Commit Graph

9933 Commits

Author SHA1 Message Date
Loganaden Velvindron fd8772ac3f quic: Fix buffer underflow 2026-07-03 03:57:58 +04:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner beca44b2fb Merge pull request #10795 from embhorn/gh10791
Fix to send record_overflow alert
2026-07-01 17:45:43 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner 5a9a49d5d5 Merge pull request #10730 from rizlik/dtlsv13_interop
dtlsv13: fix: send correct CH2 when server do not send HRR
2026-07-01 16:40:29 -05:00
Tobias Frauenschläger 9e71da21ac Merge pull request #10751 from aidangarske/tinytls13
Add --enable-tinytls13 TLS 1.3-only footprint profile.

Merging with PRB-master-job failing. Failures are unrelated to this PR.
2026-07-01 15:21:04 +02:00
philljj b5636ffaf9 Merge pull request #10696 from douzzer/20260615-linuxkm-fixes
20260615-linuxkm-fixes
2026-06-30 12:00:25 -05:00
David Garske 8d63afab99 Merge pull request #10767 from SparkiDev/ppc64_ppc32_asm_1
PPC64/PPC32 ASM: AES, SHA-2, SHA-3
2026-06-30 07:13:35 -07:00
Sean Parkinson 3e99430671 PPC64/PPC32 ASM: AES, SHA-2, SHA-3
PPC64:
  - Added AES-ECB/CBC/CTR/GCM/XTS using crypto instructions
  - Added SHA-256/512 using base scalar and crypto instructions
  - Added SHA-3 using base scalar and POWER8 VSX
  - Added SHA-3 x2/x3 but disabled compilation.
  - Added CPU id flags.
  - Changed the constant data format to be consistent with other platforms.
PPC32:
  - Added AES-ECB/CBC/CTR/GCM/XTS using base scalar
  - Added SHA-256/512 using base scalar
  - Added SHA-3 using base scalar
2026-06-30 08:52:45 +10:00
Daniel Pouzzner 300f58db6e src/include.am: remove wolfcrypt/src/aes_x86_64_asm.S from AESNI source lists in FIPS v2/v5/v6 sections. 2026-06-27 14:04:12 -05:00
Emma Stensland 92e76d4667 updated email to facts@wolfssl.com 2026-06-26 14:44:16 -06:00
Eric Blankenhorn 5d0678d38b Fix from review 2026-06-26 12:46:30 -05:00
Eric Blankenhorn c18833f520 Fix to send record_overflow alert 2026-06-26 11:49:59 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
Ruby Martin 0129f6fb72 Remove logically dead len and *data checks 2026-06-25 14:44:03 -06:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
Aidan Garske 41fad5f307 Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.
2026-06-22 12:08:58 -07:00
aidan garske 8bce9f0ead Add --enable-tinytls13 TLS 1.3-only footprint profile (PSK+ECDHE floor + minimal X.509) 2026-06-19 15:22:59 -07:00
Marco Oliverio 9e7958c108 dtlsv13: fix: send correct CH2 when server do not send HRR 2026-06-18 13:46:08 +02:00
Sean Parkinson fc946d6327 Intel x86/x64 assembly fixes
Allow x86 to build with assembly for enable all - disable assembly when x86 and not assembly code available. Add file fe_operations.c when assembly and x86.
x86: fix ECB decrypt to use corect offsets for parameters
     fix AES-NI and AVX1 assembly code
     fix sp_int with assembly to compile
     minor optimizations of AES-GCM
x64: Don't emit move instruction if source and destination are the same reg
     Use xor instead of mov 0
     minor optimizations of AES-GCM for AES-NI
2026-06-18 21:03:50 +10:00
JacobBarthelmeh 633784e91b Merge pull request #10714 from Frauschi/zd21992_2
Some more fixes
2026-06-17 17:34:15 -06:00
Tobias Frauenschläger 8e5be42a9d Fix !aNULL/!eNULL to drop explicitly-listed anonymous/NULL cipher suites
ParseCipherList() only cleared the InitSuites mask for "!aNULL"/"!eNULL",
which governs generated defaults, so an explicitly listed ADH or NULL-cipher
suite survived (e.g. "ADH-AES128-SHA:!aNULL" still offered an unauthenticated
suite). Scrub the explicit suites after parsing; exclusions are order-
independent and sticky (a later "ALL" cannot re-enable them).

