Andrew Hutchings
060a2b3395
Fix DTLS 1.3 unified header fixed bits mask
...
DTLS13_FIXED_BITS_MASK used 0x111 (hex 273) instead of 0x7 (decimal 7,
binary 111). Per RFC 9147 Section 4, the top 3 bits of the unified
header flags byte must be 001. The incorrect hex value caused the mask
to only check bit 5 instead of bits 5, 6, and 7, allowing bytes with
bits 6 or 7 set to be misidentified as unified DTLS 1.3 headers.
2026-02-17 10:39:41 +00:00
Andrew Hutchings
00de3f3918
Use XMEMSET instead of memset in QUIC
2026-02-17 10:36:47 +00:00
Andrew Hutchings
f31ed0d0cd
Fix logic bug in TLSX_TCA_Find causing incorrect Trusted CA matching
...
The while loop conditions in TLSX_TCA_Find were inverted, causing two
bugs: the loop short-circuited on type match alone without checking the
id content, and the XMEMCMP sense was reversed (continuing on match,
stopping on mismatch). This meant any TCA entry with a matching type
would be returned as a match regardless of whether the identifier
actually matched.
Restructure the loop to correctly require both type and id (size +
content) to match before returning an entry, and to match any entry
immediately for PRE_AGREED type.
Add test_TLSX_TCA_Find unit test exercising exact match, mismatched id,
and PRE_AGREED cases via memio handshake.
2026-02-17 10:35:54 +00:00
David Garske
d81bb7234a
Merge pull request #9778 from LinuxJedi/exp-fixes
...
Fixes to big-endian bugs found in Curve448 and Blake2S
2026-02-16 14:30:47 -08:00
Chris Conlon
36a28ac08c
Merge pull request #9713 from padelsbach/crl-generation-cert-updates
...
Add cert/CRL capabilities: skid, akid, dist point, netscape
2026-02-16 15:29:18 -07:00
David Garske
cf4bf83ab2
Merge pull request #9762 from rizlik/bench_ed25519_use_devid
...
wolfcrypt: benchmark: use WC_USE_DEVID to benchmark ed25519 if defined
2026-02-16 13:49:53 -08:00
David Garske
db82c3ef59
Merge pull request #9777 from Pushyanth-Infineon/fix_TLSX_IsGroupSupported_switch_case_handling
...
Fix switch case handling in TLSX_IsGroupSupported function
2026-02-16 13:13:46 -08:00
David Garske
be9f3853fa
Merge pull request #9764 from lealem47/wolfEntropy_arm32
...
wolfEntropy: Add ARM Generic Timer virtual counter as time src
2026-02-16 13:00:26 -08:00
David Garske
2111249508
Merge pull request #9759 from gasbytes/test_wolfSSL_d2i_SSL_SESSION
...
add test for session deserialization input validation
2026-02-16 12:35:58 -08:00
David Garske
10ca06cebe
Merge pull request #9769 from anhu/midbox
...
Middle box compatibility compliance.
2026-02-16 12:27:07 -08:00
David Garske
1b05b26604
Merge pull request #9779 from LinuxJedi/src-fixes
...
Fix issues found during src/ code review
2026-02-16 10:45:40 -08:00
Andrew Hutchings
8b44b00317
Fix issues found during src/ code review
...
- ECH: add bounds check on hpkePubkeyLen against HPKE_Npk_MAX to
prevent heap buffer overflow from untrusted ECH config data
- Sniffer: fix reassembly memory limit check typo, MaxRecoveryMemory -1
should be MaxRecoveryMemory != -1
- Sniffer: add bounds check in IPv6 extension header parsing loop to
prevent OOB read when next_header never matches TCP or NO_NEXT_HEADER
- Sniffer: validate tlsFragOffset + rhSize against tlsFragSize before
XMEMCPY in both TLS handshake fragment reassembly paths
- Internal: use WC_SAFE_SUM_WORD32 in GrowAnOutputBuffer to prevent
integer overflow on allocation size, matching existing pattern in
GrowOutputBuffer
2026-02-16 17:27:10 +00:00
Andrew Hutchings
451cb45670
Fix Blake2s overlapping writes
...
We are copying from a 32bit buffer, so are overlapping writes. This
could cause damage the hash on big-endian platforms.
2026-02-16 16:08:27 +00:00
Andrew Hutchings
180c66ba70
Fix curve448
...
`wc_curve448_check_public` can get into an infinite loop in the
big-endian code path.
2026-02-16 15:56:41 +00:00
Sean Parkinson
4fe05d7fe0
Merge pull request #9771 from padelsbach/pk-ec-fix-null-check
...
Fix null check in ECDSA encode
2026-02-16 22:07:29 +10:00
Pushyanth Kamatham
33c14ead5c
Fix switch case handling in TLSX_IsGroupSupported function
2026-02-16 15:59:34 +05:30
Daniel Pouzzner
2c0c28d999
Merge pull request #9770 from padelsbach/sort-known-macros
...
Fix sorting in .wolfssl_known_macro_extras
2026-02-14 11:17:45 -06:00
Paul Adelsbach
aafc876759
Add cert/CRL capabilities: skid, akid, dist point, netscape
2026-02-13 20:35:44 -08:00
Daniel Pouzzner
1c92c74116
Merge pull request #9631 from padelsbach/crl-generation
...
