Commit Graph

4068 Commits

Author SHA1 Message Date
Anthony Hu 2616fe3ff1 Better guards around tests 2026-01-22 22:17:59 -05:00
Sean Parkinson 27df554e99 Merge pull request #9701 from Frauschi/brainpool-tls13
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
Sean Parkinson baaa368a61 Merge pull request #9668 from kaleb-himes/PQ-FS-2026-Part1
PQ FS 2026 part1
2026-01-23 10:30:47 +10:00
Kareem d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
kaleb-himes 20b2fd200f Address failure rates from FIPS CRNGT test by implementing alternate RCT/ADP tests
Update ret code to match docs and update docs

Replace magic numbers with appropriate define

Define MAX_ENTROPY_BITS when MEMUSE not enabled

Fix type cast windows detection

Older FIPS modules still need the old check

CodeSpell you're wrong, that is what I want to name my variable

Turn the hostap into a manual dispatch until it gets fixed

Upon closer review we can not skip the test when memuse enabled

Fix whitespace stuff found by multitest

More syntax things

Correct comments based on latest findings
2026-01-22 09:06:17 -07:00
Tobias Frauenschläger eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
Anthony Hu d088fee72c Add cipher suite filtering when downgrade is disabled
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.

Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
Kareem 832bcd7f4b Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850 2026-01-20 15:59:05 -07:00
Chris Conlon 0f395a5f9d Fix memory management in wolfssl_dns_entry_othername_to_gn() and
wolfSSL_X509_get_ext_d2i() for otherName SAN handling, add ASN_RID_TYPE case to wolfSSL_X509_get_ext_d2i()
2026-01-19 16:39:33 -07:00
Daniel Pouzzner 4ce6c4c262 Merge pull request #9623 from julek-wolfssl/dtls-1.3-ms-interval
dtls 1.3: allow rtx interval to be less than a second
2026-01-19 17:01:23 -06:00
Daniel Pouzzner c2cf8b1545 Merge pull request #9659 from holtrop-wolfssl/improve-error-for-invalid-helloretryrequest
Improve log message and error code for invalid HelloRetryRequest - fix #9653
2026-01-19 16:23:59 -06:00
Juliusz Sosinowicz 429b690370 Address code review 2026-01-19 09:38:17 +01:00
Juliusz Sosinowicz 48067f1fa7 dtls 1.3: allow rtx interval to be less than a second 2026-01-19 09:32:09 +01:00
Daniel Pouzzner 467d6dd338 tests/api/test_evp_digest.c: fix for copy-paste error in test_wolfSSL_EVP_sm3(), introduced in 43d831ff06. 2026-01-17 09:58:21 -06:00
Daniel Pouzzner 5c7f986925 Merge pull request #9670 from miyazakh/fix_selftest
Fix compilation, crypt test and unit test failures when selftest is enabled
2026-01-16 23:57:27 -06:00
Daniel Pouzzner 9aabef04ba Merge pull request #9641 from SparkiDev/api_c_split_evp
API testing: split out more test cases
2026-01-16 14:58:15 -06:00
Hideki Miyazaki 8ad73d8ac1 Fix compile and crypt test failures when selftest is enabled 2026-01-16 08:55:06 +09:00
Josh Holtrop e7612ff36f Improve log message and error code for invalid HelloRetryRequest - fix #9653 2026-01-15 12:55:17 -05:00
Sean Parkinson 43d831ff06 API testing: split out more test cases
EVP into test_evp_cipher, test_evp_digest, test_evp_pkey and test_evp.
OBJ into test_ossl_obj.
OpenSSL RAND into test_ossl_rand.
OpenSSL PKCS7 and PKCS12 tests into test_ossl_p7p12.
CertificateManager into test_certman.

Move some BIO tests from api.c into test_evp_bio.c.

