Sean Parkinson
bac0563669
Merge pull request #9919 from anhu/lms-leaf-idx
...
Fix buffer-overflow in LMS leaf cache indexing
2026-03-13 10:02:50 +10:00
JacobBarthelmeh
424af6eb5b
Merge pull request #9956 from rlm2002/coverity
...
20260311 Coverity changes
2026-03-12 16:53:39 -06:00
JacobBarthelmeh
351d2594ac
Merge pull request #9938 from SparkiDev/regression_fixes_23
...
Fixes from regression testing
2026-03-12 14:41:18 -06:00
JacobBarthelmeh
a05a3ed1c2
Merge pull request #9940 from cconlon/pathLenSet
...
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
Ruby Martin
6ebd967345
bounds check on ext_dump
2026-03-12 09:53:35 -06:00
JacobBarthelmeh
a8dfa59bbe
Merge pull request #9761 from julek-wolfssl/ocsp-responder
...
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson
bbd2f6f898
Fixes from regression testing
...
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
Anthony Hu
00d0b09401
Fix buffer-overflow in LMS leaf cache indexing
...
wc_lms_treehash_init() writes leaf node hashes into the leaf cache
using an absolute index (i * hash_len), but the cache is only
max_cb entries starting from leaf->idx. When leaf->idx > 0 (which
occurs when wc_LmsKey_Reload is called after signing more than
max_cb times), the write goes past the end of the cache buffer.
Fix by using the relative offset (i - leaf->idx) * hash_len instead.
Added unit tests (test_lms.c):
- test_wc_LmsKey_sign_verify: basic sign/verify sanity check
- test_wc_LmsKey_reload_cache: (TDD) reproduces the overflow by
signing 33 times then reloading the key
2026-03-11 16:58:48 -04:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
sebastian-carpenter
8a7d327d24
ECH fixes F-293, F-201, F-358, F-203
2026-03-11 10:06:37 -06:00
Chris Conlon
354691d24a
Copy pathlen in ASN1_OBJECT_dup() and set pathLengthSet in X509_add_ext() when adding basic constraints with a path length
2026-03-11 09:59:19 -06:00
sebastian-carpenter
e17ac41070
TLS ECH fixes [SNI, api.c, server.c, comments]
2026-03-11 09:52:13 -06:00
sebastian-carpenter
58625d1f03
corrections for ECH specification
2026-03-11 09:52:11 -06:00
sebastian-carpenter
c3a38dced7
testing + bug fixes for TLS ECH
2026-03-11 08:56:26 -06:00
Juliusz Sosinowicz
6fc83e292b
Address code review
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
4578e1390f
Implement OCSP responder
...
OCSP Responder Core API:
- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM
Header Cleanup:
- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h
OCSP Responder Example (examples/ocsp_responder/):
- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client
Test Scripts (scripts/):
- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling
Certificate Infrastructure (certs/ocsp/):
- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions
Known Limitations (documented in src/ocsp.c header comment):
- Single request/response per OCSP exchange only
- Key-hash responder ID only (no name-based responder ID)
- No singleExtensions support
2026-03-11 10:21:16 +01:00
Daniel Pouzzner
ad21c89ba8
Merge pull request #9944 from JacobBarthelmeh/revert-pr9909
...
revert PR 9909
2026-03-10 19:38:57 -05:00
Daniel Pouzzner
e3e5179cf8
Merge pull request #9869 from JacobBarthelmeh/f356
...
fix for sanity checks on serial input
2026-03-10 19:30:46 -05:00
Daniel Pouzzner
df504300db
Merge pull request #9863 from JacobBarthelmeh/f361
...
Fix for setting curve using all caps with wolfSSL_set1_curves_list
2026-03-10 19:29:46 -05:00
Daniel Pouzzner
65092ab5eb
Merge pull request #9838 from SparkiDev/slhdsa_1
...
FIPS 205, SLH-DSA: implementation
2026-03-10 19:28:59 -05:00
JacobBarthelmeh
528b22140b
revert PR 9909
2026-03-10 14:47:21 -06:00
JacobBarthelmeh
cbf5264d1c
replace comment character with allowed character
2026-03-10 10:23:10 -06:00
JacobBarthelmeh
6e56635a09
Fix for setting curve using all caps with wolfSSL_set1_curves_list
2026-03-09 10:41:01 -06:00
Eric Blankenhorn
4b09fb36d9
Add test test_tls13_derive_keys_no_key
2026-03-09 09:49:37 -06:00
Sean Parkinson
39b34333d6
FIPS 205, SLH-DSA: implementation
...
