Commit Graph

27715 Commits

Author SHA1 Message Date
Andrew Hutchings 060a2b3395 Fix DTLS 1.3 unified header fixed bits mask
DTLS13_FIXED_BITS_MASK used 0x111 (hex 273) instead of 0x7 (decimal 7,
binary 111). Per RFC 9147 Section 4, the top 3 bits of the unified
header flags byte must be 001. The incorrect hex value caused the mask
to only check bit 5 instead of bits 5, 6, and 7, allowing bytes with
bits 6 or 7 set to be misidentified as unified DTLS 1.3 headers.
2026-02-17 10:39:41 +00:00
Andrew Hutchings 00de3f3918 Use XMEMSET instead of memset in QUIC 2026-02-17 10:36:47 +00:00
Andrew Hutchings f31ed0d0cd Fix logic bug in TLSX_TCA_Find causing incorrect Trusted CA matching
The while loop conditions in TLSX_TCA_Find were inverted, causing two
bugs: the loop short-circuited on type match alone without checking the
id content, and the XMEMCMP sense was reversed (continuing on match,
stopping on mismatch). This meant any TCA entry with a matching type
would be returned as a match regardless of whether the identifier
actually matched.

Restructure the loop to correctly require both type and id (size +
content) to match before returning an entry, and to match any entry
immediately for PRE_AGREED type.

Add test_TLSX_TCA_Find unit test exercising exact match, mismatched id,
and PRE_AGREED cases via memio handshake.
2026-02-17 10:35:54 +00:00
David Garske d81bb7234a Merge pull request #9778 from LinuxJedi/exp-fixes
Fixes to big-endian bugs found in Curve448 and Blake2S
2026-02-16 14:30:47 -08:00
Chris Conlon 36a28ac08c Merge pull request #9713 from padelsbach/crl-generation-cert-updates
Add cert/CRL capabilities: skid, akid, dist point, netscape
2026-02-16 15:29:18 -07:00
David Garske cf4bf83ab2 Merge pull request #9762 from rizlik/bench_ed25519_use_devid
wolfcrypt: benchmark: use WC_USE_DEVID to benchmark ed25519 if defined
2026-02-16 13:49:53 -08:00
David Garske db82c3ef59 Merge pull request #9777 from Pushyanth-Infineon/fix_TLSX_IsGroupSupported_switch_case_handling
Fix switch case handling in TLSX_IsGroupSupported function
2026-02-16 13:13:46 -08:00
David Garske be9f3853fa Merge pull request #9764 from lealem47/wolfEntropy_arm32
wolfEntropy: Add ARM Generic Timer virtual counter as time src
2026-02-16 13:00:26 -08:00
David Garske 2111249508 Merge pull request #9759 from gasbytes/test_wolfSSL_d2i_SSL_SESSION
add test for session deserialization input validation
2026-02-16 12:35:58 -08:00
David Garske 10ca06cebe Merge pull request #9769 from anhu/midbox
Middle box compatibility compliance.
2026-02-16 12:27:07 -08:00
David Garske 1b05b26604 Merge pull request #9779 from LinuxJedi/src-fixes
Fix issues found during src/ code review
2026-02-16 10:45:40 -08:00
Andrew Hutchings 8b44b00317 Fix issues found during src/ code review
- ECH: add bounds check on hpkePubkeyLen against HPKE_Npk_MAX to
  prevent heap buffer overflow from untrusted ECH config data

- Sniffer: fix reassembly memory limit check typo, MaxRecoveryMemory -1
  should be MaxRecoveryMemory != -1

- Sniffer: add bounds check in IPv6 extension header parsing loop to
  prevent OOB read when next_header never matches TCP or NO_NEXT_HEADER

- Sniffer: validate tlsFragOffset + rhSize against tlsFragSize before
  XMEMCPY in both TLS handshake fragment reassembly paths