Add test_wolfSSL_set_cipher_list_exclusions.
2026-06-17 19:14:07 +02:00
Ruby Martin ccbc1bac60 free md5/sha before returning error 2026-06-16 16:19:55 -06:00
Tobias Frauenschläger eaa563419e BIO: reject negative length in memory BIO read
Reject a negative read length in the memory BIO read path so it cannot bypass
the signed bounds checks and reach a wild copy. Adds a regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger f23544f094 TLS 1.3: fix for post-handshake authentication
Only exempt the missing-certificate check during the initial handshake; once a
post-handshake CertificateRequest is outstanding the server again requires the
client certificate (and its CertificateVerify). Adds a post-handshake auth
test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger c929798460 TLS: validate negotiated certificate type for raw public keys
Ensure a peer's certificate form (X.509 vs raw public key) matches the
negotiated certificate type, defaulting to X.509 when none was negotiated,
on both the client and server. Adds RPK regression tests covering both
directions.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger 3e30e69c35 certman: enforce keyCertSign usage on chain-supplied intermediate CAs
Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger d382439c7c PKCS7: tighten signature presence check in PKCS7_verify
Ensure a signer signature is actually verified before reporting a
PKCS7 SignedData object as verified, and add a regression test.
2026-06-16 20:19:22 +02:00
David Garske 70883a4ead Merge pull request #10692 from JacobBarthelmeh/fuzz
additional sanity check on alert message size
2026-06-15 18:27:58 -07:00
JacobBarthelmeh 68422e84de additional sanity check on alert message size 2026-06-15 16:49:54 -06:00
Marco Oliverio 44a22af323 Handle wildcard DNS names in compat name-constraint checks
MatchNameConstraint() compared wildcard DNS SANs literally, so
*.example.com was not rejected by an excluded subtree covering
foo.example.com. Route WOLFSSL_GEN_DNS through
wolfssl_local_MatchDnsNameConstraint(), passing the subtree direction:
permitted subtrees require every wildcard expansion to stay inside the
subtree, excluded subtrees reject when any expansion can fall inside.
This matches what ConfirmNameConstraints() already does.
2026-06-15 12:10:40 +02:00
Marco Oliverio eb9cd6c9c5 Use the shared URI name-constraint matcher in the compat layer
Replace ExtractHostFromUri() plus DNS-style base matching in
MatchNameConstraint() with wolfssl_local_MatchUriNameConstraint(), and
make wolfSSL_NAME_CONSTRAINTS_check_name() fail closed like
ConfirmNameConstraints(): when URI subtrees are present, a URI name
without a DNS host is rejected instead of passing excluded-only
constraints as a plain non-match.

This aligns the compat layer with RFC 5280 URI constraint semantics: a
base without a leading dot now matches the host exactly instead of as a
DNS subtree, and IP hosts no longer match at all.
2026-06-15 12:10:20 +02:00
JacobBarthelmeh 86ba8f7770 Merge pull request #10652 from SparkiDev/regression_fixes_25
Regression testing fixes - memory allocation failure testing
2026-06-12 16:30:57 -06:00
Tobias Frauenschläger 5c1225e6ab x509: harden wolfSSL_X509_verify_cert() against alloc failure and stack pollution
Robustness fixes in the OpenSSL-compatibility certificate verifier, independent
of the depth-exhaustion fix:

- Fail closed on allocation failure. When the failedCerts working stack could
  not be allocated, the function fell through to exit with ret still set to
  WOLFSSL_SUCCESS and reported the chain as verified without checking anything
  (a fail-open regression from the leak fix that turned the early return into a
  goto exit). Also check the ctx->chain allocation. Both now set an error.

- Remove caller-supplied intermediates from the correct stack. The intermediates
  appended to the working cert list during chain building were popped from
  ctx->store->certs by count, but they are appended to whichever stack is in use
  - which may be the caller's setTrustedSk (X509_STORE_CTX_set0_trusted_stack).
  Remove them by pointer identity from that same stack, recomputed from
  ctxIntermediates. Identity removal also survives the chain-building retries
  that reorder the stack, where a positional pop could drop a legitimate trusted
  entry and leave an injected intermediate behind - which a later verification
  reusing the store/ctx would then snapshot as a trust anchor. The removal helper
  walks the list once (O(n)) rather than indexing per position.

- NULL-guard ctx->store->param before dereferencing its flags in the
  partial-chain check.