Adding implementation of SLH-DSA.
Included optimizations for Intel x64.
Some tests added.
2026-03-09 19:06:34 +10:00
Daniel Pouzzner
b3f08f33b8
Merge pull request #9873 from miyazakh/fix_larger_crlnum
...
fix lareger(>57 octets) CRL number
2026-03-06 22:49:03 -06:00
Daniel Pouzzner
467f16f47d
Merge pull request #9913 from julek-wolfssl/fenrir/365
...
Enforce null compression in compression_methods list
2026-03-06 22:29:59 -06:00
Daniel Pouzzner
68e085df45
Merge pull request #9918 from douzzer/20260306-NO_SHA-test_ocsp_cert_unknown_crl_fallback
...
20260306-NO_SHA-test_ocsp_cert_unknown_crl_fallback (approved by @JacobBarthelmeh)
2026-03-06 22:24:45 -06:00
Daniel Pouzzner
2655c436da
Merge pull request #9861 from JacobBarthelmeh/f360
...
additional sanity check on number of groups passed to set groups func…
2026-03-06 22:23:40 -06:00
JacobBarthelmeh
68a1f6f756
remove special characters, use simple ASCII characters
2026-03-06 17:30:48 -07:00
JacobBarthelmeh
013e2c8fdf
remove special characters, use simple ASCII characters
2026-03-06 17:22:25 -07:00
Daniel Pouzzner
b08f959412
tests/api/test_ocsp.c: don't build test_ocsp_cert_unknown_crl_fallback and related helpers if NO_SHA.
2026-03-06 17:01:40 -06:00
Tobias Frauenschläger
a2622746cd
Error out in case of unknown extensions in response message in TLS 1.3
2026-03-06 17:09:49 +01:00
Juliusz Sosinowicz
1537f83c24
Enforce null compression in compression_methods list`
...
F-365
2026-03-06 16:56:09 +01:00
Hideki Miyazaki
cfb7f35e72
fix lareger(>57 octets) crlnum
2026-03-06 10:51:54 +09:00
Daniel Pouzzner
ed8f67cb37
Merge pull request #9858 from JacobBarthelmeh/ticket
...
additional sanity check with session ticket size
2026-03-05 16:35:51 -06:00
Daniel Pouzzner
63bee12c92
Merge pull request #9875 from Frauschi/f-158
...
Treat alerts as fatal errors regardless of level in TLS1.3
2026-03-05 16:06:40 -06:00
Daniel Pouzzner
663187150e
Merge pull request #9878 from embhorn/f377
...
Fix checkPad to test for zero padding
2026-03-05 15:38:54 -06:00
Daniel Pouzzner
13c02b92b2
Merge pull request #9839 from padelsbach/crl-enhancements-ossl
...
CRL enhancements for revoked entries
2026-03-05 15:35:53 -06:00
Daniel Pouzzner
ff493c2979
Merge pull request #9834 from padelsbach/padelsbach/finding-23
...
Fix OCSP->CRL fallback
2026-03-05 15:33:25 -06:00
JacobBarthelmeh
37e3a8f3bd
fix for sanity checks on serial input
2026-03-05 14:23:44 -07:00
Daniel Pouzzner
c65e3e50fd
Merge pull request #9825 from embhorn/zd21240
...
Fix issue in TLS_hmac size calculation
2026-03-05 15:16:47 -06:00
Daniel Pouzzner
178f96c483
Merge pull request #9854 from sameehj/rsa-pss-fix
...
Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
2026-03-05 15:03:46 -06:00
Daniel Pouzzner
26e2f05bfd
Merge pull request #9848 from Frauschi/dtls_hrr_group
...
Fix for DTLS1.3 HRR group handling
2026-03-05 15:02:16 -06:00
Tobias Frauenschläger
11fc781d0d
Treat alerts as fatal errors regardless of level in TLS1.3
2026-03-05 18:21:02 +01:00
Eric Blankenhorn
998967ea41
Fix review feedback
2026-03-05 08:51:52 -06:00
Eric Blankenhorn
7f487b9869
Fix checkPad to test for zero padding
2026-03-05 08:32:18 -06:00
Paul Adelsbach
569a96fbd2
Fix for C++ compilers
2026-03-04 15:01:08 -08:00
Paul Adelsbach
22d7550f8e
CRL enhancements for revoked entries
2026-03-04 14:53:28 -08:00
Daniel Pouzzner
f04e6e8718
tests/api.c and tests/api/test_pkcs7.c: fixes for CFLAGS="-Og" --enable-all (PRB-single-flag.txt line 3).
2026-03-04 14:46:20 -06:00