Commit Graph

840 Commits

Author SHA1 Message Date
Daniel Pouzzner 0703dc9c6e Merge pull request #10815 from SparkiDev/tls13_test_cv_sig_alg
TLSv1.3 test: CertificateVerify signature algorithm test
2026-07-01 17:27:48 -05:00
Daniel Pouzzner 7afcc3eef6 Merge pull request #10687 from rlm2002/zd-NameConstraints
Name Constraints cert chain walk
2026-07-01 17:24:52 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner 5a9a49d5d5 Merge pull request #10730 from rizlik/dtlsv13_interop
dtlsv13: fix: send correct CH2 when server do not send HRR
2026-07-01 16:40:29 -05:00
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00
JacobBarthelmeh 64a4c7a7ae Merge pull request #10750 from night1rider/SHAKE-Callbacks
SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization
2026-07-01 10:53:57 -06:00
Lealem Amedie 277bd66624 FIPS: Default to 2048 bit min DH crypto 2026-07-01 08:26:23 -06:00
Tobias Frauenschläger 9e71da21ac Merge pull request #10751 from aidangarske/tinytls13
Add --enable-tinytls13 TLS 1.3-only footprint profile.

Merging with PRB-master-job failing. Failures are unrelated to this PR.
2026-07-01 15:21:04 +02:00
Sean Parkinson 95e798e897 TLSv1.3 test: CertificateVerify signature algorithm test
F-2917
Added test for signature algorithms sent not matching available.
2026-06-30 15:51:51 +10:00
Daniel Pouzzner 8452f2b2e0 wolfssl/wolfcrypt/wc_port.h: keep #define INLINE WC_INLINE even for latest FIPS;
tests/api.c: use WOLFSSL_FILETYPE_PEM, not SSL_FILETYPE_PEM;

tests/api/test_dtls.c and tests/api/test_dtls13.c: use WOLFSSL_ERROR_WANT_READ, not SSL_ERROR_WANT_READ.
2026-06-27 22:31:48 -05:00
David Garske 039e97df89 Merge pull request #10779 from lealem47/guard_rsa_modulus_test
Testing: Guard RSA OversizedModulus test result by FIPS version
2026-06-25 12:06:14 -07:00
David Garske cee4b2bb47 Merge pull request #10713 from SparkiDev/curve25519_hibit_mask
X25519: standard requires masking of top bit
2026-06-25 10:34:49 -07:00
Lealem Amedie b707c00f80 Testing: Guard RSA OversizedModulus test result by FIPS version 2026-06-25 08:16:06 -06:00
night1rider fed375fcea SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization. 2026-06-22 13:35:37 -06:00
aidan garske 8bce9f0ead Add --enable-tinytls13 TLS 1.3-only footprint profile (PSK+ECDHE floor + minimal X.509) 2026-06-19 15:22:59 -07:00
Ruby Martin 0052ec44dd add regression tests for name-constraint ancestor walk
- test_wolfSSL_CertManagerNameConstraint_valid_chain
  - test_wolfSSL_CertManagerNameConstraint_skid_disambiguates
  - Cert/key fixtures under certs/test/nc-ancestor/
  - gen-nc-ancestor.sh to regenerate from committed keys
2026-06-18 14:52:08 -06:00
JacobBarthelmeh 1001428637 adjust test case macro guard for ALLOW_INVALID_CERTSIGN builds 2026-06-18 08:20:33 -06:00
Marco Oliverio 9e7958c108 dtlsv13: fix: send correct CH2 when server do not send HRR 2026-06-18 13:46:08 +02:00
JacobBarthelmeh 506a8649e9 add macro guard around new test case for specific builds 2026-06-18 00:48:26 -06:00
JacobBarthelmeh 633784e91b Merge pull request #10714 from Frauschi/zd21992_2
Some more fixes
2026-06-17 17:34:15 -06:00
Tobias Frauenschläger dedba75ad4 Reject duplicate certificatePolicies extension in WOLFSSL_CERT_EXT builds
DecodeExtensionType() guarded the certificatePolicies duplicate check
(VERIFY_AND_SET_OID) under WOLFSSL_SEP only, because the extCertPolicySet
tracking bit was SEP-only. In a WOLFSSL_CERT_EXT-without-WOLFSSL_SEP build a
cert with two certificatePolicies extensions was accepted and the second
silently overwrote the first (RFC 5280 4.2 forbids repeats). Make the bit and
the guard available under WOLFSSL_CERT_EXT too, matching every other
non-repeatable extension.

