Paul Adelsbach
aa020f39c4
Extend AIA interface
2026-02-02 08:48:40 -08:00
JacobBarthelmeh
c807903088
Merge pull request #9722 from SparkiDev/sha3-harden
...
SHA-3: harden against glitch attack
2026-02-02 09:21:35 -07:00
Tobias Frauenschläger
540b51eb28
CMake fixes and improvements
...
* Minor fixes to the CMakeLists.txt
* Add more options to the CMake infrastructure already present in the
autoconf infrastructure
* An autoconf build now also generates and installs files required to
consume the installed wolfssl library via CMake.
* Added test for autoconf-CMake interworking
Work is mostly done by Codex and Curser.
2026-02-02 10:26:58 +01:00
Sean Parkinson
565ac4c101
ECC: import point, always do some checks when untrusted
...
Always check for infinity and, when B param available, whether the point
is on the curve when point is untrusted.
Change TLS code to treat points from peer as untrusted on import.
2026-02-02 16:12:19 +10:00
Sean Parkinson
5924524920
SHA-3: harden against glitch attack
...
Check loop counts to ensure glitching didn't change number of times loop
was performed.
2026-02-02 15:54:55 +10:00
Sean Parkinson
b56eeb91aa
Merge pull request #9730 from douzzer/20251126-linuxkm-full-reloc-support
...
20251126-linuxkm-full-reloc-support
2026-02-02 15:52:15 +10:00
Daniel Pouzzner
f2f9d5bbe7
src/internal.c: in SanityCheckMsgReceived(), gate "TLS 1.2 message order check: certificate before CKE" from 5b6f86bc8e on !WOLFSSL_NO_CLIENT_AUTH.
2026-01-30 22:38:44 -06:00
Daniel Pouzzner
64bdcce08d
linuxkm/linuxkm_wc_port.h: move implementation of wc_linuxkm_inet_pton() and definition of XINET_PTON() inside BUILDING_WOLFSSL guard.
2026-01-30 22:35:31 -06:00
Daniel Pouzzner
6123febd3f
src/ssl_sk.c, src/x509.c, wolfssl/ssl.h: tweaks and fixes to from #9705 : remove !WOLFSSL_LINUXKM gates, and fix nullPointerArithmeticRedundantCheck in ExtractHostFromUri().
2026-01-30 17:34:37 -06:00
Daniel Pouzzner
0b91a0e913
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, linuxkm/Makefile: refactor wc_linuxkm_normalize_relocations() and associated types and objects:
...
* change wc_linuxkm_pie_reloc_tab from unsigned int[] to struct wc_linuxkm_pie_reloc_tab_ent[], with dest_segment and reloc_type members;
* add enum wc_reloc_dest_segment and enum wc_reloc_type;
* update GENERATE_RELOC_TAB recipe in Makefile to render the dest segment and reloc type;
* add struct reloc_layout_ent, and reloc_layouts[] fully populated for x86 and ARM relocations;
* refactor find_reloc_tab_offset() and wc_linuxkm_normalize_relocations() to reflect the above;
linuxkm/module_hooks.c: tweak various printf format characters and arguments for compatibility with ARM32;
linuxkm/linuxkm_wc_port.h: include linux/inet.h and define wc_linuxkm_inet_pton() and XINET_PTON(), unless WOLFCRYPT_ONLY.
2026-01-30 17:34:02 -06:00
Daniel Pouzzner
8719df2666
wolfcrypt/src/aes.c: in wc_AesGcmSetKey(), don't VECTOR_REGISTERS_POP() until after GCM_generate_m0_*().
2026-01-30 17:33:30 -06:00
Daniel Pouzzner
e48663248c
wolfssl/wolfcrypt/types.h: in setup for wc_static_assert, include assert.h if __STDC_VERSION__ or __cplusplus denotes presence, even if WOLFSSL_HAVE_ASSERT_H is unset.
2026-01-30 17:33:13 -06:00
Daniel Pouzzner
1feb7d247d
.github/workflows/linuxkm.yml: in first scenario, remove --disable-opensslextra (i.e. retain opensslextra implicit to --enable-all), remove -DWOLFSSL_LINUXKM_VERBOSE_DEBUG, and use --enable-all-asm rather than --enable-intelasm --disable-sp-asm; in second secnario, add -DDEBUG_LINUXKM_PIE_SUPPORT.
2026-01-30 17:32:55 -06:00
JacobBarthelmeh
ff28a114b3
Merge pull request #9724 from holtrop-wolfssl/rust-ecc-allow-empty-pub_buf_slice-on-import-private
...
Rust wrapper: ECC: Allow import_private_*() calls with empty pub_buf slice
2026-01-30 10:54:01 -07:00
JacobBarthelmeh
1dc177fdbe
Merge pull request #9718 from SparkiDev/tls12_msg_order_checks
...
TLS 1.2 message order check: certificate before CKE
2026-01-30 10:50:33 -07:00
JacobBarthelmeh
9ca379f3bb
Merge pull request #9719 from dgarske/usersettings_expand
...
