Commit Graph

4068 Commits

Author SHA1 Message Date
David Garske 7d77446964 Merge pull request #8882 from rizlik/dtls13_always_transmit_explicit_ack
dtls13: always send ACKs on detected retransmission
2025-06-17 11:35:07 -07:00
Kareem 7e4ec84124 Add macros for legacy get_digit functions for FIPS/selftest. 2025-06-17 10:12:06 -07:00
Kareem 9c9465aa23 Also account for selftest for mp_get_digit refactor. 2025-06-17 10:12:06 -07:00
Kareem 05aa4f5f08 Make mp_get_digit refactor FIPS friendly. 2025-06-17 10:12:06 -07:00
Kareem e8c110d2ac Rename get_digit* to mp_get_digit* to avoid conflicts with other functions named get_digit. 2025-06-17 10:12:06 -07:00
Josh Holtrop 3bd9b2e0bc Add generation instructions for empty issuer cert and change expiry to 100 years 2025-06-16 11:39:01 -04:00
Marco Oliverio b1b49c9ffb dtls13: always send ACKs on detected retransmission
Otherwise the connection can stall due the indefinite delay of an explicit ACK,
for exapmle:

 -> client sends the last Finished message
<- server sends the ACK, but the ACK is lost
 -> client rentrasmit the Finished message
 - server delay sending of the ACK until a fast timeout
 -> client rentrasmit the Finished message quicker than the server timeout
 - server resets the timeout, delaying sending the ACK
 -> client rentrasmit the Finished...
2025-06-16 14:19:32 +02:00
Marco Oliverio 509491f554 dtls13: wolfSSL_is_init_finished true after last server ACK
Do not consider the handshake finished until the last server ACK.
This way the application knows where to switch from
wolfSSL_negotiate/wolfSSL_connect to wolfSSL_read/wolfSSL_write.
2025-06-16 14:19:31 +02:00
Josh Holtrop 8bde5e6982 Fix printing empty names in certificates
The empty-issuer-cert.pem certificate was created with:

    wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
    wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509

Prior to this fix this command would error printing the certificate:

    wolfssl x509 -inform pem -in empty-issuer-cert.pem -text
2025-06-13 11:22:52 -04:00
David Garske 2fc1110a13 Merge pull request #8587 from lealem47/gh8574
Fix bug in ParseCRL_Extensions
2025-06-12 12:09:52 -07:00
David Garske 701e3ba64e Merge pull request #8808 from rlm2002/coverity
Coverity: api.c fix
2025-06-12 12:03:14 -07:00
David Garske 6571f42cb9 Merge pull request #8867 from JacobBarthelmeh/rng
Improvements to RNG and compatibility layer
2025-06-11 14:31:53 -07:00
JacobBarthelmeh 8ee1f8f287 add macro guard on test case 2025-06-11 10:43:47 -06:00
JacobBarthelmeh 47cf634965 add a way to restore previous pid behavior 2025-06-10 16:12:09 -06:00
JacobBarthelmeh 4207affc72 adding additional RAND test cases 2025-06-10 16:01:52 -06:00
Ruby Martin d0134f2212 coverity: address reuse after free, add NULL checks 2025-06-10 15:33:47 -06:00
Ruby Martin a7a5062c7a add api test for checking domain name
use SNI example.com in client ssl
2025-06-10 15:22:01 -06:00
JacobBarthelmeh eb3c324ea4 Merge pull request #8852 from holtrop/reseed-drbg-in-rand-poll-test
Add additional compatibility layer RAND tests
2025-06-10 10:20:46 -06:00
JacobBarthelmeh 94f5948f20 Merge pull request #8858 from rizlik/dtls13_set_epoch_fix
dtls13: move Dtls13NewEpoch into DeriveTls13Keys
2025-06-10 09:48:58 -06:00
Sean Parkinson cb90b78688 ML-DSA: fix tests for different configs
Setting the private key into SSL object requires signing to be
available.
Only enable the parameters that are compiled in.
2025-06-10 20:44:27 +10:00
Josh Holtrop 1c6e3d729a Check that fork() returns >= 0 in RAND_poll fork test 2025-06-10 06:23:06 -04:00
JacobBarthelmeh 106bcb22d3 Merge pull request #8860 from LinuxJedi/tls13-trusted-ca
Allow `trusted_ca_keys` with TLSv1.3
2025-06-09 17:43:44 -06:00
Josh Holtrop 133e238359 Wait on child process in RAND_poll fork test 2025-06-09 15:59:22 -04:00
Marco Oliverio 59ff71f936 fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 16:11:17 +02:00
Andrew Hutchings 5e6cb2b0b6 Allow trusted_ca_keys with TLSv1.3
It is possible that the client will provied `trusted_ca_keys` during a
TLSv1.3 connection with 1.2 downgrade. wolfSSL would error with
`EXT_NOT_ALLOWED`. The TLSv1.3 spec states that it can be provided and
should be ignored.