Add test_DecodeCertExtensions_dup_certpol (DecodeExtensionType now
WOLFSSL_TEST_VIS).
2026-06-17 19:14:21 +02:00
Tobias Frauenschläger 160b3179a1 Add regression tests for various d2i_* methods 2026-06-17 18:44:11 +02:00
Sean Parkinson e017e6cba7 X25519: standard requires masking of top bit
Instead of failing when top bit is set, the standard and current research says to mask it.
WOLFSSL_X25519_NO_MASK_PEER is added to allow the rejection when required.
2026-06-17 15:37:26 +10:00
JacobBarthelmeh e6f02ecf4d fix for clang-tidy warning on variable not read 2026-06-16 16:09:42 -06:00
Tobias Frauenschläger eaa563419e BIO: reject negative length in memory BIO read
Reject a negative read length in the memory BIO read path so it cannot bypass
the signed bounds checks and reach a wild copy. Adds a regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger 8f55480a1d SP math: validate ECDH shared-secret output buffer against the field size
Regenerate the SP backends so the ECDH secret generators check the caller's
buffer against the number of bytes actually written. Adds a P-384/P-521
buffer-size regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger f23544f094 TLS 1.3: fix for post-handshake authentication
Only exempt the missing-certificate check during the initial handshake; once a
post-handshake CertificateRequest is outstanding the server again requires the
client certificate (and its CertificateVerify). Adds a post-handshake auth
test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger c929798460 TLS: validate negotiated certificate type for raw public keys
Ensure a peer's certificate form (X.509 vs raw public key) matches the
negotiated certificate type, defaulting to X.509 when none was negotiated,
on both the client and server. Adds RPK regression tests covering both
directions.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger 3e30e69c35 certman: enforce keyCertSign usage on chain-supplied intermediate CAs
Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger d382439c7c PKCS7: tighten signature presence check in PKCS7_verify
Ensure a signer signature is actually verified before reporting a
PKCS7 SignedData object as verified, and add a regression test.
2026-06-16 20:19:22 +02:00
Marco Oliverio 44a22af323 Handle wildcard DNS names in compat name-constraint checks
MatchNameConstraint() compared wildcard DNS SANs literally, so
*.example.com was not rejected by an excluded subtree covering
foo.example.com. Route WOLFSSL_GEN_DNS through
wolfssl_local_MatchDnsNameConstraint(), passing the subtree direction:
permitted subtrees require every wildcard expansion to stay inside the
subtree, excluded subtrees reject when any expansion can fall inside.
This matches what ConfirmNameConstraints() already does.
2026-06-15 12:10:40 +02:00
Marco Oliverio eb9cd6c9c5 Use the shared URI name-constraint matcher in the compat layer
Replace ExtractHostFromUri() plus DNS-style base matching in
MatchNameConstraint() with wolfssl_local_MatchUriNameConstraint(), and
make wolfSSL_NAME_CONSTRAINTS_check_name() fail closed like
ConfirmNameConstraints(): when URI subtrees are present, a URI name
without a DNS host is rejected instead of passing excluded-only
constraints as a plain non-match.

This aligns the compat layer with RFC 5280 URI constraint semantics: a
base without a leading dot now matches the host exactly instead of as a
DNS subtree, and IP hosts no longer match at all.
2026-06-15 12:10:20 +02:00
Marco Oliverio ef8836a346 Handle the absolute-FQDN trailing dot in URI name constraints
One trailing dot marks an absolute FQDN and is not part of the host:
"host.com." and "host.com" denote the same host. Strip it from the
URI host before classification (so "12.31.2.3." is still recognized
as an IPv4 address) and from the constraint base before the exact-match
comparison, mirroring what wolfssl_local_MatchBaseName() already does
for DNS name constraints. Only a single dot is the marker: an empty
last label ("host.com..") is rejected.
2026-06-15 11:56:31 +02:00
Marco Oliverio 4b3bb49b27 NameConstraints: Require DNS reg-name host for URI name constraints
RFC 5280 4.2.1.10 defines URI name constraints in terms of a host that
is a fully qualified domain name; RFC 3986 IP-literal ([...]) and
IPv4address hosts are not DNS reg-names and cannot be meaningfully
matched against a DNS-style constraint base.

- Classify the host extracted by GetUriHost (IP-literal, IPv4address,
  reg-name) and validate that a reg-name has no empty labels.
- wolfssl_local_MatchUriNameConstraint() no longer matches URIs whose
  host is an IP address.
- ConfirmNameConstraints() fails closed: when URI constraints are
  present, a URI SAN without a DNS host is rejected. A plain non-match
  would otherwise let such names pass excluded-only constraints.
2026-06-15 11:04:27 +02:00
JacobBarthelmeh 86ba8f7770 Merge pull request #10652 from SparkiDev/regression_fixes_25
Regression testing fixes - memory allocation failure testing
2026-06-12 16:30:57 -06:00
David Garske bfef92c343 Merge pull request #10656 from holtrop-wolfssl/f-4427
Ed448: check for public key presence on export
2026-06-12 15:30:07 -07:00
David Garske e4b7b67f06 Merge pull request #10674 from Frauschi/cert_chain_fix
Fixes for OpenSSL compatibility layer
2026-06-12 14:10:13 -07:00
Josh Holtrop 8c1e3a261f Fix Ed448/25519 export private-only key unit tests for FIPS pre-v7 2026-06-12 15:58:27 -04:00
Josh Holtrop 955ffb92d3 Free RNG from updated Ed448/Ed25519 unit tests 2026-06-12 15:58:27 -04:00
Josh Holtrop 92500e728f Preserve Ed25519/448 PublicKeyToDer unit testing for BUFFER_E 2026-06-12 15:58:27 -04:00
Josh Holtrop 3d517841d5 Ed448: check for public key presence on export
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.

