Marco Oliverio
12c2cdafaf
rename wolfSSL_MaybeCheckAlertOnErr in wolfMaybeCheckAlertOnErr
2025-12-22 09:51:06 +01:00
Marco Oliverio
f4c48c19c1
fix: abide unused arguments when WOLFSSL_CHECK_ALER_ON_ERR is disabled
2025-12-22 09:51:06 +01:00
Marco Oliverio
38d8eb6f0d
address reviewer's comments
2025-12-22 09:51:06 +01:00
Marco Oliverio
950c074c25
test: fix typo in structure field
2025-12-22 09:51:06 +01:00
Marco Oliverio
8de68decd2
test: tls13_early_data: test WANT_WRITE in early data
2025-12-22 09:51:06 +01:00
Marco Oliverio
609e30a69c
test: tls13_early_data: refactor splitEarlyData test option
2025-12-22 09:51:06 +01:00
Marco Oliverio
57282140a9
WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors
2025-12-22 09:51:06 +01:00
Marco Oliverio
093d77727b
early_data: avoid resetting ssl->earlyData after WANT_WRITE retry
2025-12-22 09:51:06 +01:00
Marco Oliverio
a1c8790039
wolfssl: preserve early-data handling across WANT_WRITE retries
...
The early-data logic setups "early" exits in Accept/Connect state machine so
that the data exchanged during the handshake can be delivered to the
caller.
After the caller process the data, it usually calls Accept/Connect again
to cotinue the handshake.
Under non-blocking I/O there is the chance that these early exits are
skipped, this commit fixes that.
Server-side accept (TLS 1.3/DTLS 1.3) could skip the early-data shortcut
whenever sending the Finished flight first hit WANT_WRITE: when Accept
is called again and the data is eventually flushed into the I/O layer
the accept state is advanced past TLS13_ACCEPT_FINISHED_SENT, so the
next wolfSSL_accept() call skipped the block that marks
SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By
keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only
returning early while that handshake flag is still unset, we revisit the
shortcut immediately after the buffered flight is delivered, preserving
the intentional behaviour even under non-blocking I/O.
On the client, the same pattern showed up after SendTls13ClientHello()
buffered due to WANT_WRITE: after flushing, the connect state is already
CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now
fall through into the CLIENT_HELLO_SENT case and only short-circuit once
per handshake, ensuring the reply-processing loop still executes on the
retry.
2025-12-22 09:51:05 +01:00
Hideki Miyazaki
fc583d068f
add SK-S7G2 support
...
Update README based on copilot suggestion
2025-12-20 10:32:09 +09:00
Kareem
adf38007f4
Document wolfSSL_CTX_New's behavior on failure around WOLFSSL_METHOD.
...
Fixes #9517 .
2025-12-19 17:19:45 -07:00
Kareem
ac98505204
Document wolfSSL_CTX_set_default_passwd_cb and wolfSSL_CTX_set_default_passwd_cb_userdata.
...
Fixes #6008 .
2025-12-19 17:18:45 -07:00
Kareem
7c4feb5e87
Improve the error message returned by BAD_KEY_SHARE_DATA.
...
Fixes #9084 .
2025-12-19 17:17:33 -07:00
Kareem
5b473f6b9b
Add SSL_get_rfd and SSL_get_wfd.
...
Fixes https://github.com/wolfSSL/wolfssl-nginx/issues/25 .
2025-12-19 17:16:35 -07:00
Kareem
b6766106c8
Add documentation for Base16_Encode and Base64_Encode's behavior of adding a NULL terminator byte.
...
Fixes #5602
2025-12-19 17:15:44 -07:00
Kareem
a1999d29ed
Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
...
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.
Fixes #8152 .
2025-12-19 16:37:50 -07:00
JacobBarthelmeh
0a0c43054f
Merge pull request #9564 from douzzer/20251219-fixes
...
20251219-fixes
2025-12-19 16:24:20 -07:00
Kareem
3e59b83727
Only keep /dev/urandom open, close /dev/random after each use.
...
Improve logic for opening RNG seed FD.
2025-12-19 15:57:49 -07:00
Kareem
fe105d4b48
Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
...
This flag can not be used with FIPS.
2025-12-19 15:25:15 -07:00
David Garske
1cb2231ff5
Added build option to allow certificate CA matching using AKID with signers SKID ( WOLFSSL_ALLOW_AKID_SKID_MATCH). Fixed issue with cert->extAuthKeyIdSz not being set with ASN template code.
2025-12-19 14:14:39 -08:00
Daniel Pouzzner
a7550346dd
wolfcrypt/test/test.c: in rng_seed_test(), fix gates for FIPS 5.2.4.
2025-12-19 15:50:27 -06:00
Daniel Pouzzner
d3f74557fe
wolfcrypt/src/wolfentropy.c: add volatile attribute to entropy_memuse_initialized declaration; in wc_Entropy_Get(), if HAVE_FIPS, call Entropy_Init() if necessary, to accommodate FIPS KATs; in Entropy_Init(), add thread safety.
