From d3f9e9d84ec075ea679a08cfc015dd2dd3760fa1 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:15:13 -0700 Subject: [PATCH 01/36] F-6559 - Reject certs with critical policyConstraints/inhibitAnyPolicy --- tests/api/test_certman.c | 93 ++++++++++++++++++++++++++++++++++++++++ tests/api/test_certman.h | 2 + wolfcrypt/src/asn.c | 12 ++++++ 3 files changed, 107 insertions(+) diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c index 25c203a4b28..18b01a6119c 100644 --- a/tests/api/test_certman.c +++ b/tests/api/test_certman.c @@ -2866,6 +2866,99 @@ int test_wolfSSL_CRL_critical_idp(void) return EXPECT_RESULT(); } +int test_wolfSSL_cert_critical_policy_constraints(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) + /* Critical policyConstraints is parsed but never enforced, so RFC 5280 Sec 4.2 requires rejecting the cert rather than silently accepting it. */ + static const unsigned char cert_crit_policy[] = { + 0x30, 0x82, 0x03, 0x38, 0x30, 0x82, 0x02, 0x20, 0xa0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x14, 0x66, 0xab, 0x3b, 0x5f, 0x2a, 0xe6, 0xda, + 0xf6, 0x8b, 0x6a, 0x7b, 0x6c, 0x7e, 0x05, 0xcc, 0x2e, 0x94, 0x47, + 0xf7, 0x58, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x23, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, + 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, 0x73, 0x74, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x37, 0x31, 0x30, 0x31, 0x39, + 0x30, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x37, + 0x30, 0x37, 0x31, 0x39, 0x30, 0x35, 0x35, 0x38, 0x5a, 0x30, 0x23, + 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, + 0x72, 0x61, 0x69, 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, + 0x73, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xa5, 0x09, 0xd5, 0xa6, 0xb1, 0x07, 0xb6, 0x7e, 0xa0, + 0x51, 0x74, 0x5d, 0x1b, 0x3f, 0x92, 0x3d, 0xb2, 0xf4, 0x2d, 0xfc, + 0xd9, 0xa1, 0xa7, 0xc4, 0x2d, 0x28, 0x3e, 0xa5, 0x2e, 0xc0, 0xba, + 0xcc, 0x82, 0x3f, 0xf7, 0x80, 0x86, 0x4f, 0xb5, 0x3b, 0xeb, 0x67, + 0x3f, 0x57, 0x43, 0x72, 0xd0, 0x1e, 0xdb, 0xd9, 0x4f, 0xb5, 0x14, + 0x12, 0xec, 0xa4, 0x7a, 0x2a, 0xb8, 0xd7, 0x12, 0x64, 0x30, 0x32, + 0xe9, 0xfc, 0x3a, 0x91, 0xe3, 0xa6, 0x59, 0x08, 0x11, 0xde, 0xd0, + 0xb0, 0xfa, 0xcf, 0x31, 0x37, 0x3d, 0xa8, 0xd6, 0xa1, 0xb0, 0x84, + 0x25, 0x2d, 0x05, 0x8a, 0x33, 0x32, 0x24, 0x94, 0xa5, 0xef, 0x65, + 0xb6, 0x58, 0xfa, 0x94, 0xbd, 0x3a, 0xef, 0xfd, 0xcd, 0xeb, 0x56, + 0xc4, 0x87, 0x65, 0x45, 0x5f, 0xe1, 0x14, 0xa9, 0x3c, 0x6e, 0x94, + 0xa1, 0xc4, 0xfc, 0x67, 0xcd, 0xff, 0xb4, 0xdb, 0xbd, 0x0e, 0x56, + 0x26, 0x94, 0xa8, 0xdc, 0xc2, 0x9d, 0xef, 0xb3, 0x95, 0x27, 0xc4, + 0x97, 0x00, 0xae, 0x9a, 0x42, 0x48, 0x51, 0xe2, 0xbd, 0xb6, 0x12, + 0xf4, 0xe0, 0xaf, 0x21, 0xd2, 0x92, 0xc3, 0xc1, 0x7d, 0xb1, 0xad, + 0x11, 0xc9, 0x4e, 0xed, 0xb6, 0x80, 0x81, 0x2a, 0x86, 0xb2, 0xf2, + 0x6e, 0x8c, 0x6d, 0xe0, 0x55, 0x7a, 0x00, 0x76, 0x81, 0x73, 0x27, + 0x26, 0x3a, 0xd7, 0xe9, 0x86, 0xfb, 0x26, 0x14, 0x10, 0x1f, 0x0f, + 0xf8, 0xfd, 0x41, 0x67, 0x37, 0xdc, 0x51, 0xcf, 0xd7, 0x44, 0x2f, + 0x77, 0x85, 0xb2, 0xbb, 0xd4, 0xe9, 0xf4, 0xbb, 0xfc, 0xb0, 0x08, + 0xaf, 0xba, 0x8a, 0x73, 0x4c, 0x62, 0x97, 0x7b, 0xd2, 0x5d, 0x01, + 0x32, 0x5c, 0x84, 0x2d, 0xc7, 0x06, 0x53, 0x13, 0x25, 0xa7, 0xf2, + 0x85, 0xce, 0x18, 0x7c, 0x80, 0x7d, 0x46, 0xcf, 0x59, 0x4a, 0x6a, + 0x79, 0xad, 0xfd, 0x10, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x64, 0x30, 0x62, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, + 0x16, 0x04, 0x14, 0x57, 0x3b, 0x53, 0xa1, 0xea, 0xb0, 0x48, 0x46, + 0x26, 0x1c, 0x05, 0xa4, 0xb4, 0xca, 0x4c, 0xe7, 0x2d, 0x6c, 0x69, + 0xc2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x57, 0x3b, 0x53, 0xa1, 0xea, 0xb0, 0x48, 0x46, + 0x26, 0x1c, 0x05, 0xa4, 0xb4, 0xca, 0x4c, 0xe7, 0x2d, 0x6c, 0x69, + 0xc2, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x24, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x80, 0x01, 0x00, 0x30, 0x0f, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x99, 0xcd, 0x9d, 0x93, 0x7e, 0xbc, 0xe7, 0x50, 0x2c, 0xfe, 0xb6, + 0x0e, 0x13, 0x13, 0xaa, 0x42, 0x31, 0x87, 0x6d, 0xcc, 0x13, 0xaf, + 0x25, 0x17, 0x25, 0x4f, 0xa7, 0x9b, 0xed, 0x77, 0x36, 0xe7, 0x32, + 0x59, 0x9a, 0xe0, 0x77, 0xdf, 0x0a, 0x3e, 0xb1, 0x38, 0x23, 0x84, + 0x29, 0x06, 0x13, 0xd9, 0x41, 0xca, 0xd7, 0xf0, 0x1d, 0x6e, 0x3f, + 0xae, 0x04, 0x4c, 0x90, 0xed, 0x7e, 0xd9, 0x95, 0xf3, 0x22, 0xa7, + 0x95, 0x10, 0x44, 0x1d, 0x8f, 0xe7, 0xaa, 0x17, 0xe8, 0x42, 0x78, + 0x1c, 0x03, 0xfb, 0xa8, 0xc4, 0x46, 0x39, 0x27, 0xcc, 0x32, 0x23, + 0x6e, 0x0d, 0xd1, 0xf0, 0x9d, 0x46, 0x7c, 0x92, 0xab, 0x00, 0x76, + 0x49, 0x77, 0x03, 0xb6, 0x3c, 0x98, 0xaa, 0xf4, 0xd4, 0x29, 0x8e, + 0x31, 0x67, 0x1c, 0x08, 0xa3, 0x39, 0x55, 0x32, 0xc3, 0xcf, 0x34, + 0x5b, 0xbb, 0xcd, 0x98, 0x54, 0xf9, 0x1a, 0x82, 0xc4, 0x45, 0x26, + 0x27, 0xaf, 0xdf, 0x71, 0x08, 0x57, 0x92, 0x32, 0x8d, 0xc2, 0xfd, + 0x57, 0x35, 0x4c, 0x1e, 0xb5, 0x9e, 0xc6, 0x69, 0x1f, 0xe7, 0x7c, + 0xc8, 0x6b, 0xd5, 0x00, 0x55, 0x77, 0x44, 0x67, 0x46, 0x68, 0xc2, + 0xa9, 0x8d, 0x0d, 0xf7, 0x1d, 0x2c, 0x33, 0xac, 0x08, 0xa4, 0x0d, + 0xa8, 0x62, 0xc2, 0xe3, 0xd7, 0x6f, 0x70, 0x43, 0xae, 0x2b, 0x23, + 0xfb, 0x44, 0x0d, 0x42, 0xf5, 0xe7, 0x31, 0x93, 0x62, 0x5e, 0x6b, + 0x7b, 0x00, 0x95, 0x71, 0xd2, 0x30, 0xad, 0x94, 0x38, 0xe0, 0x50, + 0x5e, 0x73, 0xfb, 0x3d, 0x67, 0x1c, 0x73, 0x93, 0x1b, 0x3b, 0x4e, + 0xcd, 0xd1, 0x99, 0x93, 0xf9, 