accepted and the single-use requirement is satisfied. If not,
    the early_data extension is rejected through the normal path so
    the record layer correctly skips in-flight 0-RTT records.
    WOLFSSL_MSG at each rejection site.
  * doc/dox_comments/header_files/ssl.h: document runtime opt-in.
  * tests: four new tests —
    test_tls13_0rtt_default_off (fails without default-to-0 fix),
    test_tls13_0rtt_stateless_replay (fails without TICKET_HAVE_ID
    implication and remove_session gate),
    test_tls13_remove_session_return (fails without return-value fix),
    test_tls13_0rtt_ext_cache_eviction (fails without ext-cache
    counts-as-found fix).
    test_tls13_early_data explicitly opts in via
    wolfSSL_CTX_set_max_early_data.
    tests/api.c: two SSL_CTX_remove_session == 0 assertions updated
    to == 1.
2026-04-28 14:14:16 +02:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Daniel Pouzzner 3c87500207 Merge pull request #10037 from JacobBarthelmeh/nightly
fix examples to follow options.h config
2026-04-02 00:22:40 -05:00
David Garske 051b83b517 Merge pull request #9999 from sebastian-carpenter/hpke-fix
Fix: Improved support for combinations of HPKE algos
2026-03-24 08:47:01 -07:00
JacobBarthelmeh 81c3d26dde update macro guards for coexist build and use ret when getting SSL error 2026-03-23 22:46:34 -04:00
JacobBarthelmeh bab432d84b fix examples to follow options.h config 2026-03-23 21:51:09 -04:00
Daniel Pouzzner 678660e26d src/keys.c and src/tls13.c: add WC_NO_ERR_TRACE() annotations for various initializations.
wolfssl/ssl.h, examples/client/client.c, examples/server/server.c, src/bio.c, tests/api.c: add error tracing for WOLFSSL_SHUTDOWN_NOT_DONE.

tests/api.c: in test_wolfSSL_read_write_ex(), use WOLFSSL_SUCCESS rather than 1 for expected-success wolfSSL_shutdown()s, and add note that the wrong value is being returned (the test currently always fails, which is masked by an always-success retval).
2026-03-22 13:17:47 -05:00
sebastian-carpenter cbb7bfc53a improved ifdef's for hpke 2026-03-19 13:59:57 -06:00
sebastian-carpenter fcedc91d38 touch-ups:
- shrink ech interop workflow
- x448 macro now unused in hpke WOLFSSL_LOCAL functions
- bug fixes in added tests
2026-03-18 15:47:52 -06:00
Tobias Frauenschläger c3289f8aa9 Enable and use ML-KEM by default
* Enable ML-KEM by default in build systems (autoconf and CMake)
* Only allow three to-be-standardized hybrid PQ/T combinations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that). When Curve25519 is disabled, then either
  WOLFSSL_SECP384R1MLKEM1024 or WOLFSSL_SECP256R1MLKEM768 is used as
  default depending on the ECC configuration
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Add async support for ML-KEM hybrids
2026-03-18 10:48:16 +01:00
sebastian-carpenter 7e9f9dc140 refactor openssl-ech workflow + add suite testing 2026-03-17 16:29:58 -06:00
Tobias Frauenschläger 76b1300adb ML-KEM fixes
* DTLS 1.3 cookie and CH frag handling
* static memory handling
* Fix memory leak in TLS server PQC handling in case of ECH
* Make sure hybrids are actually tested in testsuite
2026-03-17 12:43:15 +01:00
JacobBarthelmeh a8dfa59bbe Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
sebastian-carpenter e17ac41070 TLS ECH fixes [SNI, api.c, server.c, comments] 2026-03-11 09:52:13 -06:00
sebastian-carpenter c3a38dced7 testing + bug fixes for TLS ECH 2026-03-11 08:56:26 -06:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Tobias Frauenschläger a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
Kareem ec92f76dec Fix tests when building with PEM support disabled by using DER certs/keys. 2025-09-12 16:11:07 -07:00
Daniel Pouzzner e0383b496a linuxkm/module_hooks.c: implement wc_linuxkm_GenerateSeed_IntelRD, gated on WC_LINUXKM_RDSEED_IN_GLUE_LAYER;
add WC_GENERATE_SEED_DEFAULT, which defaults to wc_GenerateSeed if not overridden, and replace wc_GenerateSeed with WC_GENERATE_SEED_DEFAULT in various calls to wc_SetSeed_Cb();

linuxkm/linuxkm_wc_port.h: if FIPS <v6 and RDSEED, define WC_LINUXKM_RDSEED_IN_GLUE_LAYER and define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD;