Fix line lengths.
2026-01-13 06:34:49 +10:00
Sean Parkinson ce69f1cec0 Merge pull request #9635 from miyazakh/x509errstr_handling
Fix OpenSSL error code handling in ERR_reason_error_string()
2026-01-12 08:57:17 +10:00
Sean Parkinson 84ca4a05fa Merge pull request #9628 from miyazakh/fix_crlnumber
Fix CRL Number hex string buffer overflow in CRL parser
2026-01-12 08:52:57 +10:00
Hideki Miyazaki 0e8af03f1d OpenSSL error code handling in reason_error_string 2026-01-10 13:50:08 +09:00
Hideki Miyazaki d052128830 addressed review comments 2026-01-09 09:01:14 +09:00
David Garske d25f98fd82 Merge pull request #9584 from miyazakh/fix_qtfail
Fix qt jenkins nightly test failure
2026-01-08 10:58:20 -08:00
David Garske 133d29dcef Merge pull request #9626 from rizlik/name_contraints_fixes
asn: MatchBaseName fixes
2026-01-08 10:56:53 -08:00
David Garske 97d9bfcea6 Merge pull request #9601 from rizlik/early_data_client_side_fixes
check that we are resuming in write_early_data + minor fixes
2026-01-08 10:26:48 -08:00
Hideki Miyazaki 08876e278a Fix CRL Number hex string buffer overflow in CRL parser 2026-01-08 17:25:19 +09:00
Sean Parkinson 883ceecf8a ChaCha20 Aarch64 ASM fix: 256-bit case fixed
Fixed the 256-bits at a time crypt assembly code.

Add a chunking test for ChaCha20.
2026-01-08 18:01:15 +10:00
Hideki Miyazaki 6392c2b420 undo changes
fix indentation
2026-01-08 07:10:25 +09:00
Marco Oliverio 94dc7ae9ad asn: MatchBaseName fixes 2026-01-07 17:53:43 +01:00
Marco Oliverio 50b39c91da fixup! (d)tls13: check if early data is possible in write_early_data 2026-01-07 14:30:16 +01:00
Hideki Miyazaki c6dd1a745e boundary check 2026-01-07 09:19:43 +09:00
Hideki Miyazaki 30fe079763 Addressed review comments 2026-01-07 06:55:22 +09:00
Hideki Miyazaki 10d3e251fd fix qt jenkins nightly test failure 2026-01-07 06:55:22 +09:00
Sean Parkinson 5343cb386a Merge pull request #9588 from kareem-wolfssl/ghAlerts
Fix incorrect alerts.
2026-01-06 20:22:51 +10:00
Fabian Keil 21f35137a1 tests: Unbreak the build on FreeBSD-based systems
... by using the same additional includes as on Linux.

Fixes:

      CC       tests/api/unit_test-test_rsa.o
    tests/api.c:19554:9: error: call to undeclared function 'waitpid'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
     19554 |         waitpid(pid, &waitstatus, 0);
	   |         ^

Tested on ElectroBSD amd64 14.3-STABLE.
2025-12-31 14:48:06 +01:00
Kareem ddb2fb628e Add a runtime option to enable or disable the secure renegotation check. 2025-12-30 13:19:04 -07:00
Anthony Hu 48ebe99372 Validate asn date based on position of Z (#8603) 2025-12-29 16:01:22 -06:00
Kareem 7d04a53a6c Update X509_get_default_cert_* stubs to return empty strings.
According to the documentation, these functions must return static strings, so NULL was not valid.

Fixes #6474.
2025-12-26 15:26:05 -07:00
Kareem d09b5ee1f1 Add duplicate entry error to distinguish cases where a duplicate CRL is rejected. 2025-12-26 12:02:35 -07:00
David Garske 2354ea196b Merge pull request #9513 from rizlik/dtls_header_fix
fix DTLS header headroom accounting
2025-12-23 17:20:12 -08:00
David Garske 0fae0a7ba6 Merge pull request #9397 from rizlik/earlydata_want_write_fixes
wolfssl: preserve early-data handling across WANT_WRITE retries
2025-12-23 17:19:39 -08:00
David Garske 57ef8a7caf Merge pull request #9574 from anhu/dtls_guard
Guard a bit of DTLS code.
2025-12-23 15:03:46 -08:00
David Garske 18176392fa Merge pull request #9576 from douzzer/20251222-linuxkm-PK-initrng-optimize
20251222-linuxkm-PK-initrng-optimize
2025-12-23 15:02:53 -08:00
Anthony Hu 40327b7fe3 Binary consts to hexidecimal. C2X feature. 2025-12-23 14:45:36 -05:00
Daniel Pouzzner da4fc4921e tests/api/test_ed25519.c: in test_wc_Ed25519PublicKeyToDer(), on old FIPS, tolerate old error code from wc_Ed25519PublicKeyToDer(). 2025-12-23 12:25:10 -06:00
Sean Parkinson b766f11e7b TLS 1.3, plaintext alert: ignore when expecting encrypted
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
2025-12-23 09:09:06 +10:00
night1rider afbc65a6c3 Aes Free callback support 2025-12-22 12:39:41 -07:00
Marco Oliverio 540fae80ab test_dtls: test payload split when WOLFSSL_NO_DTLS_SIZE_CHECK 2025-12-22 13:41:33 +01:00