- Internal: use WC_SAFE_SUM_WORD32 in GrowAnOutputBuffer to prevent
  integer overflow on allocation size, matching existing pattern in
  GrowOutputBuffer
2026-02-16 17:27:10 +00:00
Andrew Hutchings 451cb45670 Fix Blake2s overlapping writes
We are copying from a 32bit buffer, so are overlapping writes. This
could cause damage the hash on big-endian platforms.
2026-02-16 16:08:27 +00:00
Andrew Hutchings 180c66ba70 Fix curve448
`wc_curve448_check_public` can get into an infinite loop in the
big-endian code path.
2026-02-16 15:56:41 +00:00
Sean Parkinson 4fe05d7fe0 Merge pull request #9771 from padelsbach/pk-ec-fix-null-check
Fix null check in ECDSA encode
2026-02-16 22:07:29 +10:00
Pushyanth Kamatham 33c14ead5c Fix switch case handling in TLSX_IsGroupSupported function 2026-02-16 15:59:34 +05:30
Daniel Pouzzner 2c0c28d999 Merge pull request #9770 from padelsbach/sort-known-macros
Fix sorting in .wolfssl_known_macro_extras
2026-02-14 11:17:45 -06:00
Paul Adelsbach aafc876759 Add cert/CRL capabilities: skid, akid, dist point, netscape 2026-02-13 20:35:44 -08:00
Daniel Pouzzner 1c92c74116 Merge pull request #9631 from padelsbach/crl-generation
Add CRL generation code
2026-02-13 21:59:52 -06:00
Paul Adelsbach 70fa2c4e2a Fix null check in ECDSA encode 2026-02-13 12:07:19 -08:00
Paul Adelsbach b5380cf1b4 Fix sorting in .wolfssl_known_macro_extras 2026-02-13 10:59:00 -08:00
Paul Adelsbach 81ae472e50 Add CRL generation code 2026-02-13 10:54:47 -08:00
Daniel Pouzzner c4131659cc Merge pull request #9767 from SparkiDev/sp_thumb2_mont_sub_reg_fix
Thumb2 SP ASM: mont_sub fix
2026-02-13 11:35:36 -06:00
David Garske 16ba668ebe Merge pull request #9632 from jackctj117/CSR-signing
Add wc_SignCert_cb API for external signing callbacks
2026-02-13 09:07:37 -08:00
Anthony Hu c3c9acc5bf Middle box compatibility compliance. 2026-02-13 10:28:12 -05:00
Sean Parkinson e48c867f6f Thumb2 SP ASM: mont_sub fix
Always use all the parameters and always use the parameter name and not
the assumed register.
2026-02-13 11:49:21 +10:00
Lealem Amedie d9b934323a Check if _POSIX_C_SOURCE is defined 2026-02-12 18:13:29 -07:00
Lealem Amedie 17287cd595 wolfEntropy: Add ARM Generic Timer virtual counter as time src 2026-02-12 18:13:29 -07:00
Daniel Pouzzner 1c77414798 Merge pull request #9766 from padelsbach/libssh2-docker-fix
Fix libssh2 workflow with Docker 29
2026-02-12 18:02:46 -06:00
Paul Adelsbach f0222c36a5 Experimental: fix libssh2 workflow with Docker 29 2026-02-12 14:40:05 -08:00
David Garske 49ed1fa21f Merge pull request #9684 from SparkiDev/ecc_import_pub_check_fix
ECC: import point, always do some checks
2026-02-11 21:53:03 -08:00
David Garske 1b0b4b1444 Merge pull request #9756 from SparkiDev/arm_asm_fixes_1
ARM assembly fixes
2026-02-11 21:51:51 -08:00
Sean Parkinson 29835c2281 Merge pull request #9755 from julek-wolfssl/fix-script-checks
Fix compilation checks in test scripts
2026-02-12 08:02:52 +10:00
Sean Parkinson 2f53add6a5 Merge pull request #9758 from LinuxJedi/lxj-fixes
Minor fixes to EVP and PKCS12 code
2026-02-12 08:01:28 +10:00
Sean Parkinson 1847c6e778 Merge pull request #9721 from dgarske/x25519_nb
Add X25519 non-blocking support and async example improvements
2026-02-12 07:56:58 +10:00
Sean Parkinson cb169ca64c Merge pull request #9763 from LinuxJedi/no-fips-selftest
Don't allow `--enable-selftest` with empty file
2026-02-12 07:53:06 +10:00
Andrew Hutchings 0a1c40b365 Don't allow --enable-selftest with empty file
It probably won't compile anyway.
2026-02-11 15:32:45 +00:00
Marco Oliverio b767d8218a wolfcrypt: benchmark: use WC_USE_DEVID to benchmark ed25519 if defined 2026-02-11 15:25:28 +01:00
Sean Parkinson 2ef096a21b Merge pull request #9754 from julek-wolfssl/zd/21171
Add check for KS in SH
2026-02-11 09:11:05 +10:00
David Garske bc12b7563f Peer review improvements 2026-02-10 14:51:51 -08:00
Reda Chouk 86212fd33f add test for session deserialization input validation 2026-02-10 20:37:02 +01:00
Andrew Hutchings 33abaca065 Fix test for AESGC_STREAM 2026-02-10 18:06:47 +00:00
Andrew Hutchings 54e8e80e81 Added integer overflow protection to PKCS12
PKCS12_ConcatenateContent() could overflow.
2026-02-10 15:53:29 +00:00
Andrew Hutchings 6b4fd431da Fix leak in PKCS12 error path 2026-02-10 15:47:10 +00:00
Andrew Hutchings a8d844003e Fix potential buffer overflow in EVP
It is potentially possible on a 32bit system to get realloc to overflow
with several of the EVP functions.
2026-02-10 14:49:20 +00:00
Juliusz Sosinowicz 5f755f6bd5 Fix compilation checks in test scripts
Correct the logic for checking if the client and server examples are compiled
in the test scripts. The previous logic was inverted, causing the tests to
always skip if the examples *were* compiled.
2026-02-10 13:14:55 +01:00
Juliusz Sosinowicz f810dc2a01 Add check for KeyShare in ServerHello
Fixes ZD21171
2026-02-10 12:39:27 +01:00
Sean Parkinson 7245ad02bb Merge pull request #9748 from gasbytes/wolfSSL_d2i_SSL_SESSION-fix
add missing checks in wolfSSL_d2i_SSL_SESSION
2026-02-10 21:22:16 +10:00
Sean Parkinson bf86450c01 Merge pull request #9749 from holtrop-wolfssl/rust-wolfssl-wolfcrypt-crate-1.1.0
Rust wrapper: update wolfssl-wolfcrypt crate to v1.1.0
2026-02-10 21:21:15 +10:00
Sean Parkinson 5bb39eb5c4 Merge pull request #9617 from julek-wolfssl/ada-testing
Ada Bindings and CI Improvements
2026-02-10 21:20:32 +10:00