Anthony Hu
00d0b09401
Fix buffer-overflow in LMS leaf cache indexing
wc_lms_treehash_init() writes leaf node hashes into the leaf cache
using an absolute index (i * hash_len), but the cache is only
max_cb entries starting from leaf->idx. When leaf->idx > 0 (which
occurs when wc_LmsKey_Reload is called after signing more than
max_cb times), the write goes past the end of the cache buffer.
Fix by using the relative offset (i - leaf->idx) * hash_len instead.
Added unit tests (test_lms.c):
- test_wc_LmsKey_sign_verify: basic sign/verify sanity check
- test_wc_LmsKey_reload_cache: (TDD) reproduces the overflow by
  signing 33 times then reloading the key
2026-03-11 16:58:48 -04:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
sebastian-carpenter
8a7d327d24
ECH fixes F-293, F-201, F-358, F-203
2026-03-11 10:06:37 -06:00
sebastian-carpenter
032dbe6878
ECH fixes F-292, F-28
2026-03-11 10:06:36 -06:00
Chris Conlon
354691d24a
Copy pathlen in ASN1_OBJECT_dup() and set pathLengthSet in X509_add_ext() when adding basic constraints with a path length
2026-03-11 09:59:19 -06:00
sebastian-carpenter
e17ac41070
TLS ECH fixes [SNI, api.c, server.c, comments]
2026-03-11 09:52:13 -06:00
sebastian-carpenter
58625d1f03
corrections for ECH specification
2026-03-11 09:52:11 -06:00
Daniel Pouzzner
ecf71e745b
.wolfssl_known_macro_extras: fix for disorder and unneeded entries.
2026-03-11 10:22:11 -05:00
Daniel Pouzzner
aeb4c042fd
wolfcrypt/benchmark/benchmark.c: smallstack (WC_*_VAR*()) refactor for bench_slhdsa().
2026-03-11 10:21:55 -05:00
sebastian-carpenter
c3a38dced7
testing + bug fixes for TLS ECH
2026-03-11 08:56:26 -06:00
sebastian-carpenter
cb2d693550
bad rebase + fixing dtls13 support for ECH
2026-03-11 08:54:00 -06:00
sebastian-carpenter
a2fe12a38a
TLS ECH OuterExtensions support (Server side)
2026-03-11 08:54:00 -06:00
sebastian-carpenter
30cfb385eb
fixed seg fault when confirmation not present
2026-03-11 08:54:00 -06:00
sebastian-carpenter
3605c2a417
client and server fix for TLS ECH
2026-03-11 08:54:00 -06:00
jordan
0a99a08b0f
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-11 09:47:15 -05:00
Juliusz Sosinowicz
c920d2882c
Restore body size calculation and add comment
2026-03-11 12:46:22 +01:00
Juliusz Sosinowicz
5a4c63423b
Address code review
2026-03-11 12:28:11 +01:00
Juliusz Sosinowicz
6bb122d29f
Address copilot review
2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz
6fc83e292b
Address code review
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
0a1b4f9185
fix shaCopy errors
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
7ae2ecc686
fixup! Implement OCSP responder
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
3be004f3ef
fixup! Implement OCSP responder
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
9015ae9e17
Return unknown information inside of Basic Responde
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
00c6436cce
Refactor date parsing
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
cec611987a
fixup! Implement OCSP responder
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
10be06d747
Address copilot feedback
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
fcd6c4f203
Enhance OCSP responder error handling for serial validation and HTTP response truncation
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
931d056688
Add stapling to test scripts/ocsp-stapling-with-wolfssl-responder.test
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
9a9eb2bf1d
Add ocsp responder test to testsuite.c and tested on windows
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
a795b19db2
Implement copilot suggestions
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
4578e1390f
Implement OCSP responder
OCSP Responder Core API:
- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM
Header Cleanup:
- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h
OCSP Responder Example (examples/ocsp_responder/):
- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client
Test Scripts (scripts/):
- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling
Certificate Infrastructure (certs/ocsp/):
- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions
Known Limitations (documented in src/ocsp.c header comment):
- Single request/response per OCSP exchange only
- Key-hash responder ID only (no name-based responder ID)
- No singleExtensions support
2026-03-11 10:21:16 +01:00
Sean Parkinson
31cfcdf3f0
sp_int.c: comment fixes
Fix comments.
Reformat @param lines.
Reformat XMALLOC lines.
Fix lines to be no longer than 80 characters.
2026-03-11 14:45:10 +10:00
Daniel Pouzzner
3540d89c0d
Merge pull request #9945 from holtrop-wolfssl/zd21327
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 22:39:24 -05:00
Daniel Pouzzner
a5bc0cd929
Merge pull request #9887 from rlm2002/static_analysis
20260305 Coverity fixes
2026-03-10 22:34:57 -05:00
Daniel Pouzzner
fc7c19bb07
Merge pull request #9934 from SparkiDev/tls_length_fixes_1
TLS: Better handling of parsing TLS extensions
2026-03-10 22:34:10 -05:00
Daniel Pouzzner
2db5fbb04e
Merge pull request #9933 from rlm2002/coverity
20260309 Coverity changes for Sunday build
2026-03-10 22:32:23 -05:00
Daniel Pouzzner
bfe0b21829
Merge pull request #9765 from night1rider/zephyr-4_3_0-posix-fix
Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample.
2026-03-10 22:28:43 -05:00
Daniel Pouzzner
ad21c89ba8
Merge pull request #9944 from JacobBarthelmeh/revert-pr9909
revert PR 9909
2026-03-10 19:38:57 -05:00
Daniel Pouzzner
be6e088f46
Merge pull request #9942 from padelsbach/padelsbach/crl-gen-script-fix
Generate CRLs from unit test script
2026-03-10 19:38:29 -05:00
Daniel Pouzzner
8246fa2900
Merge pull request #9910 from holtrop-wolfssl/rust-lms
Rust wrapper: add lms module
2026-03-10 19:37:41 -05:00
Daniel Pouzzner
e8a53c2e6d
Merge pull request #9941 from kaleb-himes/v6-wolfentropy-combofix
Ensure user-space wolfentropy builds of the v6 module compile the cor…
2026-03-10 19:36:52 -05:00
Daniel Pouzzner
e4dea8f261
Merge pull request #9885 from Frauschi/missing_force_zero
Add missing ForceZero calls
2026-03-10 19:36:07 -05:00
Daniel Pouzzner
f9b15210d9
Merge pull request #9921 from Frauschi/zd21310
Zeroize preMasterSecret in hybrid PQ/T error cases
2026-03-10 19:35:12 -05:00
Daniel Pouzzner
51693156fe
Merge pull request #9939 from SparkiDev/mlkem_comments_fixes
ML-KEM: Fixes for comments plus bug fixes
2026-03-10 19:34:39 -05:00
Daniel Pouzzner
3203610249
Merge pull request #9925 from sameehj/fix-compilation
Fix undefined variable tls1 in InitSuites for PSK cipher suite
2026-03-10 19:34:05 -05:00
Daniel Pouzzner
4e84c7e05a
Merge pull request #9931 from aidangarske/fix-wolfcrypt-fenrir-1
Fix Fenrir 376
2026-03-10 19:33:32 -05:00
Daniel Pouzzner
f1508c910a
Merge pull request #9930 from julek-wolfssl/fenrir/260903
Fenrir fixes
2026-03-10 19:32:56 -05:00
Daniel Pouzzner
7af6decbf3
Merge pull request #9856 from anhu/rsa_guard
Macro guard parameter null check.
2026-03-10 19:32:19 -05:00
Daniel Pouzzner
f18d5ba359
Merge pull request #9928 from philljj/fix_f_451
ascon: don't skip wc_AsconAEAD128_Clear on auth error.
2026-03-10 19:31:20 -05:00
Daniel Pouzzner
e3e5179cf8
Merge pull request #9869 from JacobBarthelmeh/f356
fix for sanity checks on serial input
2026-03-10 19:30:46 -05:00