0x36, 0x56, 0x3d, 0xca, 0x02, 0xd0, + 0x9e, 0xe5, 0x89, 0x5d, 0x5e, 0xdf, 0x51, 0x7a, 0x6f, 0xc7, 0xb2, + 0xe6, 0x79, 0x94, 0xec, 0x24, 0x45, 0x91, 0x61, 0x63, 0xbf, 0x51, + 0x5f, 0xc7, 0x44 + }; + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntNE(wolfSSL_CertManagerLoadCABuffer(cm, cert_crit_policy, + sizeof(cert_crit_policy), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); +#endif + return EXPECT_RESULT(); +} + int test_wolfSSL_CRL_unknown_critical_ext(void) { EXPECT_DECLS; diff --git a/tests/api/test_certman.h b/tests/api/test_certman.h index 35117601452..868dca801d1 100644 --- a/tests/api/test_certman.h +++ b/tests/api/test_certman.h @@ -48,6 +48,7 @@ int test_wolfSSL_CRL_duplicate_extensions(void); int test_wolfSSL_CRL_critical_idp(void); int test_wolfSSL_CRL_unknown_critical_ext(void); int test_wolfSSL_CRL_unknown_critical_entry_ext(void); +int test_wolfSSL_cert_critical_policy_constraints(void); int test_wolfSSL_CertManagerCheckOCSPResponse(void); int test_various_pathlen_chains(void); int test_wolfSSL_CertManagerRejectMD5Cert(void); @@ -82,6 +83,7 @@ int test_wolfSSL_CertManagerNameConstraint_skid_disambiguates(void); TEST_DECL_GROUP("certman", test_wolfSSL_CRL_critical_idp), \ TEST_DECL_GROUP("certman", test_wolfSSL_CRL_unknown_critical_ext), \ TEST_DECL_GROUP("certman", test_wolfSSL_CRL_unknown_critical_entry_ext), \ + TEST_DECL_GROUP("certman", test_wolfSSL_cert_critical_policy_constraints), \ TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCheckOCSPResponse), \ TEST_DECL_GROUP("certman", test_various_pathlen_chains), \ TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerRejectMD5Cert), \ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 12d4956caf9..84c2fba196f 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -21637,6 +21637,12 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length, case INHIBIT_ANY_OID: VERIFY_AND_SET_OID(cert->inhibitAnyOidSet); WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); + #ifndef WOLFSSL_NO_ASN_STRICT + if (critical) { + WOLFSSL_ERROR_VERBOSE(ASN_CRIT_EXT_E); + ret = ASN_CRIT_EXT_E; + } + #endif break; #ifndef IGNORE_NETSCAPE_CERT_TYPE @@ -21661,6 +21667,12 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length, cert->extPolicyConstCrit = critical ? 1 : 0; if (DecodePolicyConstraints(&input[idx], (int)length, cert) < 0) return ASN_PARSE_E; + #ifndef WOLFSSL_NO_ASN_STRICT + if (critical) { + WOLFSSL_ERROR_VERBOSE(ASN_CRIT_EXT_E); + ret = ASN_CRIT_EXT_E; + } + #endif break; #ifdef WOLFSSL_SUBJ_DIR_ATTR case SUBJ_DIR_ATTR_OID: From cb95598bb067120cd6f9974ee44928534b239f69 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:25:51 -0700 Subject: [PATCH 02/36] F-6731 - ForceZero PreSharedKey identity holding resumption secret before free --- src/tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/tls.c b/src/tls.c index 59a9b2f373d..eb5ed613fc8 100644 --- a/src/tls.c +++ b/src/tls.c @@ -12152,6 +12152,10 @@ static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap) while ((current = list) != NULL) { list = current->next; + /* identity may hold an in-place decrypted ticket whose bytes are the + * resumption master secret; wipe before returning it to the heap. */ + if (current->identity != NULL) + ForceZero(current->identity, current->identityLen); XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX); XFREE(current, heap, DYNAMIC_TYPE_TLSX); } From 010b72df0ea9fc77ef1ccfa09ba8f41580af5fce Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:32:09 -0700 Subject: [PATCH 03/36] F-6730 - Use DTLS-aware header size for ECH inner ClientHello buffer --- src/tls.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/tls.c b/src/tls.c index eb5ed613fc8..da638f0bdb2 100644 --- a/src/tls.c +++ b/src/tls.c @@ -14593,6 +14593,17 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech, return ret; } +/* Header bytes reserved before the ECH inner ClientHello (DTLS uses a larger handshake header than TLS). */ +static word32 TLSX_EchInnerHeaderSz(const WOLFSSL* ssl) +{ +#ifdef WOLFSSL_DTLS13 + return ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : HANDSHAKE_HEADER_SZ; +#else + (void)ssl; + return HANDSHAKE_HEADER_SZ; +#endif +} + /* return status after attempting to open the hpke encrypted ech extension, if * successful the inner client hello will be stored in * ech->innerClientHelloLen */ @@ -14680,7 +14691,7 @@ static int TLSX_ExtractEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, if (ret == 0) { ret = wc_HpkeContextOpenBase(ech->hpke, ech->hpkeContext, aad, aadLen, ech->outerClientPayload, ech->innerClientHelloLen, - ech->innerClientHello + HANDSHAKE_HEADER_SZ); + ech->innerClientHello + TLSX_EchInnerHeaderSz(ssl)); } #ifdef HAVE_SECRET_CALLBACK @@ -14898,7 +14909,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); /* allocate the inner payload buffer */ ech->innerClientHello = - (byte*)XMALLOC(ech->innerClientHelloLen + HANDSHAKE_HEADER_SZ, + (byte*)XMALLOC(ech->innerClientHelloLen + TLSX_EchInnerHeaderSz(ssl), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (ech->innerClientHello == NULL) { XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); From 2b7a4eb607ccd4ba8d03965224b729d1f5870e7b Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:34:38 -0700 Subject: [PATCH 04/36] F-6723 - Silently discard ChangeCipherSpec records on DTLS 1.3 --- src/internal.