Kareem
76c52c31fb
Disallow wildcard partial domains when using MatchDomainName.
2026-03-16 16:21:47 -07:00
JacobBarthelmeh
44de734fa3
add sanity check on keysize found with ECC point import
2026-03-16 16:57:50 -06:00
Kareem
ddc177b669
Check raw pubkey length in wc_ecc_import_x963 before copying to it for KCAPI case.
2026-03-16 15:34:18 -07:00
Juliusz Sosinowicz
7c92fb204d
Use constant-time PKCS#7 padding check in EVP
F-763
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
fac08427e5
Fix missing op validation in EVP_PKEY_decrypt
F-747
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
5f7bc0f3a6
Clear sensitive stack buffers in ed448 signing
F-765
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
109e765b5b
Clear sensitive stack buffers in ed25519 signing
F-764
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
e4b55be65a
Use mp_forcezero for DH private key in async path
F-766
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
643427040b
Clear seed buffer after dilithium key generation
F-767
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
4ee9a263f0
Fix resource leak in wc_InitEccsiKey_ex error path
F-752
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
b168bfaa6a
Check wc_ecc_init_ex return value in wc_GetKeyOID
F-749
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
265fbdb3dd
Check wc_InitRsaKey return value in wc_GetKeyOID
F-748
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
f56356a9b4
test_lms_write_key: check fwrite return
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
43a36a17d4
Upgrade deprecated GitHub Actions to v4
F-876
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz
c6f41bce2f
Fix memory leak on hash failure in LoadCertByIssuer
F-721
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz
4596e9e1a7
Fix error return in InitSSL verify param path
F-720
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
a9a9eae4d9
Fix error propagation in InitSSL QUIC path
F-719
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
3ff051f3e4
Use secure wipe for RSA temporary
F-718
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
0d7ef87f09
Fix bounds check in session deserialization
F-717
2026-03-16 15:14:25 -07:00
David Garske
b5c532703a
Merge pull request #9954 from kareem-wolfssl/gh9951
Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.
2026-03-16 15:09:22 -07:00
David Garske
da635c9004
Merge pull request #9980 from anhu/sphincs_no_elseif
Fixes SPHINCS else-if chain key detection
2026-03-16 15:03:59 -07:00
David Garske
90377e10c5
Merge pull request #9979 from anhu/falcon_no_elseif
Fixes Falcon else-if chain key detection
2026-03-16 15:03:43 -07:00
David Garske
96661a5dab
Merge pull request #9977 from JacobBarthelmeh/multi-test
Minor fixes for nightly multi-test tool
2026-03-16 14:31:39 -07:00
JacobBarthelmeh
57f416fc43
Merge pull request #9961 from sebastian-carpenter/tls-ech-coverity
minor coverity fixes for tls ech code
2026-03-16 15:27:27 -06:00
Daniel Pouzzner
416072f298
Merge pull request #9969 from Frauschi/mlkem_wconversion
ML-KEM Wconversion fixes
2026-03-16 15:03:26 -05:00
David Garske
77c7418052
Merge pull request #9973 from JacobBarthelmeh/static_analysis
fix to sanity check on importing raw session key info
2026-03-16 13:46:53 -06:00
David Garske
87906a38ab
Merge pull request #9974 from JacobBarthelmeh/oss-fuzz
fix to free CRL reason extension
2026-03-16 13:46:34 -06:00
Andrew Hutchings
cfd819370a
Fix SE050 RSA-PSS signing, key cleanup, and mutex leaks
RSA-PSS fix:
Skip SE050 hardware path for RSA-PSS sign and verify operations in
RsaPublicEncryptEx() and RsaPrivateDecryptEx(). The SE050's PSS sign
API (Se05x_API_RSASign) is a hash-then-sign operation, which
double-hashes when wolfSSL passes a pre-computed digest (as done during
TLS CertificateVerify). PSS operations now fall through to the software
RSA path. PKCS#1 v1.5 signing continues to use SE050 hardware.