Add regression tests covering: the trusted stack being restored after
verification, and the retry path (tampered plus genuine same-subject
intermediates, both orderings) leaving the store clean for later use.
2026-06-12 17:29:31 +02:00
Tobias Frauenschläger 2d76a68925 x509: reject depth-exhausted chains in wolfSSL_X509_verify_cert()
Fail compatibility-layer verification when the path-building loop runs
out of its depth budget before reaching a configured trust anchor,
instead of accepting the last verified link. Add a regression test.
2026-06-12 17:29:31 +02:00
Tobias Frauenschläger 3e2c46001e x509: require a trusted anchor in wolfSSL_X509_verify_cert()
Ensure caller-supplied intermediate certificates cannot terminate the
chain during compatibility-layer verification; a path must reach a
configured trust anchor. Add a regression test and supporting certs.
2026-06-12 17:29:31 +02:00
David Garske 29f14ed2ee Merge pull request #10582 from julek-wolfssl/fenrir-20260602
Fenrir 2026-06-02: TLS/DTLS correctness, resumption & renegotiation safety fixes
2026-06-11 15:29:51 -07:00
Juliusz Sosinowicz e68cc75ecd F-5813: clarify BuildMessage sequence-number wrap comment
The sequence number 2^64-1 is itself RFC 5246 6.1-legal; only the wrap to 0
is forbidden. GetSEQIncrement reads the current counter then post-increments
it, so the check refuses the final legal sequence number to avoid the
wrapping post-increment. Document that this last value is deliberately
sacrificed rather than implying 2^64-1 is itself unusable.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 108afdf1c3 F-5633: use explicit NULL comparison in FreeCiphers
Use the project's preferred `ptr != NULL` form for the new DTLS 1.3 ChaCha
record-number zeroization guards instead of relying on truthiness.
2026-06-11 19:22:36 +00:00
Juliusz Sosinowicz 5e76c66977 F-5818: don't invalidate the session on an unauthenticated alert
DoAlert evicted the cached session from the fatal-alert handling that runs
before the plaintext-under-encryption validation, so a forged TLS 1.3
plaintext alert injected on an established connection evicted the session
(forcing a full handshake on reconnect) even though the alert is then
rejected as PARSE_ERROR. The unexpected_message teardown sent in response
also evicted through the SendAlert hook.

Move the receive-side eviction past the validation, into the branch that
processes a genuine alert, and have InvalidateSessionOnFatalAlert refuse to
evict for a TLS 1.3 plaintext alert received while encryption is on (the
current record was not decrypted) - covering both the receive path and the
unexpected_message teardown sent in response. RFC 8446 6.2 does not require
TLS 1.3 invalidation, so this loses nothing; TLS 1.2 (RFC 5246 7.2.2) is
unaffected.
2026-06-11 19:22:35 +00:00
Juliusz Sosinowicz 2352d73f7f F-5811: defer resumed-session consistency checks to confirmed resumption
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.

Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.

Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
2026-06-11 19:22:35 +00:00
David Garske e0324866bc Merge pull request #10654 from douzzer/20260610-ssl_api_ext-revert-ret-cascades
20260610-ssl_api_ext-revert-ret-cascades
2026-06-11 09:49:08 -07:00
Sean Parkinson b04f573e20 Regression testing fixes - memory allocation failure testing
crl.c, internal.h: leak of sigParams requiring reorder the struct fields to that it is above memcpy part.
dtl13.c: free the DRLS fragments buffer in Dtls13FreeFsmResources in case fragment is never sent.
ocsp.c: only free cid if locally allocated.
tls.c: make sure ecc_kse is zeroized and can be freed.
tls13.c: set hsHashesEch after init so isn't lost on failure.
evp_pk.c: free key on the BIO error path

Fixed various tests to not leak or crash on memory allocation failure.
2026-06-11 12:14:06 +10:00
David Garske d56fa7972d Merge pull request #10639 from julek-wolfssl/fix-current-cipher-kx-nid
Fix cipher property NIDs for SSL_get_current_cipher and add PSK kx mapping
2026-06-10 14:50:02 -07:00
Juliusz Sosinowicz 748678715a F-5807: extend EMS resumption check to ticket resumption
Address review on PR #10582:

- The client-side extended_master_secret consistency check skipped all
  session-ticket resumptions, leaving a generic ticket resumption open to
  an undetected EMS downgrade by a malicious server or MITM. The client
  retains the EMS state for ticket sessions too (SetupSession), so the
  check now applies to ticket resumption as well, mirroring the adjacent
  cipher-suite check. Only EAP-FAST style resumption - where the
  session-secret callback supplies the master secret for an opaque PAC
  ticket - is exempt, matched precisely via ssl->sessionSecretCb just as
  the callback invocation in DoServerHello does.

- Add test_tls_ems_resumption_server_downgrade, exercising the
  client-direction downgrade (server resumes but omits EMS from its
  ServerHello) for both session-ID and session-ticket resumption. This
  client-side branch previously had no test coverage.
2026-06-10 20:50:51 +00:00
David Garske fdfb0a9fe7 Merge pull request #10627 from julek-wolfssl/fenrir-fixes-20260601-dtls13-recv-epoch
F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side
2026-06-10 10:06:26 -07:00
Daniel Pouzzner 03825c17f8 src/ssl_api_ext.c and src/ssl_api_pk.c: restore early BAD_FUNC_ARG returns that were refactored away in 359e688dc3, fixing null pointer deref regression in wolfSSL_UseALPN() (possibly others too). 2026-06-10 12:05:00 -05:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00