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/internal.c b/src/internal.c index fc8bc191f1f..4f56f2ae4a4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -23775,6 +23775,14 @@ static int CheckResumptionConsistency(WOLFSSL* ssl) static int DoChangeCipherSpecTls13(WOLFSSL* ssl) { word32 i = ssl->buffers.inputBuffer.idx; +#ifdef WOLFSSL_DTLS13 + if (ssl->options.dtls) { + /* CCS is not part of DTLS 1.3; discard the record without alerting so a + * spoofed CCS cannot tear down the handshake. */ + ssl->buffers.inputBuffer.idx += ssl->curSize; + return 0; + } +#endif if (ssl->options.handShakeState == HANDSHAKE_DONE) { SendAlert(ssl, alert_fatal, unexpected_message); WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE); From bde3f7776f4c05f140575bf7da805debecc2f07a Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:40:23 -0700 Subject: [PATCH 05/36] F-6711 - Publish bn_one via atomic compare-exchange to fix init race --- src/ssl_bn.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 74d828da934..a88ee73a6c9 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -326,23 +326,21 @@ const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void) wolfSSL_BN_free(one); one = NULL; } - else + else { #ifndef SINGLE_THREADED - /* Ensure global has not been set by another thread. */ - if (bn_one == NULL) - #endif - { + void* expected = NULL; + /* Publish atomically so a losing thread frees only its own object, + * never a pointer already handed to another thread. */ + if (!wolfSSL_Atomic_Ptr_CompareExchange((void* volatile*)&bn_one, + &expected, one)) { + wolfSSL_BN_free(one); + one = (WOLFSSL_BIGNUM*)expected; + } + #else /* Set this big number as the global. */ bn_one = one; - } - #ifndef SINGLE_THREADED - /* Check if another thread has set the global. */ - if (bn_one != one) { - /* Dispose of this big number and return the global. */ - wolfSSL_BN_free(one); - one = bn_one; - } #endif + } } return one; From 61f3b880cda86b099e9122bf589e9b85d5a1b5d7 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:46:04 -0700 Subject: [PATCH 06/36] F-4112 - Map check_cert_key errors to failure in dual-alg check_private_key --- src/ssl_api_pk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl_api_pk.c b/src/ssl_api_pk.c index d18590e8acf..59adff14822 100644 --- a/src/ssl_api_pk.c +++ b/src/ssl_api_pk.c @@ -393,7 +393,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) res = check_cert_key(ctx->certificate, privateKey, altPrivateKey, ctx->heap, ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId, ctx->altPrivateKeyDevId, - ctx->altPrivateKeyLabel, ctx->altPrivateKeyId) != 0; + ctx->altPrivateKeyLabel, ctx->altPrivateKeyId) == 1; } #ifdef WOLFSSL_BLIND_PRIVATE_KEY /* Dispose of the unblinded buffers. */ From ce7b94c8b706a1f461bb6d24aea6097342a558c3 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:46:04 -0700 Subject: [PATCH 07/36] F-4111 - NULL-check ssl in wolfSSL_get_ocsp_producedDate accessors --- src/ssl_api_crl_ocsp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl_api_crl_ocsp.c b/src/ssl_api_crl_ocsp.c index 677aad46812..1cb77a3c663 100644 --- a/src/ssl_api_crl_ocsp.c +++ b/src/ssl_api_crl_ocsp.c @@ -395,6 +395,9 @@ int wolfSSL_get_ocsp_producedDate( size_t producedDate_space, int *producedDateFormat) { + if (ssl == NULL) + return BAD_FUNC_ARG; + if ((ssl->ocspProducedDateFormat != ASN_UTC_TIME) && (ssl->ocspProducedDateFormat != ASN_GENERALIZED_TIME)) return BAD_FUNC_ARG; @@ -415,6 +418,9 @@ int wolfSSL_get_ocsp_producedDate( int wolfSSL_get_ocsp_producedDate_tm(WOLFSSL *ssl, struct tm *produced_tm) { int idx = 0; + if (ssl == NULL) + return BAD_FUNC_ARG; + if ((ssl->ocspProducedDateFormat != ASN_UTC_TIME) && (ssl->ocspProducedDateFormat != ASN_GENERALIZED_TIME)) return BAD_FUNC_ARG; From 39c7639b6b9ca779dfbdf30c397546b0157886d4 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:50:01 -0700 Subject: [PATCH 08/36] F-6328 - Fix mis-gated key->dp NULL check in wc_BuildEccKeyDer --- wolfcrypt/src/asn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 84c2fba196f..22511585436 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -32950,8 +32950,9 @@ int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *outLen, ret = BAD_FUNC_ARG; } - /* Check key has parameters when encoding curve. */ - if ((ret == 0) && curveIn && (key->dp == NULL)) { + /* Check key has parameters: key->dp->size is dereferenced below regardless + * of curveIn. */ + if ((ret == 0) && (key->dp == NULL)) { ret = BAD_FUNC_ARG; } if (ret == 0) From 44b3f1a5dfc0be54a2cf58d8a9506a9905f0046e Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:50:01 -0700 Subject: [PATCH 09/36] F-6704 - Free WOLFSSL_X509 on CopyDecodedToX509 failure in X509_STORE_GetCerts --- src/x509_str.