Key object leak fix:
Add se050_rsa_free_key() called from wc_FreeRsaKey() to erase
wolfSSL-allocated RSA key objects from SE050 persistent storage on
free. Without this, persistent key slots on the SE050 are never
reclaimed and eventually exhaust secure storage. Add matching
sss_key_store_erase_key() calls to se050_ecc_free_key(),
se050_ed25519_free_key(), and se050_curve25519_free_key(). Only keys
with keyId >= SE050_KEYID_START are erased (pre-provisioned keys are
left intact).
Mutex leak fix:
Add missing wolfSSL_CryptHwMutexUnLock() calls before early returns in
se050_rsa_sign(), se050_rsa_verify(), se050_rsa_public_encrypt(), and
se050_rsa_private_decrypt() when the algorithm lookup fails after the
mutex has already been acquired.
ZD 21212
2026-03-16 19:19:14 +00:00
JacobBarthelmeh
7de150eff0
Merge pull request #9975 from rlm2002/coverity
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
Tobias Frauenschläger
987a705318
Fix stack tracking in wolfCrypt benchmark
2026-03-16 18:33:55 +01:00
Daniel Pouzzner
30d8cf1a66
Merge pull request #9971 from JacobBarthelmeh/linuxkm
Use ENOMEM return and add goto out on AAD error with linuxkm
2026-03-16 11:43:15 -05:00
Juliusz Sosinowicz
2051297ab0
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-16 17:02:02 +01:00
Daniel Pouzzner
49796a5159
configure.ac: don't include enable_ocsp_responder in enable-all if $enable_sha = no, remove enable_ocsp_responder from enable-all-crypto setup, and remove superseded fixup clause for ENABLED_OCSP_RESPONDER with ENABLED_SHA = no.
.wolfssl_known_macro_extras: remove unneeded WOLFSSL_PYTHON.
2026-03-16 10:20:48 -05:00
JacobBarthelmeh
7ad9c25a5b
Merge pull request #9978 from SparkiDev/xmss_sign_idx_fix
XMSS: Fix index copy for signing.
2026-03-16 09:20:38 -06:00
Anthony Hu
2939ab7f6a
Fixes SPHINCS else-if chain key detection
F-751
2026-03-16 11:20:19 -04:00
JacobBarthelmeh
93fc517dd1
add NO_RSA macro guard to test case
2026-03-16 08:58:15 -06:00
Anthony Hu
3b36db0c9d
Fixes Falcon else-if chain key detection
F-750
2026-03-16 10:55:28 -04:00
JacobBarthelmeh
f8dda213b0
Merge pull request #9972 from cconlon/getCiphersCompatFix
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Sean Parkinson
9590255ceb
XMSS: Fix index copy for signing.
The index is already big-endian encoded but it needs to be front padded
with zeros instead of back end padded.
2026-03-16 21:24:08 +10:00
JacobBarthelmeh
8f810c2705
clear q with integer.c and mp_div_3 in error case
2026-03-16 00:09:37 -06:00
JacobBarthelmeh
73e425923b
setting heap pointer based on if key is null
2026-03-16 00:08:04 -06:00
JacobBarthelmeh
9b96f49505
check return value of fwrite in test case
2026-03-16 00:07:09 -06:00
JacobBarthelmeh
681fb41fcb
Null check on SNI pointer before potential use
2026-03-16 00:06:38 -06:00
JacobBarthelmeh
eaa6db9462
account for --enable-all-crypto and --disable-sha build now having OCSP responder
2026-03-16 00:06:13 -06:00
Ruby Martin
2ca2781756
reallocate tmp buffer with space for null terminator
2026-03-13 17:28:00 -06:00
Ruby Martin
8b7b6754d9
macro guard with WOLFSSL_SMALL_STACK to prevent dead code
2026-03-13 17:03:02 -06:00
Ruby Martin
1ac4ba282b
remove early der free
2026-03-13 17:03:02 -06:00
Kareem
0b26791168
Code review feedback
2026-03-13 15:57:18 -07:00
Kareem
3cc15548bc
Code review feedback. Error out on len = 0 as well.
2026-03-13 15:57:18 -07:00
Kareem
0a082b08ca
Code review feedback
2026-03-13 15:57:18 -07:00