Improve user_settings.h examples and add validation rules
2026-01-29 15:35:12 -07:00
Tobias Frauenschläger
90be76cb94
Misc fixes and improvements regarding PKCS#11
2026-01-29 18:39:15 +01:00
Tobias Frauenschläger
f59a27cdc6
Support PKCS#11 ECDSA verify with stored key
2026-01-29 18:39:04 +01:00
Tobias Frauenschläger
55946d5bdf
Add support for PKCS#11 version 3.2
2026-01-29 18:38:10 +01:00
Tobias Frauenschläger
ee16b9506f
Add support for PKCS#11 Version 3.0 and 3.1
2026-01-29 18:38:03 +01:00
David Garske
7077a7bdd8
Fix for macros not longer needed in .wolfssl_known_macro_extras
2026-01-29 09:28:23 -08:00
Josh Holtrop
88b34a68d8
Rust wrapper: ECC: Allow import_private_*() calls with empty pub_buf slice
2026-01-29 10:32:50 -05:00
Sean Parkinson
be4584784c
Split out code form ssl.c and pk.c
...
Move EC and RSA code out of pk.c into separate file.
Move out of ssl.c into separate files:
- Certificate APIs
- CRL/OCSP APIs
- Public Key APIs
- ECH
Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.
Fix formatting.
2026-01-29 18:49:56 +10:00
jackctj117
6d6d0ab088
Add PKCS7 ECC raw sign callback support
2026-01-28 14:44:00 -07:00
David Garske
c2a987595f
Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca
2026-01-28 11:27:01 -08:00
David Garske
3946ba8de3
Improve user_settings.h examples and add validation rules
...
- Standardize header guards to WOLFSSL_USER_SETTINGS_H across all files
- Add #if 0/1 gates with labels for easy feature toggling
- Fix bugs: typos in eccnonblock (WOLFSL_SHA*), duplicates in fipsv5/all
- Add NO_DES3_TLS_SUITES alongside NO_DES3 where needed
- Update wolfboot_keytools with upstream PQ algorithms (ML-DSA, LMS, XMSS)
- Add settings.h validation rules with descriptive error messages
- Auto-define NO_DES3_TLS_SUITES when NO_DES3 is set (instead of error)
- Update README.md and add missing files to CI tests
2026-01-28 09:52:24 -08:00
JacobBarthelmeh
a6316114bd
Merge pull request #9716 from SparkiDev/regression_fixes_22
...
Regression test fixes
2026-01-27 22:07:50 -07:00
JacobBarthelmeh
ba3653d8d0
Merge pull request #9717 from dgarske/config_rules
...
Make sure all configure.ac rules are also enforced in settings.h
2026-01-27 21:53:51 -07:00
Sean Parkinson
5b6f86bc8e
TLS 1.2 message order check: certificate before CKE
...
Make sure we received a Certificate message before the ClientKeyExchange
when a certificate is requested. (Certificate message will be empty when
client has no valid certificate.)
2026-01-28 10:35:14 +10:00
Sean Parkinson
eb2fb4a9ce
Merge pull request #9699 from anhu/downg
...
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
David Garske
46251bb401
Fix issue with NO_DES3_TLS_SUITES
2026-01-27 14:42:41 -08:00
Sean Parkinson
bc9e37118e
Regression test fixes
...
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh
f7b5f00973
Merge pull request #9710 from rlm2002/xChaCha20_Poly1305_unitTest
...
Unit test updates for XChacha20-Poly1305
2026-01-27 13:56:16 -07:00
JacobBarthelmeh
4f84be8e66
Merge pull request #9715 from dgarske/rsa_key_parsing
...
Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support
2026-01-27 13:11:14 -07:00
David Garske
74a4bcb546
Enforce all configure.ac rules in settings.h also. Keeping configure.ac for early error checking.
2026-01-27 10:46:29 -08:00
Anthony Hu
3aa758c615
renegotiation indication changes number of ciphersuites so gate on that
2026-01-27 12:57:31 -05:00
JacobBarthelmeh
3e7efe8be2
Merge pull request #9705 from cconlon/nameConstraints
...
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Anthony Hu
9a53125794
Simplify testing gating logic.
2026-01-27 11:19:50 -05:00
David Garske
c8fa1e915b
Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support.
2026-01-26 16:06:05 -08:00
Ruby Martin
38cb14f2a9
add API unit test for XChacha20-Poly1305
...
Expand XChacha20-Poly1305 unit test
2026-01-26 15:33:35 -07:00
Chris Conlon
610d530e45
Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name()
2026-01-26 10:36:05 -07:00
David Garske
eeaa3a7160
Merge pull request #9596 from kareem-wolfssl/zd19378
...
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
Anthony Hu
d6985a6ee3
AES-GCM guard.
2026-01-23 16:23:44 -05:00
Kaleb Himes
4574a0c10e
Merge pull request #9706 from miyazakh/selftest_pqc
...
Enable kyber and dilithium in selftest
2026-01-23 13:41:44 -07:00
David Garske
6ae5555718
Merge pull request #9704 from douzzer/20260122-toolchain-workarounds
...
20260122-toolchain-workarounds
2026-01-23 12:39:05 -08:00
David Garske
cd88ec57b0
Merge pull request #9685 from kareem-wolfssl/gh7735
...
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
JacobBarthelmeh
2f388dde4c
Merge pull request #9703 from dgarske/stsafe-a120-ecdhe
...
Fixes for STSAFE-A120 ECDHE
2026-01-23 10:59:45 -07:00
David Garske
4773ea6d44
Merge pull request #9637 from Frauschi/test_coverage
...
Increase test coverage for PQC and CMake
2026-01-23 07:51:40 -08:00
David Garske
b5209344e0
Merge pull request #9707 from danielinux/enable_stm32g0_AES_only
...
Add STM32G0 hardware crypto support
2026-01-23 07:50:30 -08:00
Michal Jahelka
269c28be16
Add STM32G0 hardware crypto support
2026-01-23 11:09:08 +01:00