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/x509_str.c b/src/x509_str.c index 710d18b74c0..bcef5268659 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -2374,6 +2374,8 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s) } } else { + wolfSSL_X509_free(x509); + x509 = NULL; goto error; } found = 1; From 356fdf27c980ad20b2bfb3798f61fac96e6ba817 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:50:01 -0700 Subject: [PATCH 10/36] F-6705 - Log peerCert copy failure only on actual failure --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 4f56f2ae4a4..4cb9a3e5eab 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15355,7 +15355,7 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt, if (args->certIdx == 0) { FreeX509(&ssl->peerCert); InitX509(&ssl->peerCert, 0, ssl->heap); - if (CopyDecodedToX509(&ssl->peerCert, args->dCert) == 0) + if (CopyDecodedToX509(&ssl->peerCert, args->dCert) != 0) WOLFSSL_MSG("Unable to copy to ssl->peerCert"); store->current_cert = &ssl->peerCert; /* use existing X509 */ } From e720f36dd220530f9ba3742c8d28554b0a702cbb Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:50:01 -0700 Subject: [PATCH 11/36] F-5585 - Take cert ownership after incorporation to avoid double-free --- src/ssl_p7p12.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/ssl_p7p12.c b/src/ssl_p7p12.c index 27cf6c89635..23aa47d297b 100644 --- a/src/ssl_p7p12.c +++ b/src/ssl_p7p12.c @@ -903,6 +903,7 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, { int ret; WOLFSSL_PKCS7* p7; + WOLFSSL_STACK* certHead = certs; WOLFSSL_ENTER("wolfSSL_PKCS7_encode_certs"); if (!pkcs7 || !certs || !out) { @@ -912,10 +913,6 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, p7 = (WOLFSSL_PKCS7*)pkcs7; - /* take ownership of certs */ - p7->certs = certs; - /* TODO: takes ownership even on failure below but not on above failure. */ - if (pkcs7->certList) { WOLFSSL_MSG("wolfSSL_PKCS7_encode_certs called multiple times on same " "struct"); @@ -957,6 +954,9 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, certs = certs->next; } + /* certs are now incorporated into pkcs7; take ownership (earlier failures leave ownership with the caller). */ + p7->certs = certHead; + if (wc_PKCS7_SetSignerIdentifierType(pkcs7, DEGENERATE_SID) != 0) { WOLFSSL_MSG("wc_PKCS7_SetSignerIdentifierType error"); return WOLFSSL_FAILURE; From 00c38cd12c0c119646e2d1d41bbe61bb738edbfb Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:55:09 -0700 Subject: [PATCH 12/36] F-6712 - Guard gDrbgDefCtx lazy init/free with globalRNGMutex --- src/ssl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index f5a309552c1..b32409a7665 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16941,8 +16941,11 @@ void wolfSSL_FIPS_drbg_free(WOLFSSL_DRBG_CTX *ctx) if (ctx != NULL) { /* As safety check if free'ing the default drbg, then mark global NULL. * Technically the user should not call free on the default drbg. */ - if (ctx == gDrbgDefCtx) { - gDrbgDefCtx = NULL; + if (wc_LockMutex(&globalRNGMutex) == 0) { + if (ctx == gDrbgDefCtx) { + gDrbgDefCtx = NULL; + } + wc_UnLockMutex(&globalRNGMutex); } wolfSSL_FIPS_drbg_uninstantiate(ctx); XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL); @@ -16950,9 +16953,12 @@ void wolfSSL_FIPS_drbg_free(WOLFSSL_DRBG_CTX *ctx) } WOLFSSL_DRBG_CTX* wolfSSL_FIPS_get_default_drbg(void) { + if (wc_LockMutex(&globalRNGMutex) != 0) + return NULL; if (gDrbgDefCtx == NULL) { gDrbgDefCtx = wolfSSL_FIPS_drbg_new(0, 0); } + wc_UnLockMutex(&globalRNGMutex); return gDrbgDefCtx; } void wolfSSL_FIPS_get_timevec(unsigned char* buf, unsigned long* pctr) From fa1b6cacd999b7861b126e9458a7e85512736195 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:55:09 -0700 Subject: [PATCH 13/36] F-5625 - Cap BIO file read at MAX_WOLFSSL_FILE_SIZE --- src/ssl_misc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/ssl_misc.c b/src/ssl_misc.c index 072f2cc133e..fc7e1a4a9bf 100644 --- a/src/ssl_misc.c +++ b/src/ssl_misc.c @@ -70,6 +70,11 @@ static int wolfssl_read_bio_file(WOLFSSL_BIO* bio, char** data) /* Update total read. */ ret += sz; + /* Cap total like the direct-file path to avoid int overflow. */ + if (ret > MAX_WOLFSSL_FILE_SIZE) { + sz = BUFFER_E; + break; + } /* Calculate remaining unused memory. */ remaining = READ_BIO_FILE_CHUNK - (ret % READ_BIO_FILE_CHUNK); /* Check for space remaining. */ From eac4c97857609cb7e1180113b91a27456c32bd0f Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:57:20 -0700 Subject: [PATCH 14/36] F-6557 - Lock ticket key/expiry read against concurrent regeneration --- src/internal.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/internal.c b/src/internal.c index 4cb9a3e5eab..f40b43a01d5 100644 --- a/src/internal.c +++ b/src/internal.c @@ -42556,8 +42556,18 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], /* Update AAD with index. */ aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx; +#ifndef SINGLE_THREADED + /* Hold the lock over the key/expiry read so a concurrent regen can't swap the key mid-decrypt. */ + if (wc_LockMutex(&keyCtx->mutex) != 0) { + WOLFSSL_MSG("Couldn't lock key context mutex"); + return WOLFSSL_TICKET_RET_REJECT; + } +#endif /* Check expirary */ if (keyCtx->expirary[keyIdx] <= LowResTimer()) { +#ifndef SINGLE_THREADED + wc_UnLockMutex(&keyCtx->mutex); +#endif return WOLFSSL_TICKET_RET_REJECT; } @@ -42565,6 +42575,9 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad, aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap, 0); +#ifndef SINGLE_THREADED + wc_UnLockMutex(&keyCtx->mutex); +#endif if (ret != 0) { return WOLFSSL_TICKET_RET_REJECT; } From b6bbbfa949aff70f9812490c4cefbfe48a981fd9 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 12:58:26 -0700 Subject: [PATCH 15/36] F-5729 - Guard PKCS7 streaming content size against word32 overflow --- wolfcrypt/src/pkcs7.