Add CRL generation code
2026-02-13 21:59:52 -06:00
Paul Adelsbach
70fa2c4e2a
Fix null check in ECDSA encode
2026-02-13 12:07:19 -08:00
Paul Adelsbach
b5380cf1b4
Fix sorting in .wolfssl_known_macro_extras
2026-02-13 10:59:00 -08:00
Paul Adelsbach
81ae472e50
Add CRL generation code
2026-02-13 10:54:47 -08:00
Daniel Pouzzner
c4131659cc
Merge pull request #9767 from SparkiDev/sp_thumb2_mont_sub_reg_fix
...
Thumb2 SP ASM: mont_sub fix
2026-02-13 11:35:36 -06:00
David Garske
16ba668ebe
Merge pull request #9632 from jackctj117/CSR-signing
...
Add wc_SignCert_cb API for external signing callbacks
2026-02-13 09:07:37 -08:00
Anthony Hu
c3c9acc5bf
Middle box compatibility compliance.
2026-02-13 10:28:12 -05:00
Sean Parkinson
e48c867f6f
Thumb2 SP ASM: mont_sub fix
...
Always use all the parameters and always use the parameter name and not
the assumed register.
2026-02-13 11:49:21 +10:00
Lealem Amedie
d9b934323a
Check if _POSIX_C_SOURCE is defined
2026-02-12 18:13:29 -07:00
Lealem Amedie
17287cd595
wolfEntropy: Add ARM Generic Timer virtual counter as time src
2026-02-12 18:13:29 -07:00
Daniel Pouzzner
1c77414798
Merge pull request #9766 from padelsbach/libssh2-docker-fix
...
Fix libssh2 workflow with Docker 29
2026-02-12 18:02:46 -06:00
Paul Adelsbach
f0222c36a5
Experimental: fix libssh2 workflow with Docker 29
2026-02-12 14:40:05 -08:00
David Garske
49ed1fa21f
Merge pull request #9684 from SparkiDev/ecc_import_pub_check_fix
...
ECC: import point, always do some checks
2026-02-11 21:53:03 -08:00
David Garske
1b0b4b1444
Merge pull request #9756 from SparkiDev/arm_asm_fixes_1
...
ARM assembly fixes
2026-02-11 21:51:51 -08:00
Sean Parkinson
29835c2281
Merge pull request #9755 from julek-wolfssl/fix-script-checks
...
Fix compilation checks in test scripts
2026-02-12 08:02:52 +10:00
Sean Parkinson
2f53add6a5
Merge pull request #9758 from LinuxJedi/lxj-fixes
...
Minor fixes to EVP and PKCS12 code
2026-02-12 08:01:28 +10:00
Sean Parkinson
1847c6e778
Merge pull request #9721 from dgarske/x25519_nb
...
Add X25519 non-blocking support and async example improvements
2026-02-12 07:56:58 +10:00
Sean Parkinson
cb169ca64c
Merge pull request #9763 from LinuxJedi/no-fips-selftest
...
Don't allow `--enable-selftest` with empty file
2026-02-12 07:53:06 +10:00
Andrew Hutchings
0a1c40b365
Don't allow --enable-selftest with empty file
...
It probably won't compile anyway.
2026-02-11 15:32:45 +00:00
Marco Oliverio
b767d8218a
wolfcrypt: benchmark: use WC_USE_DEVID to benchmark ed25519 if defined
2026-02-11 15:25:28 +01:00
Sean Parkinson
2ef096a21b
Merge pull request #9754 from julek-wolfssl/zd/21171
...
Add check for KS in SH
2026-02-11 09:11:05 +10:00
David Garske
bc12b7563f
Peer review improvements
2026-02-10 14:51:51 -08:00
Reda Chouk
86212fd33f
add test for session deserialization input validation
2026-02-10 20:37:02 +01:00
Andrew Hutchings
33abaca065
Fix test for AESGC_STREAM
2026-02-10 18:06:47 +00:00
Andrew Hutchings
54e8e80e81
Added integer overflow protection to PKCS12
...
PKCS12_ConcatenateContent() could overflow.
2026-02-10 15:53:29 +00:00
Andrew Hutchings
6b4fd431da
Fix leak in PKCS12 error path
2026-02-10 15:47:10 +00:00
Andrew Hutchings
a8d844003e
Fix potential buffer overflow in EVP
...
It is potentially possible on a 32bit system to get realloc to overflow
with several of the EVP functions.
2026-02-10 14:49:20 +00:00
Juliusz Sosinowicz
5f755f6bd5
Fix compilation checks in test scripts
...
Correct the logic for checking if the client and server examples are compiled
in the test scripts. The previous logic was inverted, causing the tests to
always skip if the examples *were* compiled.
2026-02-10 13:14:55 +01:00
Juliusz Sosinowicz
f810dc2a01
Add check for KeyShare in ServerHello
...
Fixes ZD21171
2026-02-10 12:39:27 +01:00
Sean Parkinson
7245ad02bb
Merge pull request #9748 from gasbytes/wolfSSL_d2i_SSL_SESSION-fix
...
add missing checks in wolfSSL_d2i_SSL_SESSION
2026-02-10 21:22:16 +10:00
Sean Parkinson
bf86450c01
Merge pull request #9749 from holtrop-wolfssl/rust-wolfssl-wolfcrypt-crate-1.1.0
...
Rust wrapper: update wolfssl-wolfcrypt crate to v1.1.0
2026-02-10 21:21:15 +10:00
Sean Parkinson
5bb39eb5c4
Merge pull request #9617 from julek-wolfssl/ada-testing
...
Ada Bindings and CI Improvements
2026-02-10 21:20:32 +10:00