wolfcrypt/test/test.c: update rng_seed_test() with gating and vectors for FIPS v5 with HAVE_AMD_RDSEED or HAVE_INTEL_RDSEED;

wolfssl/wolfcrypt/types.h: add WC_HAVE_VECTOR_SPEEDUPS helper macro, and enlarge fallthrough definition coverage for DISABLE_VECTOR_REGISTERS.
2025-08-22 21:58:00 -05:00
effbiae 0e3f877326 WOLFSSL_ASYNC_WHILE_PENDING refactor 2025-08-14 12:03:13 +10:00
Anthony Hu c7e054a7a7 Rename ML-KEM hybrids to match IETF Draft. 2025-07-25 13:27:26 -04:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Eric Blankenhorn f663ed28b6 Fix MSVS build issues with PQC config 2025-03-21 11:49:55 -05:00
Sean Parkinson a7690ca24b ML-KEM/Kyber: finish name change 2025-03-10 08:37:14 +10:00
Tobias Frauenschläger 89491c7e36 Improvements for PQC hybrid key exchange
Add support for X25519 and X448 based hybrid PQC + ECC key exchange
groups. Furthermore, two new combinations with SECP curves are added to
match OQS combinations.

This also incorporates the changed order of X25519 and X448 based
combinations to place the PQC material before the ECDH material. This is
motivated by the necessity to always have material of a FIPS approved
algorithm first.

Also, codepoints are updated to reflect the latest draft standards for
pure ML-KEM and some of the hybrids. With these changes and based on the
recent additions to both enable ML-KEM final and draft versions
simultaneously, a WolfSSL TLS server is now compatible with all recent
browsers that support either the draft version of ML-KEM (Chromium based
browsers and Firefox < version 132; only when the draft version is
enabled in the build) or the final version already (Firefox > version 132).

In the process of extending support, some code and logic cleanup
happened. Furthermore, some memory leaks within the hybrid code path have
been fixed.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-21 18:44:40 +01:00
Juliusz Sosinowicz 7380ec68bb cmake.yml: fix error and run tests with ctest 2025-02-14 09:51:29 -06:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
JacobBarthelmeh 2409971b14 Merge pull request #8224 from julek-wolfssl/dtls-server-demux
DTLS: Add server side stateless and CID QoL API
2024-12-23 10:01:01 -07:00
Daniel Pouzzner ad8f74b650 examples/client/client.c and examples/client/client.c: use XSTRLCPY() to assure proper null termination. 2024-12-19 16:14:59 -06:00
Juliusz Sosinowicz ca4b1667ee strcpy -> strncpy 2024-12-19 11:19:47 +01:00
jordan b5c47d27e0 fedora crypto-policies: initial support. 2024-12-18 16:56:36 -06:00
David Garske 14e3372826 Enable support for using certificate manager only. Fixes for building without TLS enabled (NO_TLS). ZD 19054. Tested using ./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" && make check 2024-12-17 08:33:32 -08:00
JacobBarthelmeh 1bfbdb6c7f Merge pull request #8257 from dgarske/settings_h
Fix issue with wc_lms_impl.c or wc_lms not including settings.h
2024-12-05 11:43:43 -07:00
David Garske 1e9607b65e Fixes for ML-DSA and LMS cast warnings and spelling errors. 2024-12-05 08:34:58 -08:00
David Garske ef67b1c06a Support for building without wolfssl/openssl header files. ZD 18465
* Fix for `TlsSessionCacheGetAndLock` that was not checking the sessionIDSz, so could return a pointer to an invalid session (if 0's). Resolves issue with `test_wolfSSL_CTX_sess_set_remove_cb` test.
* Fix cast warning with `HAVE_EX_DATA` in Windows VS.
* Fix openssl_extra without PKCS12.
* Refactor the EX data crypto and session API's to gate on `HAVE_EX_DATA_CRYPTO`.
* Grouped the EX data API's in ssl.h
* Moved API's in ssl.h to separate the compatibility ones from ours.
2024-11-20 12:32:32 -08:00
Daniel Pouzzner 165b4afbeb Merge pull request #8143 from SparkiDev/kyber_plus_mlkem
Kyber/ML-KEM: make both available
2024-11-09 00:09:51 -06:00
Daniel Pouzzner aa18bbca55 assorted cleanups and refactors for C89 conformance, codespell and check-source-text, and consistent heap shim usage.
.github/workflows/codespell.yml: remove */README_jp.txt from "skip" list.

IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt: convert from SHIFT_JIS to UTF-8.

cmake/options.h.in: use "#cmakedefine HAVE_PTHREAD 1" to avoid conflict with config.h.

configure.ac: add --enable-c89, and remove !ENABLED_OPENSSLEXTRA dependency from AM_CONDITIONAL([BUILD_CRYPTONLY],...).

wolfcrypt/src/asn.c: refactor SetOthername() for efficiency, and add PRAGMA_GCC to suppress false positive -Wstringop-overflow associated with -fstack-protector.

wolfssl/wolfcrypt/rsa.h: add WC_ prefixes to RSA_PKCS1_PADDING_SIZE and RSA_PKCS1_OAEP_PADDING_SIZE, and define unprefixed compat aliases only if !OPENSSL_COEXIST.

wolfssl/wolfcrypt/types.h:

  #ifdef WOLF_C89, #define WC_BITFIELD unsigned;
  enhance WOLF_ENUM_DUMMY_LAST_ELEMENT() to include the line number, to construct unique labels given a per-filename argument, to accommodate anonymous enums.

examples/asn1/asn1.c:
examples/client/client.c:
examples/pem/pem.c:
examples/server/server.c:
wolfcrypt/src/sp_dsp32.c:
wolfcrypt/src/wc_port.c:
wolfssl/test.h:

  use XMALLOC/XREALLOC/XFREE consistently, not malloc/realloc/free.

wolfcrypt/benchmark/benchmark.c:
wolfcrypt/src/memory.c:
wolfcrypt/test/test.c:
wolfssl/wolfcrypt/mem_track.h:
wolfssl/wolfcrypt/settings.h:
wolfssl/wolfcrypt/types.h:

  annotate intentional native heap access with "/* native heap */".

wolfcrypt/src/asn.c:
wolfssl/callbacks.h:
wolfssl/openssl/ec.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/hpke.h:
wolfssl/wolfcrypt/types.h:

  fix enum trailing commas.

wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/rsa.h:
wolfssl/openssl/ssl.h:

  use WC_BITFIELD in bitfield elements, not byte or word16, to allow for pedantic C89 conformant builds.

wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/pem.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/logging.h:
avoid variadic macros wherever possible, and where unavoidable, #ifdef WOLF_NO_VARIADIC_MACROS, define them with empty arg lists, rather than ..., to support Watcom compiler.

wolfssl/wolfcrypt/settings.h: if defined(__WATCOMC__), define WOLF_NO_VARIADIC_MACROS.
2024-11-07 22:36:24 -06:00
Sean Parkinson 7d42ddae48 Kyber/ML-KEM: make both available
Make Kyber and ML-KEM individually available as well as at the same
time.
Modified TLS layer to support both Kyber and ML-KEM.
Added new identifiers in TLS layer for ML-KEM.
2024-11-04 23:51:51 +10:00
Daniel Pouzzner 950ee40111 additional fixes and enhancements for -DOPENSSL_EXTRA -DOPENSSL_COEXIST:
configure.ac:
* add --enable-all-osp to separate OSP meta-feature sets from --enable-all, allowing --enable-all --disable-all-osp --disable-opensslall (e.g. for testing OPENSSL_COEXIST).
* fix enable_all_crypto=yes in enable-all to be conditional on "$enable_all_crypto" = "".
* move enable_rsapss=yes from enable-all to enable-all-crypto.

examples/ and testsuite/: #undef OPENSSL_COEXIST unconditionally rather than only if defined(OPENSSL_EXTRA), to capture -DOPENSSL_EXTRA_X509_SMALL or any other such variants.
2024-10-31 13:42:04 -05:00
Daniel Pouzzner cf95fdc071 Globally remap & refactor conflicting symbols to allow -DOPENSSL_EXTRA -DOPENSSL_COEXIST, or equivalently, --enable-opensslextra --enable-opensslcoexist.
No functional changes.

Several compat symbols that were formerly enums are now macros.

All library source is refactored to use only native symbols in all code gated in with --enable-all-crypto --enable-opensslextra.

wolfcrypt/test/test.c is similarly refactored to use only native symbols.

examples/ and tests/ are unmodified except for header setup to disable OPENSSL_COEXIST and TEST_OPENSSL_COEXIST.
2024-10-31 00:10:21 -05:00
Juliusz Sosinowicz 99a99e3d6e Implement DTLS 1.2 Connection ID (CID) 2024-09-20 15:31:01 +02:00
Daniel Pouzzner b26fa6cf59 Merge pull request #7918 from SparkiDev/type_conversion_fixes_3
Type conversion fixes
2024-09-03 20:18:00 -05:00
Sean Parkinson ed7beb4e0e Type conversion fixes
Changes to get compilation with -Wconversion passing on the files.
2024-09-02 19:19:23 +10:00