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 882a2af1ae2..af15d1992a8 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -6727,6 +6727,17 @@ static int wc_PKCS7_HandleOctetStrings(wc_PKCS7* pkcs7, byte* in, word32 inSz, /* grow content buffer */ contBufSz = pkcs7->stream->accumContSz; + /* Reject before the word32 add wraps and yields a tiny alloc for an oversized copy. */ + if (pkcs7->stream->expected > + WOLFSSL_PKCS7_MAX_STREAM_ALLOC - + pkcs7->stream->accumContSz) { + WOLFSSL_MSG("PKCS7 accumulated content size too large"); + if (tempBuf != NULL) { + XFREE(tempBuf, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + } + ret = BUFFER_E; + break; + } pkcs7->stream->accumContSz += pkcs7->stream->expected; pkcs7->stream->content = From b6cd139c8150ae79fa55ce51a5e225ef2b432dd7 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:00:55 -0700 Subject: [PATCH 16/36] F-6708 - Honor verify callback rejection in X509StoreVerifyCert --- src/x509_str.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/x509_str.c b/src/x509_str.c index bcef5268659..80415817c85 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -448,7 +448,7 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) if (ctx->store->verify_cb) ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? - WOLFSSL_SUCCESS : ret; + WOLFSSL_SUCCESS : -1; #endif } #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) From f53288d52bc0ef3863a402fae2c0fab69775516a Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:00:55 -0700 Subject: [PATCH 17/36] F-4154 - Zero ML-KEM key struct so unconditional free is safe --- src/tls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tls.c b/src/tls.c index da638f0bdb2..9ceb6f292f2 100644 --- a/src/tls.c +++ b/src/tls.c @@ -10089,6 +10089,11 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl, WOLFSSL_MSG("GenPqcKey memory error"); ret = MEMORY_E; } + else { + /* Zero so an unconditional wc_MlKemKey_Free is safe even if Init is + * skipped on an id2type failure. */ + XMEMSET(kem, 0, sizeof(MlKemKey)); + } if (ret == 0) { ret = mlkem_id2type(keyShareEntry->group, &type); } From bc68c89bd37fc8762c04f16ad9647609dbdb0ef2 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:02:29 -0700 Subject: [PATCH 18/36] F-4155 - Add INT_MAX guard on plainlen/aadlen in quic_aead_encrypt --- src/quic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/quic.c b/src/quic.c index caf8ab9e71b..dbb9bbe8a7d 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1348,6 +1348,10 @@ int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers * which we need to check. */ + if (plainlen > INT_MAX || aadlen > INT_MAX) { + return WOLFSSL_FAILURE; + } + if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS || wolfSSL_EVP_CipherUpdate( ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS From 772e0a6c836405cb5b6440a838377ea7af0275c6 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:02:57 -0700 Subject: [PATCH 19/36] F-5755 - Add INT_MAX guard on aadlen in quic_aead_decrypt --- src/quic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/quic.c b/src/quic.c index dbb9bbe8a7d..5fe11f63f01 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1377,7 +1377,7 @@ int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, const uint8_t* tag; /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */ - if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) { + if (enclen > INT_MAX || aadlen > INT_MAX || ctx->authTagSz > (int)enclen) { return WOLFSSL_FAILURE; } From 79ffdf3514fecf747a3a7fc29acdeb80506b161e Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:03:26 -0700 Subject: [PATCH 20/36] F-5859 - Add INT_MAX guards on secretlen/infolen in quic_hkdf_expand --- src/quic.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/quic.c b/src/quic.c index 5fe11f63f01..10a6e910af2 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1239,6 +1239,11 @@ int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand"); + if (secretlen > INT_MAX || infolen > INT_MAX) { + ret = WOLFSSL_FAILURE; + goto cleanup; + } + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; From 12955cad6725c44b7606ebb4ca9e92343884eceb Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:03:50 -0700 Subject: [PATCH 21/36] F-5860 - Add INT_MAX guards on saltlen/secretlen/infolen in quic_hkdf --- src/quic.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/quic.c b/src/quic.c index 10a6e910af2..4ff27285ed3 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1284,6 +1284,11 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf"); + if (secretlen > INT_MAX || saltlen > INT_MAX || infolen > INT_MAX) { + ret = WOLFSSL_FAILURE; + goto cleanup; + } + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; From b40a9f588bf23353bbca59ec2d1c3704099527b5 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:06:23 -0700 Subject: [PATCH 22/36] F-6523 - Read remaining length (fcur) not total (flen) in d2i_OCSP_RESPONSE_bio --- src/ocsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ocsp.c b/src/ocsp.c index 4048e7628ea..85be2e16e48 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1159,7 +1159,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, return NULL; dataAlloced = 1; - len = wolfSSL_BIO_read(bio, (char *)data, (int)flen); + len = wolfSSL_BIO_read(bio, (char *)data, (int)fcur); } #endif else From 81f8ec248d88fd4eca955a38bbfda4734493459b Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:06:23 -0700 Subject: [PATCH 23/36] F-5626 - Reject out-of-range port in wolfSSL_BIO_new_connect --- src/bio.