ZD 19936
2025-06-09 08:31:54 +01:00
Koji Takeda 0260ff789b Clarify supported PKCS12 encryption algorithms 2025-06-09 12:03:47 +09:00
Marco Oliverio c1c1929e55 dtls13: move Dtls13NewEpoch into DeriveTls13Keys
Dlts13NewEpoch saves the keys currently derived in the ssl object.
Moving Dtls13NewEpoch inside DeriveTls13Keys avoid the risk of using the wrong
keys when creating a new Epoch.

This fixes at least he following scenario:

- Client has encryption epoch != 2 in the handshake (eg. due to rtx)

- Client derives traffic0 keys after receiving server Finished message

- Client set encryption epoch to 2 again to send the Finished message, this
   override the traffic key computed

- Client creates the new epoch with the wrong key
2025-06-09 02:35:29 +02:00
Josh Holtrop 10b3cc8dd2 Add fork test for RAND_poll() 2025-06-06 20:45:01 -04:00
JacobBarthelmeh 9ffca6b39c Merge pull request #8822 from kojiws/support_cert_aes_cbc_on_pkcs12_export
Support PBE_AES(256|128)_CBC certificate encryptions on wc_PKCS12_create()
2025-06-06 11:35:13 -06:00
JacobBarthelmeh 45306e9378 Merge pull request #8845 from rlm2002/coverityTests
Coverity: test adjustments and variable checks
2025-06-06 11:29:56 -06:00
JacobBarthelmeh 570c1fc390 Merge pull request #8824 from JeremiahM37/tlsCurveFix
tls fix for set_groups
2025-06-06 10:47:06 -06:00
JacobBarthelmeh bfc55d9016 Merge pull request #8848 from julek-wolfssl/gh/8841
dtlsProcessPendingPeer: correctly set the current peer
2025-06-06 09:52:35 -06:00
Daniel Pouzzner 4572dcf9f9 tests/api/test_x509.c: in test_x509_rfc2818_verification_callback(), add dependency on HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES;
wolfcrypt/test/test.c: in lms_test(), fix -Wdeclaration-after-statement;

add .github/workflows/no-tls.yml;

.github/workflows/pq-all.yml: add smallstack scenario.
2025-06-06 17:18:50 +04:00
JacobBarthelmeh 3ecc58cc0e Merge pull request #8842 from julek-wolfssl/zd/19966
ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING
2025-06-05 17:07:47 -06:00
Juliusz Sosinowicz 736a5e1f89 dtlsProcessPendingPeer: correctly set the current peer 2025-06-06 00:12:38 +02:00
Juliusz Sosinowicz 0ac6ca3cf7 Fix hard tabs and c++ style comments 2025-06-05 22:04:50 +02:00
Juliusz Sosinowicz 761f0f1d1f Simplify TLSX_SupportedCurve_Parse
Server only uses curves that are supported by both the client and the server. If no common groups are found, the connection will fail in TLS 1.2 and below. In TLS 1.3, HRR may still be used to resolve the group mismatch.
2025-06-05 22:04:49 +02:00
JeremiahM37 a160ba1379 Supported_group unit test fix 2025-06-05 22:04:49 +02:00
JeremiahM37 9d342bae83 unit tests for set_groups curve fix 2025-06-05 22:04:49 +02:00
Ruby Martin a413be1984 remove null assignment, add null check 2025-06-05 12:25:50 -06:00
Juliusz Sosinowicz f2584fd5fa ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING 2025-06-05 19:17:00 +02:00
Chris Conlon e51702043f Merge pull request #8837 from BridgerVoss/code_cov
Unit test for Dh.c code coverage
2025-06-05 09:37:42 -06:00
Chris Conlon a17b3b4985 Merge pull request #8831 from JeremiahM37/UnitTest
Unit test for wolfcrypt pkcs12 file to improve code coverage
2025-06-05 09:30:48 -06:00
Koji Takeda 1f78923590 Add a test for mixture of algorithms 2025-06-05 09:26:44 +09:00
JeremiahM37 a6580d3916 Unit test for wolfcrypt pkcs12 file to improve code coverage 2025-06-04 16:01:35 -06:00
Bridger Voss 80c6ac141a Unit test for Dh.c wc_DhSetNamedKey code coverage 2025-06-04 15:48:52 -06:00
Sebastian Carpenter a29d12fd3f WOLFSSL_ASN_ALLOW_0_SERIAL not handled in make check
test_MakeCertWith0Ser needed an extra #define check for WOLFSSL_ASN_ALLOW_0_SERIAL. Previously, it was validating that a 0 serial should not work -> now it validates that a 0 serial does work.
2025-06-04 12:21:41 -06:00
Lealem Amedie 02a49693e2 Fix bug in ParseCRL_Extensions 2025-06-04 10:23:53 -06:00
Koji Takeda 7c33096398 Support PBE_AES256_CBC and PBE_AES128_CBC cert encryption on wc_PKCS12_create() 2025-06-04 16:43:30 +09:00
Sean Parkinson 8ea01056c3 Merge pull request #8788 from julek-wolfssl/gh/8765
tls13: handle malformed CCS and CCS before CH
2025-05-28 09:45:09 +10:00