Fix F-4427
2026-06-12 15:58:27 -04:00
David Garske 6081106ae3 Merge pull request #10647 from philljj/misc_fixes
Misc wolfcrypt fixes
2026-06-12 09:13:26 -07:00
Tobias Frauenschläger 5c1225e6ab x509: harden wolfSSL_X509_verify_cert() against alloc failure and stack pollution
Robustness fixes in the OpenSSL-compatibility certificate verifier, independent
of the depth-exhaustion fix:

- Fail closed on allocation failure. When the failedCerts working stack could
  not be allocated, the function fell through to exit with ret still set to
  WOLFSSL_SUCCESS and reported the chain as verified without checking anything
  (a fail-open regression from the leak fix that turned the early return into a
  goto exit). Also check the ctx->chain allocation. Both now set an error.

- Remove caller-supplied intermediates from the correct stack. The intermediates
  appended to the working cert list during chain building were popped from
  ctx->store->certs by count, but they are appended to whichever stack is in use
  - which may be the caller's setTrustedSk (X509_STORE_CTX_set0_trusted_stack).
  Remove them by pointer identity from that same stack, recomputed from
  ctxIntermediates. Identity removal also survives the chain-building retries
  that reorder the stack, where a positional pop could drop a legitimate trusted
  entry and leave an injected intermediate behind - which a later verification
  reusing the store/ctx would then snapshot as a trust anchor. The removal helper
  walks the list once (O(n)) rather than indexing per position.

- NULL-guard ctx->store->param before dereferencing its flags in the
  partial-chain check.

Add regression tests covering: the trusted stack being restored after
verification, and the retry path (tampered plus genuine same-subject
intermediates, both orderings) leaving the store clean for later use.
2026-06-12 17:29:31 +02:00
Tobias Frauenschläger 2d76a68925 x509: reject depth-exhausted chains in wolfSSL_X509_verify_cert()
Fail compatibility-layer verification when the path-building loop runs
out of its depth budget before reaching a configured trust anchor,
instead of accepting the last verified link. Add a regression test.
2026-06-12 17:29:31 +02:00
Tobias Frauenschläger 3e2c46001e x509: require a trusted anchor in wolfSSL_X509_verify_cert()
Ensure caller-supplied intermediate certificates cannot terminate the
chain during compatibility-layer verification; a path must reach a
configured trust anchor. Add a regression test and supporting certs.
2026-06-12 17:29:31 +02:00
jordan ab09d0c95b misc_fixes: cleanup for skoll review. 2026-06-12 00:12:45 -05:00
Daniel Pouzzner 3e390b1b29 Merge pull request #10666 from douzzer/20260611-AES-XTS-key-half-inequality
20260611-AES-XTS-key-half-inequality

approved by @dgarske and @kareem-wolfssl, final by @SparkiDev.
2026-06-11 21:55:37 -05:00
David Garske 29f14ed2ee Merge pull request #10582 from julek-wolfssl/fenrir-20260602
Fenrir 2026-06-02: TLS/DTLS correctness, resumption & renegotiation safety fixes
2026-06-11 15:29:51 -07:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Juliusz Sosinowicz 2352d73f7f F-5811: defer resumed-session consistency checks to confirmed resumption
The client's resumed-session EMS (F-5807) and cipher-suite (F-5811) checks
were enforced in CompleteServerHello at ServerHello-parse time. For stateless
ticket resumption the client sends an empty session ID and cannot yet tell
whether the server accepted the ticket (RFC 5077 3.4): a server that declines
the ticket falls back to a full handshake under a freshly negotiated
suite/EMS state, which these checks wrongly aborted with MATCH_SUITE_ERROR,
breaking the RFC 5077 ticket-decline fallback to a full handshake.

Move both checks into CheckResumptionConsistency and run it only once
resumption is confirmed - from whichever the server sends first in the
abbreviated flight: a renewed NewSessionTicket (before SetupSession refreshes
the cached suite/EMS to the current values) or its ChangeCipherSpec. By then
the "Not resuming as thought" path has cleared 'resuming' for any ticket
decline, so the full-handshake fallback proceeds.

Add test_tls12_resume_ticket_decline_fallback (ticket declined by a fresh
server CTX, full handshake under a different suite must succeed) and gate
test_tls12_resume_ticket_wrong_suite on WOLFSSL_NO_DEF_TICKET_ENC_CB so it
skips rather than fails in builds without the default ticket encryption
callback.
2026-06-11 19:22:35 +00:00