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/bio.c b/src/bio.c index 9d94144f57f..51e18973fc0 100644 --- a/src/bio.c +++ b/src/bio.c @@ -2456,6 +2456,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) bio = wolfSSL_BIO_new(wolfSSL_BIO_s_socket()); if (bio) { const char* port; + int portVal = 0; #ifdef WOLFSSL_IPV6 const char* ipv6Start = XSTRSTR(str, "["); const char* ipv6End = XSTRSTR(str, "]"); @@ -2466,8 +2467,13 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) #endif port = XSTRSTR(str, ":"); - if (port != NULL) - bio->port = (word16)XATOI(port + 1); + if (port != NULL) { + portVal = XATOI(port + 1); + /* Reject out-of-range ports instead of truncating to word16. */ + if ((portVal < 0) || (portVal > 65535)) + portVal = 0; + bio->port = (word16)portVal; + } else port = str + XSTRLEN(str); /* point to null terminator */ From 0f86261eb1960de974f4af77a55ed780a64e50f9 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:23:45 -0700 Subject: [PATCH 24/36] F-3886 - NULL-check ssl and validate depth in wolfSSL_set_verify_depth --- src/ssl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index b32409a7665..c869d51410a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12361,7 +12361,13 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_ENTER("wolfSSL_set_verify_depth"); - ssl->options.verifyDepth = (byte)depth; + /* Reject out-of-range depths; valid range is 0 to MAX_CHAIN_DEPTH. */ + if ((ssl == NULL) || (depth < 0) || (depth > MAX_CHAIN_DEPTH)) { + WOLFSSL_MSG("Bad depth argument, too large or less than 0"); + } + else { + ssl->options.verifyDepth = (byte)depth; + } #endif } From 6ef96928ac2ff978d295777c4289902f218ddb7d Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:23:45 -0700 Subject: [PATCH 25/36] F-4149 - ForceZero MD5 CertVerify digest scratch buffer --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index f40b43a01d5..b4f9340a6d8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25234,6 +25234,8 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest) } } + ForceZero(md5_result, WC_MD5_DIGEST_SIZE); + WC_FREE_VAR_EX(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; From c9f67933b927827f5b10bb483f63d719fcaa58ad Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:23:45 -0700 Subject: [PATCH 26/36] F-4150 - ForceZero SHA CertVerify digest scratch buffer --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index b4f9340a6d8..02cd04e803f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25282,6 +25282,8 @@ static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest) } } + ForceZero(sha_result, WC_SHA_DIGEST_SIZE); + WC_FREE_VAR_EX(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; From 2b7f6a7e7a19393749a44b5ef285125e9b6d0737 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:23:45 -0700 Subject: [PATCH 27/36] F-4616 - ForceZero MD5 SSLv3 Finished digest scratch buffer --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index 02cd04e803f..9a35b3ce523 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12867,6 +12867,8 @@ static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) } } + ForceZero(md5_result, WC_MD5_DIGEST_SIZE); + WC_FREE_VAR_EX(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; From aaba9a2a5293339f9945e72bb89157efe5a17430 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:23:46 -0700 Subject: [PATCH 28/36] F-4617 - ForceZero SHA SSLv3 Finished digest scratch buffer --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index 9a35b3ce523..7114801c045 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12914,6 +12914,8 @@ static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) } } + ForceZero(sha_result, WC_SHA_DIGEST_SIZE); + WC_FREE_VAR_EX(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; From a512c7893b860e6e836b8ea82c15f8c4fb35c736 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:25:42 -0700 Subject: [PATCH 29/36] F-1839 - ForceZero entropy seed in wolfSSL_RAND_pseudo_bytes --- src/ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl.c b/src/ssl.c index c869d51410a..259b52e27ab 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16071,6 +16071,7 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) (void)hash; (void)secret; #endif + ForceZero(secret, DRBG_SEED_LEN); return ret; } From 687c9eafbfbbf8df68bc400933b9609ac64f2485 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:25:42 -0700 Subject: [PATCH 30/36] F-1842 - ForceZero assembled 3DES key in wolfSSL_DES_ede3_cbc_encrypt --- src/ssl_crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ssl_crypto.c b/src/ssl_crypto.c index 92ae36e5824..294afb1096a 100644 --- a/src/ssl_crypto.c +++ b/src/ssl_crypto.c @@ -2880,6 +2880,8 @@ void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, } } wc_Des3Free(des3); + + ForceZero(key, DES3_KEY_SIZE); } WC_FREE_VAR_EX(des3, NULL, DYNAMIC_TYPE_CIPHER); From b2aa338c6837a5cdb7cf4689cc2e34097ece0d93 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:31:44 -0700 Subject: [PATCH 31/36] F-6729 - Reject un-offered certificate type selected by peer --- src/tls.