2025-12-19 15:45:17 -06:00
JacobBarthelmeh
d5723d0d89
Merge pull request #9544 from julek-wolfssl/gh/9362
...
Check KeyShare after HRR
2025-12-19 14:36:31 -07:00
David Garske
1825bd86f5
Merge pull request #9550 from JacobBarthelmeh/caam
...
sanity checks on buffer size with AES and CAAM Integrity use
2025-12-19 11:03:40 -08:00
JacobBarthelmeh
d26c11c626
Merge pull request #9551 from josepho0918/iar
...
Add IAR support to WC_OFFSETOF macro
2025-12-19 11:36:33 -07:00
JacobBarthelmeh
8153ea6189
Merge pull request #9559 from cconlon/pkcs7SignedNonOctet
...
Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types
2025-12-19 11:12:06 -07:00
Daniel Pouzzner
6f95a9c58e
wolfcrypt/src/random.c: in _InitRng(), remove "drbg_instantiated" conditional cleanup logic (Coverity true-benign-positive: DEADCODE because drbg_instantiated is always false when ret != DRBG_SUCCESS).
2025-12-19 10:30:14 -06:00
Daniel Pouzzner
fb26b2dfe1
wolfcrypt/test/test.c: in HMAC tests, initialize ret, to silence uninitvar from cppcheck-force-source.
2025-12-19 09:07:14 -06:00
Daniel Pouzzner
96c47cd18c
wolfcrypt/test/test.c: in _rng_test(), inhibit the WC_RESEED_INTERVAL subtest if an rng callback is installed.
2025-12-19 08:55:35 -06:00
Juliusz Sosinowicz
dd35f10b57
ed25519: validate presence of keys in export functions
2025-12-19 10:14:26 +01:00
JacobBarthelmeh
a3072c7a8d
fix for shadows global declaration warning
2025-12-18 17:18:39 -07:00
Chris Conlon
afe82b9512
Fix PKCS#7 degenerate detection based on signerInfos length
2025-12-18 16:28:03 -07:00
Chris Conlon
d6dcd30736
Fix PKCS#7 streaming for non OCTET STRING content types
2025-12-18 16:28:01 -07:00
JacobBarthelmeh
bbc3a72ea8
Merge pull request #9556 from julek-wolfssl/rng-tools-timeout-fix
...
rng-tools: increase jitter timeout
2025-12-18 15:59:42 -07:00
Kareem
b0b840aa0f
Rename fdOpen to seedFdOpen to avoid potential conflicts.
...
Gate keeping the seed FD open behind WOLFSSL_KEEP_RNG_SEED_FD_OPEN and only
enable by default for HAProxy. It is causing issues on OS X and may
cause issues on other OSes, and is generally a major behavior change.
2025-12-18 15:55:35 -07:00
Kareem
c238defe23
Add cast for public_size
2025-12-18 15:32:59 -07:00
Kareem
755097d512
Track if RNG seed FD was opened and only close it if it was already open. This fixes the case where wc_FreeRng is called when _InitRng was not called on the RNG. Since the FD value defaults to 0 before _InitRng was called, and 0 is potentially a valid FD, it was being closed.
2025-12-18 15:27:00 -07:00
JacobBarthelmeh
4162f24434
Merge pull request #9555 from embhorn/zd20964
...
Null deref check in Pkcs11ECDH
2025-12-18 15:14:35 -07:00
Chris Conlon
5eef52c6fa
Add test for PKCS#7 SignedData with non-OCTET_STRING content
2025-12-18 15:02:02 -07:00
Kareem
81d32f4fe6
Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application.
2025-12-18 14:37:59 -07:00
David Garske
4e96b11cce
Merge pull request #9557 from douzzer/20251218-fixes
...
20251218-fixes
2025-12-18 12:35:44 -08:00
Kareem
0420c942a0
Only use -1 for uninitialized fds as 0 is a valid fd.
2025-12-18 11:22:22 -07:00
Kareem
2e83b97909
Only attempt to close RNG file descriptor on platforms with XCLOSE.
2025-12-18 11:15:33 -07:00
Kareem
fb880e943b
Reset fd after closing it.
2025-12-18 11:15:33 -07:00
Kareem
6bcbfec200
Initalize RNG seed fd in _InitRng.
2025-12-18 11:15:33 -07:00
Kareem
ea43bcba72
Keep RNG seed file descriptor open until the RNG is freed.
2025-12-18 11:15:33 -07:00
Daniel Pouzzner
8a8ef3512e
src/internal.c: in FreeSSL_Ctx(), use wolfSSL_RefWithMutexFree(&ctx->ref), matching refactor in #8187 .
2025-12-18 11:48:31 -06:00
Juliusz Sosinowicz
4e15ccec35
rng-tools: increase jitter timeout
2025-12-18 18:40:54 +01:00
Daniel Pouzzner
83e9a0780f
wolfcrypt/src/wc_lms.c: fix leak in wc_LmsKey_Reload().
2025-12-18 11:09:37 -06:00
Daniel Pouzzner
59b3219c0f
wolfcrypt/test/test.c: fix memory leaks in Hmac tests.
2025-12-18 10:47:21 -06:00