JacobBarthelmeh
b5738236d9
Merge pull request #10187 from embhorn/zd21587
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
Sean Parkinson
967780f1b7
Merge pull request #10239 from gasbytes/crl-idp-extension-fix
reject crls with unrecognized critical extensions
2026-04-21 10:21:31 +10:00
JacobBarthelmeh
ad8b6dbc32
Merge pull request #10217 from ColtonWilley/null-checks-evp-ocsp-x509
Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509
2026-04-20 17:27:19 -06:00
Sean Parkinson
fa9f24ff27
Merge pull request #10223 from rlm2002/zd21611
CN constraints fix
2026-04-19 21:28:29 +10:00
Ruby Martin
797ba3f03b
test DNS name constraints on CA are applied against Subject CN name when SAN name is unavailable
test correct CN with no SAN available is accepted
2026-04-17 12:10:25 -06:00
Reda Chouk
857141da35
reject crls with unrecognized critical extensions per rfc 5280 section 5.2
2026-04-17 19:36:55 +02:00
Tobias Frauenschläger
0de3925207
Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.
Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Sean Parkinson
318cd62d44
Merge pull request #10231 from JeremiahM37/fenrir-issues-3
Fix PEM input validation and zeroize sensitive key buffers
2026-04-17 10:44:55 +10:00
Sean Parkinson
460463aa8f
Merge pull request #10166 from JeremiahM37/test-coverage
Add negative tests for TLS handshake verification paths
2026-04-17 10:41:53 +10:00
Sean Parkinson
9d1fe652b1
Merge pull request #10224 from embhorn/zd21594
Various fixes in internal.c
2026-04-17 09:44:33 +10:00
Brett Nicholas
4bf334c299
Merge pull request #10009 from night1rider/SHE-update
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Daniel Pouzzner
801c412ad2
src/tls.c, wolfssl/ssl.h, tests/api.c: followup to ff7a32d022 ( #10182 ):
* Fix OOB heap reads via TLSX_ExtractEch() by preemptively rejecting oversized
SNI names in TLSX_UseSNI().
* In TLSX_EchChangeSNI(), don't attempt to truncate if an oversized name is
seen, just return error.
* Move definition of WOLFSSL_HOST_NAME_MAX to an ungated context in ssl.h, and
use it consistently in tls.c, eliminating the duplicative
WOLFSSL_HOST_NAME_MAX.
2026-04-16 11:12:02 -05:00
Jeremiah Mackey
a0614dd3c0
add negative tests for TLS handshake verification paths
2026-04-16 14:37:07 +00:00
Daniel Pouzzner
4cd7126092
tests/api/test_aes.c: fix gating for test_wc_AesGcm_MonteCarlo() to exclude WOLFSSL_AFALG and WOLFSSL_DEVCRYPTO.
2026-04-15 21:29:17 -05:00
night1rider
64a1ac8dd2
wc_SHE_ImportM1M2M3: fix guard from || to && so it gates on WOLF_CRYPTO_CB
2026-04-15 18:03:39 -06:00
Sean Parkinson
cd6b062847
Merge pull request #10136 from JeremiahM37/fenrir-issues-2
Fenrir fixes
2026-04-16 08:51:17 +10:00
Sean Parkinson
d2175f3b42
Merge pull request #10222 from embhorn/zd21597
Report cert verify failure with MD5
2026-04-16 08:45:15 +10:00
Sean Parkinson
f286f62cb3
Merge pull request #10201 from gasbytes/quic_record_cap
add missing WOLFSSL_QUIC_MAX_RECORD_CAPACITY check on the early-data
2026-04-16 08:42:35 +10:00
Sean Parkinson
6be03a5dab
Merge pull request #10182 from embhorn/zd21576
Fix TLSX_EchChangeSNI to check hostname termination
2026-04-16 08:37:42 +10:00
Sean Parkinson
1fab25301f
Merge pull request #10221 from julek-wolfssl/gh/10197
TLS 1.3: evict session from cache after accepted 0-RTT resumption
2026-04-16 08:16:31 +10:00
David Garske
26a7d594e3
Merge pull request #10232 from douzzer/20260415-confusing_globals
20260415-confusing_globals
2026-04-15 15:02:40 -07:00
David Garske
faa6e985a5
Merge pull request #10226 from SparkiDev/api_test_cipher_algs_3
API tests: more cipher tests
2026-04-15 14:32:11 -07:00
Eric Blankenhorn
c429a41121
Fix from review
2026-04-15 15:26:46 -05:00
night1rider
1078e797f8
Fix CMake SHE deps, const-correctness in CryptoCb uid, stale comment, XSTRLEN double call, configure.ac AES-CBC guard, and add LoadKey/LoadKey_Verify test coverage
2026-04-15 11:28:03 -06:00
night1rider
f081a08c5c
Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-in
Address PR #10009 review comments from bigbrett and Fenrir
2026-04-15 11:28:03 -06:00
night1rider
802c34018c
Add more in depth comments in header file for she.h
2026-04-15 11:28:03 -06:00
night1rider
ee7fe9e1b1
SHE API: remove key storage from context, add direct output params
2026-04-15 11:28:03 -06:00
night1rider
8c0999a352
fix macro guarding in tests/api.c
2026-04-15 11:28:03 -06:00
night1rider
eeedc470e9
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-15 11:27:44 -06:00
David Garske
1a67eb7223
Merge pull request #9851 from night1rider/setkey-callbacks
Setkey/Export callbacks
2026-04-15 10:17:38 -07:00
Daniel Pouzzner
d8085cc427
src/ssl_load.c, wolfssl/ssl.h, tests/api.c: rename wolfSSL*PrivateKey_id() to wolfSSL*PrivateKey_Id_ex(), and add missing WOLF_PRIVATE_KEY_ID gating.
2026-04-15 11:53:06 -05:00
Jeremiah Mackey
bdebcfc5a0
reject negative pemSz in PEM-to-DER APIs
2026-04-15 16:46:32 +00:00
Reda Chouk
1576cf9edc
add exact-boundary tests at wolfssl_quic_max_record_capacity and cap+1 to catch off-by-one mutations in the early data capacity check
2026-04-15 14:36:35 +02:00
Sean Parkinson
b44d8c66d7
Merge pull request #10192 from mattia-moffa/20260409-fixes
Various fixes
2026-04-15 20:35:04 +10:00
Sean Parkinson
c905033acf
API tests: more cipher tests
1. Unaligned Buffer Tests
Verify correct output when input/output buffers are byte-offset by 1,
2, and 3 bytes.
- AES-CBC, AES-CTS, AES-CTR, AES-GCM, AES-CCM, AES-XTS
- ChaCha20, ChaCha20-Poly1305
2. In-Place (Overlapping) Buffer Tests
Verify correct output when out == in (same pointer for input and
output).
- AES-CTS, AES-GCM, AES-CCM, AES-XTS
- ChaCha20, ChaCha20-Poly1305
3. Cross-Cipher Verification Tests
Verify that a higher-level mode produces identical output when
manually reconstructed from a lower-level primitive (typically AES-ECB +
XOR).
- AES-CBC (= ECB + XOR chaining)
- AES-CFB (= ECB(ciphertext feedback) + XOR)
- AES-OFB (= ECB(output feedback) + XOR)
- AES-CTR (= ECB(counter) + XOR with big-endian increment)
- AES-GCM (ciphertext portion = CTR starting at counter J0+1)
- ChaCha20-Poly1305 (ciphertext = raw ChaCha20 keystream XOR; tag =
independent Poly1305)
4. Counter Overflow Tests
Verify correct carry propagation when the internal block counter wraps
around.
- AES-CTR (32-bit big-endian carry across 4 bytes: 0xFFFFFFFE → wrap)
- ChaCha20 (32-bit counter: 0xFFFFFFFF → 0x00000000)
5. AEAD Edge Case Tests
Verify correct behavior for empty inputs, empty AAD, and invalid auth
tag rejection.
- Ascon-AEAD128
- AES-CCM
- ChaCha20-Poly1305
6. Non-Standard Parameter Tests
Verify behavior outside the common fast path.
- AES-GCM: non-96-bit nonce lengths (1-byte, 60-byte, variable-length
loop, zero-length rejection)
7. Streaming API State Tests
Verify mid-stream state behavior and re-initialization after a final
call.
- AES-GCM stream, AES-XTS stream
- ChaCha20-Poly1305 stream
2026-04-15 17:05:32 +10:00
Sean Parkinson
6ac0f82b85
Merge pull request #10204 from mattia-moffa/20260413-fixes
SetSuitesHashSigAlgo fix
2026-04-15 11:39:26 +10:00
Mattia Moffa
6b535a4bd3
Initialize ctTampered in test
2026-04-15 03:09:11 +02:00
Mattia Moffa
41e54ba4f0
Initialize fullMac in test
2026-04-15 03:09:11 +02:00
Mattia Moffa
7bd2c3c946
Fix clang-tidy complaints
2026-04-15 03:09:11 +02:00
Mattia Moffa
1d4c5f7022
Fix codespell false positive
2026-04-15 03:09:11 +02:00
Mattia Moffa
0749f20c33
Require exact tag length in EVP_DigestVerifyFinal HMAC path
ZD#21457 (31)
2026-04-15 03:09:11 +02:00
Mattia Moffa
0a00b47c75
Fix ML-KEM ARM64 NEON ciphertext comparison reduction
ZD#21457 (30)
2026-04-15 03:09:11 +02:00
Mattia Moffa
9c304bdc09
PKCS12: check mismatch between hash algo and hash size
ZD#21457 (27)
2026-04-15 03:08:50 +02:00
Sean Parkinson
5ad6097f15
Merge pull request #10168 from night1rider/zd-21534
Address bug fixes sent in by ZD 21534
2026-04-15 09:11:04 +10:00
Sean Parkinson
0b88017e20
Merge pull request #10181 from embhorn/zd21567
Fix ReqCertFromX509 to check bounds
2026-04-15 09:01:25 +10:00
Sean Parkinson
409b5fcf38
Merge pull request #10172 from embhorn/zd21568
Fix pkcs12 parse issue
2026-04-15 09:00:12 +10:00
Sean Parkinson
14ebd3d649
Merge pull request #10170 from embhorn/zd21566
Fix partial chain verification
2026-04-15 08:58:28 +10:00
night1rider
642a65a34d
Add export hooks for ecc
2026-04-14 16:21:50 -06:00
night1rider
79b0d9f9f5
Add setkey/exportkey/eccgetsize test coverage in api.c
2026-04-14 16:21:50 -06:00
night1rider
1295f4fe0e
Add WOLF_CRYPTO_CB_SETKEY and WOLF_CRYPTO_CB_EXPORT_KEY crypto callback
utilities for generic SetKey and ExportKey operations on HMAC, RSA, ECC,
and AES. Add wc_ecc_size/wc_ecc_sig_size callback hooks for hardware-only
keys. Integrate into configure.ac as --enable-cryptocbutils=setkey,export
options with CI test configurations in os-check.yml.
Add test handlers in test.c and api.c with export/import delegation
pattern, small-stack-safe allocations, custom curve support, and
DEBUG_CRYPTOCB helpers.
2026-04-14 16:21:50 -06:00