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/tls.c b/src/tls.c index 9ceb6f292f2..9ebdfaf082e 100644 --- a/src/tls.c +++ b/src/tls.c @@ -13494,6 +13494,14 @@ static int TLSX_ClientCertificateType_Parse(WOLFSSL* ssl, const byte* input, else if (msgType == server_hello || msgType == encrypted_extensions) { /* parse it in client side */ if (length == 1) { + /* Reject a server-selected type the client did not offer. */ + if (!IsCertTypeListed(*input, + ssl->options.rpkState.sending_ClientCertTypeCnt, + ssl->options.rpkState.sending_ClientCertTypes)) { + SendAlert(ssl, alert_fatal, illegal_parameter); + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; + } ssl->options.rpkState.received_ClientCertTypeCnt = 1; ssl->options.rpkState.received_ClientCertTypes[0] = *input; } @@ -13694,6 +13702,15 @@ static int TLSX_ServerCertificateType_Parse(WOLFSSL* ssl, const byte* input, if (length != 1) /* length slould be 1 */ return BUFFER_E; + /* Reject a server-selected type the client did not offer. */ + if (!IsCertTypeListed(*input, + ssl->options.rpkState.sending_ServerCertTypeCnt, + ssl->options.rpkState.sending_ServerCertTypes)) { + SendAlert(ssl, alert_fatal, illegal_parameter); + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; + } + ssl->options.rpkState.received_ServerCertTypeCnt = 1; ssl->options.rpkState.received_ServerCertTypes[0] = *input; } From e2a52abfad6e985089902ce145a9cb7ba44500f6 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 13:32:43 -0700 Subject: [PATCH 32/36] F-6303 - Bounds-check ato24 reads in sniffer ProcessCertificate --- src/sniffer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index 7f0c4322552..380121c8dbe 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4482,6 +4482,10 @@ static int ProcessCertificate(const byte* input, int* sslBytes, } #endif + if (OPAQUE24_LEN > *sslBytes) { + SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ato24(input, &certChainSz); *sslBytes -= CERT_HEADER_SZ; input += CERT_HEADER_SZ; @@ -4491,6 +4495,10 @@ static int ProcessCertificate(const byte* input, int* sslBytes, return WOLFSSL_FATAL_ERROR; } + if (OPAQUE24_LEN > *sslBytes) { + SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ato24(input, &certSz); input += OPAQUE24_LEN; if (*sslBytes < (int)certSz) { From 283834efd5a27ec88ab21e2575465f804fcb5e9a Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 14:03:58 -0700 Subject: [PATCH 33/36] F-6712 - Skip globalRNGMutex lock when unavailable during cleanup --- src/ssl.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 259b52e27ab..04afe47409c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16946,26 +16946,39 @@ int wolfSSL_FIPS_drbg_uninstantiate(WOLFSSL_DRBG_CTX *ctx) void wolfSSL_FIPS_drbg_free(WOLFSSL_DRBG_CTX *ctx) { if (ctx != NULL) { + int locked = 0; /* As safety check if free'ing the default drbg, then mark global NULL. * Technically the user should not call free on the default drbg. */ - if (wc_LockMutex(&globalRNGMutex) == 0) { - if (ctx == gDrbgDefCtx) { - gDrbgDefCtx = NULL; - } - wc_UnLockMutex(&globalRNGMutex); + #ifndef WOLFSSL_MUTEX_INITIALIZER + /* wolfSSL_Cleanup may free the mutex before this runs. */ + if ((globalRNGMutex_valid == 1) && (wc_LockMutex(&globalRNGMutex) == 0)) + #else + if (wc_LockMutex(&globalRNGMutex) == 0) + #endif + locked = 1; + if (ctx == gDrbgDefCtx) { + gDrbgDefCtx = NULL; } + if (locked) + wc_UnLockMutex(&globalRNGMutex); wolfSSL_FIPS_drbg_uninstantiate(ctx); XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL); } } WOLFSSL_DRBG_CTX* wolfSSL_FIPS_get_default_drbg(void) { - if (wc_LockMutex(&globalRNGMutex) != 0) - return NULL; + int locked = 0; +#ifndef WOLFSSL_MUTEX_INITIALIZER + if ((globalRNGMutex_valid == 1) && (wc_LockMutex(&globalRNGMutex) == 0)) +#else + if (wc_LockMutex(&globalRNGMutex) == 0) +#endif + locked = 1; if (gDrbgDefCtx == NULL) { gDrbgDefCtx = wolfSSL_FIPS_drbg_new(0, 0); } - wc_UnLockMutex(&globalRNGMutex); + if (locked) + wc_UnLockMutex(&globalRNGMutex); return gDrbgDefCtx; } void wolfSSL_FIPS_get_timevec(unsigned char* buf, unsigned long* pctr) From b7ca35357f78800ec1a293d1dbb13f1a401bc28b Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 14:22:53 -0700 Subject: [PATCH 34/36] F-6559 - Gate critical policyConstraints test to strict-ASN builds --- tests/api/test_certman.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c index 18b01a6119c..e9c2feaba02 100644 --- a/tests/api/test_certman.c +++ b/tests/api/test_certman.c @@ -2869,7 +2869,7 @@ int test_wolfSSL_CRL_critical_idp(void) int test_wolfSSL_cert_critical_policy_constraints(void) { EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_RSA) +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(WOLFSSL_NO_ASN_STRICT) /* Critical policyConstraints is parsed but never enforced, so RFC 5280 Sec 4.2 requires rejecting the cert rather than silently accepting it. */ static const unsigned char cert_crit_policy[] = { 0x30, 0x82, 0x03, 0x38, 0x30, 0x82, 0x02, 0x20, 0xa0, 0x03, 0x02, From a5c250817b174076dd80fd2504ba74df911c165c Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 14:41:12 -0700 Subject: [PATCH 35/36] F-6559 - Backdate policyConstraints test cert so only critical-ext rejection fails it --- tests/api/test_certman.c | 60 ++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c index e9c2feaba02..f8c13f4a2d9 100644 --- a/tests/api/test_certman.c +++ b/tests/api/test_certman.c @@ -2873,16 +2873,16 @@ int test_wolfSSL_cert_critical_policy_constraints(void) /* Critical policyConstraints is parsed but never enforced, so RFC 5280 Sec 4.2 