Align the argument parsing and handling of input group names to align it
with OpenSSL behavior:
* Do a case-insensitive comparison of the input names with our names
* Add aliases for "MLKEMxxx" groups without underscores in addition to
our names with underscores (keep our for backward compatibility)
* Extend unit tests for both
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.
Fix F-4427
Robustness fixes in the OpenSSL-compatibility certificate verifier, independent
of the depth-exhaustion fix:
- Fail closed on allocation failure. When the failedCerts working stack could
not be allocated, the function fell through to exit with ret still set to
WOLFSSL_SUCCESS and reported the chain as verified without checking anything
(a fail-open regression from the leak fix that turned the early return into a
goto exit). Also check the ctx->chain allocation. Both now set an error.
- Remove caller-supplied intermediates from the correct stack. The intermediates
appended to the working cert list during chain building were popped from
ctx->store->certs by count, but they are appended to whichever stack is in use
- which may be the caller's setTrustedSk (X509_STORE_CTX_set0_trusted_stack).
Remove them by pointer identity from that same stack, recomputed from
ctxIntermediates. Identity removal also survives the chain-building retries
that reorder the stack, where a positional pop could drop a legitimate trusted
entry and leave an injected intermediate behind - which a later verification
reusing the store/ctx would then snapshot as a trust anchor. The removal helper
walks the list once (O(n)) rather than indexing per position.
- NULL-guard ctx->store->param before dereferencing its flags in the
partial-chain check.
Add regression tests covering: the trusted stack being restored after
verification, and the retry path (tampered plus genuine same-subject
intermediates, both orderings) leaving the store clean for later use.
Fail compatibility-layer verification when the path-building loop runs
out of its depth budget before reaching a configured trust anchor,
instead of accepting the last verified link. Add a regression test.
Ensure caller-supplied intermediate certificates cannot terminate the
chain during compatibility-layer verification; a path must reach a
configured trust anchor. Add a regression test and supporting certs.
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:
tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;
wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;
linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.
wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.
linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.
Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.
Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
crl.c, internal.h: leak of sigParams requiring reorder the struct fields to that it is above memcpy part.
dtl13.c: free the DRLS fragments buffer in Dtls13FreeFsmResources in case fragment is never sent.
ocsp.c: only free cid if locally allocated.
tls.c: make sure ecc_kse is zeroized and can be freed.
tls13.c: set hsHashesEch after init so isn't lost on failure.
evp_pk.c: free key on the BIO error path
Fixed various tests to not leak or crash on memory allocation failure.
Address review on PR #10582:
- The client-side extended_master_secret consistency check skipped all
session-ticket resumptions, leaving a generic ticket resumption open to
an undetected EMS downgrade by a malicious server or MITM. The client
retains the EMS state for ticket sessions too (SetupSession), so the
check now applies to ticket resumption as well, mirroring the adjacent
cipher-suite check. Only EAP-FAST style resumption - where the
session-secret callback supplies the master secret for an opaque PAC
ticket - is exempt, matched precisely via ssl->sessionSecretCb just as
the callback invocation in DoServerHello does.
- Add test_tls_ems_resumption_server_downgrade, exercising the
client-direction downgrade (server resumes but omits EMS from its
ServerHello) for both session-ID and session-ticket resumption. This
client-side branch previously had no test coverage.
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.
Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
The TLS 1.2 client only compared the ServerHello suite against the
cached session suite for session-ID resumption; ticket resumption was
skipped on the assumption the suite is bound in the ticket. But the
ticket is opaque to the client, so it must enforce the match itself -
otherwise a server could resume a ticket under a different (weaker)
suite the client offered and the downgrade would go undetected
(RFC 5246 7.4.1.3).
The check is skipped only when the client retained no suite for the
session (cipherSuite0/cipherSuite both zero), so there is nothing to
compare against - as for EAP-FAST, whose PAC is a TLS ticket whose keys
come from the session-secret callback and which never populates the
cached suite. (0,0) is TLS_NULL_WITH_NULL_NULL, never negotiated, so it
unambiguously means "no retained suite". The EMS check remains
ticket-gated.
Add memio regression tests: a ticket resumption under a different
(retained) suite is rejected with MATCH_SUITE_ERROR, and a resumption
whose cached suite was not retained still succeeds.