requires rejecting the cert rather than silently accepting it. */ static const unsigned char cert_crit_policy[] = { 0x30, 0x82, 0x03, 0x38, 0x30, 0x82, 0x02, 0x20, 0xa0, 0x03, 0x02, - 0x01, 0x02, 0x02, 0x14, 0x66, 0xab, 0x3b, 0x5f, 0x2a, 0xe6, 0xda, - 0xf6, 0x8b, 0x6a, 0x7b, 0x6c, 0x7e, 0x05, 0xcc, 0x2e, 0x94, 0x47, - 0xf7, 0x58, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x01, 0x02, 0x02, 0x14, 0x39, 0xd1, 0x63, 0xf8, 0xb6, 0x8f, 0x51, + 0xc0, 0x2c, 0xef, 0x38, 0x87, 0x6d, 0x40, 0x1c, 0x2c, 0xc0, 0xcd, + 0xa1, 0x9a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x23, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, 0x73, 0x74, 0x30, - 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x37, 0x31, 0x30, 0x31, 0x39, - 0x30, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x37, - 0x30, 0x37, 0x31, 0x39, 0x30, 0x35, 0x35, 0x38, 0x5a, 0x30, 0x23, + 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x34, 0x30, 0x30, 0x31, + 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x23, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, @@ -2924,30 +2924,30 @@ int test_wolfSSL_cert_critical_policy_constraints(void) 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x99, 0xcd, 0x9d, 0x93, 0x7e, 0xbc, 0xe7, 0x50, 0x2c, 0xfe, 0xb6, - 0x0e, 0x13, 0x13, 0xaa, 0x42, 0x31, 0x87, 0x6d, 0xcc, 0x13, 0xaf, - 0x25, 0x17, 0x25, 0x4f, 0xa7, 0x9b, 0xed, 0x77, 0x36, 0xe7, 0x32, - 0x59, 0x9a, 0xe0, 0x77, 0xdf, 0x0a, 0x3e, 0xb1, 0x38, 0x23, 0x84, - 0x29, 0x06, 0x13, 0xd9, 0x41, 0xca, 0xd7, 0xf0, 0x1d, 0x6e, 0x3f, - 0xae, 0x04, 0x4c, 0x90, 0xed, 0x7e, 0xd9, 0x95, 0xf3, 0x22, 0xa7, - 0x95, 0x10, 0x44, 0x1d, 0x8f, 0xe7, 0xaa, 0x17, 0xe8, 0x42, 0x78, - 0x1c, 0x03, 0xfb, 0xa8, 0xc4, 0x46, 0x39, 0x27, 0xcc, 0x32, 0x23, - 0x6e, 0x0d, 0xd1, 0xf0, 0x9d, 0x46, 0x7c, 0x92, 0xab, 0x00, 0x76, - 0x49, 0x77, 0x03, 0xb6, 0x3c, 0x98, 0xaa, 0xf4, 0xd4, 0x29, 0x8e, - 0x31, 0x67, 0x1c, 0x08, 0xa3, 0x39, 0x55, 0x32, 0xc3, 0xcf, 0x34, - 0x5b, 0xbb, 0xcd, 0x98, 0x54, 0xf9, 0x1a, 0x82, 0xc4, 0x45, 0x26, - 0x27, 0xaf, 0xdf, 0x71, 0x08, 0x57, 0x92, 0x32, 0x8d, 0xc2, 0xfd, - 0x57, 0x35, 0x4c, 0x1e, 0xb5, 0x9e, 0xc6, 0x69, 0x1f, 0xe7, 0x7c, - 0xc8, 0x6b, 0xd5, 0x00, 0x55, 0x77, 0x44, 0x67, 0x46, 0x68, 0xc2, - 0xa9, 0x8d, 0x0d, 0xf7, 0x1d, 0x2c, 0x33, 0xac, 0x08, 0xa4, 0x0d, - 0xa8, 0x62, 0xc2, 0xe3, 0xd7, 0x6f, 0x70, 0x43, 0xae, 0x2b, 0x23, - 0xfb, 0x44, 0x0d, 0x42, 0xf5, 0xe7, 0x31, 0x93, 0x62, 0x5e, 0x6b, - 0x7b, 0x00, 0x95, 0x71, 0xd2, 0x30, 0xad, 0x94, 0x38, 0xe0, 0x50, - 0x5e, 0x73, 0xfb, 0x3d, 0x67, 0x1c, 0x73, 0x93, 0x1b, 0x3b, 0x4e, - 0xcd, 0xd1, 0x99, 0x93, 0xf9, 0x36, 0x56, 0x3d, 0xca, 0x02, 0xd0, - 0x9e, 0xe5, 0x89, 0x5d, 0x5e, 0xdf, 0x51, 0x7a, 0x6f, 0xc7, 0xb2, - 0xe6, 0x79, 0x94, 0xec, 0x24, 0x45, 0x91, 0x61, 0x63, 0xbf, 0x51, - 0x5f, 0xc7, 0x44 + 0x25, 0xb6, 0xa5, 0xb5, 0xbd, 0xa3, 0x8e, 0xcf, 0x06, 0x09, 0x67, + 0x28, 0x03, 0xf4, 0x6e, 0x6d, 0xa9, 0x4a, 0xe4, 0xac, 0x2e, 0xda, + 0xdb, 0x98, 0x38, 0x50, 0x5b, 0xdf, 0xc6, 0x17, 0xc7, 0x1c, 0xea, + 0x05, 0xd8, 0xea, 0xf4, 0x84, 0x41, 0x21, 0xc1, 0x3c, 0x59, 0x4e, + 0xa3, 0x6e, 0x82, 0xa8, 0xda, 0x28, 0x81, 0x29, 0x02, 0x74, 0x75, + 0x56, 0xf2, 0xd3, 0x70, 0x3f, 0x24, 0x21, 0x08, 0x73, 0xe9, 0xb2, + 0x15, 0xc8, 0x30, 0x8c, 0x3b, 0xbe, 0x2a, 0x1c, 0x64, 0xfc, 0xb8, + 0x9d, 0x9d, 0xa4, 0xf7, 0xda, 0x05, 0x93, 0x6c, 0x1c, 0xaf, 0xa8, + 0xd3, 0xef, 0x0f, 0x9a, 0x52, 0x84, 0xce, 0x03, 0xbb, 0x06, 0x64, + 0x8e, 0xa2, 0x70, 0x5e, 0x03, 0xb8, 0xa0, 0xe4, 0x58, 0x84, 0x1b, + 0xf9, 0xa9, 0xfd, 0x9c, 0xc8, 0xf1, 0x8c, 0x98, 0x0d, 0x22, 0x3d, + 0x54, 0x80, 0xb2, 0x12, 0xf9, 0xba, 0xa7, 0xfa, 0xcc, 0x77, 0x48, + 0xe3, 0xe9, 0x46, 0x54, 0x49, 0xd4, 0x9c, 0x60, 0x53, 0x02, 0x4c, + 0x6b, 0x0a, 0x73, 0xe5, 0x16, 0x0f, 0xea, 0xa2, 0xed, 0xbb, 0xab, + 0xce, 0xbe, 0x29, 0x45, 0xff, 0xc1, 0xcf, 0x4e, 0x4a, 0x25, 0x8b, + 0xc8, 0x32, 0x50, 0x62, 0x6a, 0x4a, 0x4c, 0x1a, 0xbc, 0xc4, 0xf4, + 0x66, 0xf2, 0x19, 0x57, 0x4f, 0x5c, 0x7a, 0xab, 0xe0, 0x79, 0x19, + 0xeb, 0x9d, 0xc3, 0x56, 0xfa, 0x99, 0xf5, 0xb0, 0x5c, 0xe3, 0x92, + 0xa4, 0x8a, 0x7c, 0x42, 0xcf, 0xd8, 0x25, 0x80, 0x47, 0x8d, 0x83, + 0x3e, 0xd7, 0xef, 0x60, 0x1c, 0xfd, 0xe0, 0xd1, 0x2d, 0x04, 0xbf, + 0xe7, 0x3d, 0x1d, 0xb2, 0xda, 0xfd, 0x4c, 0x7f, 0x20, 0x73, 0xa7, + 0x7a, 0xd1, 0xf2, 0x43, 0x64, 0x22, 0x9d, 0x7e, 0x2b, 0x7a, 0xeb, + 0xe6, 0xcd, 0xea, 0x57, 0xea, 0xe1, 0x86, 0x78, 0xcf, 0x09, 0x4d, + 0x90, 0xb9, 0x62 }; WOLFSSL_CERT_MANAGER* cm = NULL; From 9d194306f3c7d073cf146e365c92f6f2ad010ee3 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Fri, 10 Jul 2026 15:13:25 -0700 Subject: [PATCH 36/36] F-6708 - Make verify callback rejection terminal to prevent second-pass override --- src/x509_str.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index 80415817c85..3ee233165da 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -446,9 +446,15 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) #endif SetupStoreCtxError(ctx, ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - if (ctx->store->verify_cb) - ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? - WOLFSSL_SUCCESS : -1; + if (ctx->store->verify_cb) { + if (ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1) { + ret = WOLFSSL_SUCCESS; + } + else { + /* Callback rejection is terminal; don't let a later pass override it. */ + return -1; + } + } #endif } #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL)