wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-31 04:49:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
25,519 Commits 12 Branches 184 Tags
7c1980fe012d664feca8cbe6c66c97bf3ab96dcc
Commit Graph

8618 Commits

Author SHA1 Message Date
David Garske
2fc1110a13 Merge pull request #8587 from lealem47/gh8574 
Fix bug in ParseCRL_Extensions
 2025-06-12 12:09:52 -07:00
David Garske
6571f42cb9 Merge pull request #8867 from JacobBarthelmeh/rng 
Improvements to RNG and compatibility layer
 2025-06-11 14:31:53 -07:00
JacobBarthelmeh
ae87afa677 Merge pull request #8857 from miyazakh/tsip_fix 
fix TSIP TLS example program
 2025-06-10 16:26:34 -06:00
JacobBarthelmeh
47cf634965 add a way to restore previous pid behavior 2025-06-10 16:12:09 -06:00
JacobBarthelmeh
fbbb6b7707 add mutex locking and compat layer FIPS case 2025-06-10 14:37:11 -06:00
JacobBarthelmeh
31490ab813 add sanity checks on pid with RNG 2025-06-10 14:37:11 -06:00
JacobBarthelmeh
2d892f07eb Merge pull request #8861 from gasbytes/psk-handshake-failure-fix 
tls13: clear tls1_3 on downgrade
 2025-06-10 10:24:17 -06:00
JacobBarthelmeh
047f0bb5fc Merge pull request #8847 from gojimmypi/pr-platformio-cert-bundles 
Improve PlatformIO Certificate Bundle Support
 2025-06-10 10:23:07 -06:00
JacobBarthelmeh
94f5948f20 Merge pull request #8858 from rizlik/dtls13_set_epoch_fix 
dtls13: move Dtls13NewEpoch into DeriveTls13Keys
 2025-06-10 09:48:58 -06:00
Marco Oliverio
3e6703e1fb fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 19:20:06 +02:00
Marco Oliverio
1024bf0109 fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 18:00:23 +02:00
Reda Chouk
92b6e2f2e9 tls13: clear tls1_3 on downgrade 
Unset ssl->options.tls1_3 whenever we drop to TLS 1.2 so PSK
handshakes don’t hit -326 VERSION_ERROR.
 2025-06-09 17:12:56 +02:00
Marco Oliverio
59ff71f936 fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 16:11:17 +02:00
Andrew Hutchings
5e6cb2b0b6 Allow trusted_ca_keys with TLSv1.3 
It is possible that the client will provied `trusted_ca_keys` during a
TLSv1.3 connection with 1.2 downgrade. wolfSSL would error with
`EXT_NOT_ALLOWED`. The TLSv1.3 spec states that it can be provided and
should be ignored.

ZD 19936
 2025-06-09 08:31:54 +01:00
Marco Oliverio
c1c1929e55 dtls13: move Dtls13NewEpoch into DeriveTls13Keys 
Dlts13NewEpoch saves the keys currently derived in the ssl object.
Moving Dtls13NewEpoch inside DeriveTls13Keys avoid the risk of using the wrong
keys when creating a new Epoch.

This fixes at least he following scenario:

- Client has encryption epoch != 2 in the handshake (eg. due to rtx)

- Client derives traffic0 keys after receiving server Finished message

- Client set encryption epoch to 2 again to send the Finished message, this
   override the traffic key computed

- Client creates the new epoch with the wrong key
 2025-06-09 02:35:29 +02:00
Hideki Miyazaki
1f8efc3c14 fix TSIP example 
fix Client Certificate Verify using RSA sign/verify
 2025-06-07 12:38:18 +09:00
gojimmypi
3254f56d32 Improve PlatformIO Certificate Bundle Support 2025-06-06 15:48:07 -07:00
JacobBarthelmeh
0bac2c2b34 Merge pull request #8846 from lealem47/zd20027 
Don't include AEAD nonce in decrypted data size
 2025-06-06 15:43:20 -06:00
JacobBarthelmeh
369f9f0339 Merge pull request #8849 from holtrop/reseed-drbg-in-rand-poll 
Reseed DRBG in RAND_poll()
 2025-06-06 11:55:46 -06:00
JacobBarthelmeh
f4821eb0f4 Merge pull request #8827 from SparkiDev/ml_kem_codepoints 
ML_KEM IDs backward compat
 2025-06-06 11:06:15 -06:00
JacobBarthelmeh
570c1fc390 Merge pull request #8824 from JeremiahM37/tlsCurveFix 
tls fix for set_groups
 2025-06-06 10:47:06 -06:00
Josh Holtrop
0c12337194 Reseed DRBG in RAND_poll() 2025-06-06 12:20:58 -04:00
JacobBarthelmeh
bfc55d9016 Merge pull request #8848 from julek-wolfssl/gh/8841 
dtlsProcessPendingPeer: correctly set the current peer
 2025-06-06 09:52:35 -06:00
Daniel Pouzzner
efc36655e6 src/internal.c: add pedantic-compatible NO_TLS codepath for cipher_names[] and GetCipherNamesSize(). 2025-06-06 18:02:19 +04:00
Sean Parkinson
7eca4fb331 ML_KEM IDs backward compat 
Allow backward compatibilitly of Hybrid ML_KEM codepoints in TLS with
version before wolfSSL 5.8.0.
When WOLFSSL_ML_KEM_USE_OLD_IDS is defined, it will accept the old
codepoints for P256 with ML-KEM-512, P384 with ML-KEM-768, P521 with
ML-KEM-10124. (Others combinations were not know pre 5.8.0.)
Both old client with new server and new client with new server work with
old codepoints.
 2025-06-06 09:17:40 +10:00
JacobBarthelmeh
3ecc58cc0e Merge pull request #8842 from julek-wolfssl/zd/19966 
ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING
 2025-06-05 17:07:47 -06:00
Juliusz Sosinowicz
736a5e1f89 dtlsProcessPendingPeer: correctly set the current peer 2025-06-06 00:12:38 +02:00
Lealem Amedie
53f3e74bf1 Sniffer: Don't include AEAD nonce in decrypted data size 2025-06-05 14:13:45 -06:00
Juliusz Sosinowicz
edfc5360d4 TLSX_SupportedCurve_Parse: fix commonCurves wouldn't be free'd on error 2025-06-05 22:04:50 +02:00
Juliusz Sosinowicz
761f0f1d1f Simplify TLSX_SupportedCurve_Parse 
Server only uses curves that are supported by both the client and the server. If no common groups are found, the connection will fail in TLS 1.2 and below. In TLS 1.3, HRR may still be used to resolve the group mismatch.
 2025-06-05 22:04:49 +02:00
JeremiahM37
888407e40b Updated fix for set_groups 2025-06-05 22:04:49 +02:00
JeremiahM37
3c1c4792da tls fix for set_groups 2025-06-05 22:04:49 +02:00
Juliusz Sosinowicz
f2584fd5fa ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING 2025-06-05 19:17:00 +02:00
JacobBarthelmeh
c207e2d198 Merge pull request #8838 from miyazakh/fsp_fix2 
Fix Renesas SCE on RA6M4
 2025-06-05 09:43:05 -06:00
Brett
89be92f1a8 formatting 2025-06-04 18:29:05 -06:00
Brett
0e2a3fd0b6 add missing error trace macro 2025-06-04 16:56:16 -06:00
Brett
bc8eeea703 prevent apple native cert validation from overriding error codes other than ASN_NO_SIGNER_E 2025-06-04 15:48:15 -06:00
Lealem Amedie
02a49693e2 Fix bug in ParseCRL_Extensions 2025-06-04 10:23:53 -06:00
Hideki Miyazaki
6d2a8b3f4c ready-for-use flag fix 2025-06-04 13:41:01 +09:00
Ruby Martin
9864959e41 create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION, domain name 
checking
 2025-06-03 10:08:58 -06:00
Sean Parkinson
8ea01056c3 Merge pull request #8788 from julek-wolfssl/gh/8765 
tls13: handle malformed CCS and CCS before CH
 2025-05-28 09:45:09 +10:00
David Garske
6de7bb74ed Merge pull request #8787 from julek-wolfssl/refactor-GetHandshakeHeader 
Refactor GetHandshakeHeader/GetHandShakeHeader into one
 2025-05-27 15:26:24 -07:00
Juliusz Sosinowicz
2ec6b92b41 tls13: handle malformed CCS and CCS before CH 
- fix incorrect alert type being sent
- error out when we receive a CCS before a CH
- error out when we receive an encrypted CCS
 2025-05-23 15:04:22 +02:00
Sean Parkinson
999641d9b1 Merge pull request #8642 from rizlik/dtls_no_span_records 
DTLS: drop records that span datagrams
 2025-05-23 14:57:24 +10:00
Ruby Martin
5352e100db Add NO_OLD_TLS macroguard, remove dead code 2025-05-22 14:21:38 -06:00
Juliusz Sosinowicz
5e7ef142e8 Refactor GetHandshakeHeader/GetHandShakeHeader into one 2025-05-20 13:23:14 +02:00
Juliusz Sosinowicz
83ce63ac1a TLSX_UseSupportedCurve: Check group correctness outside of TLS 1.3 too 2025-05-19 14:19:59 +02:00
Marco Oliverio
cbe1fb2c62 dtls: drop DTLS messages that span across datagrams 
A new macro "WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS" restores the old
behaviour.
 2025-05-19 10:28:13 +02:00
Marco Oliverio
80bdd1736a internal: refactor out Decryption in DoDecrypt function 
To uniform error handling for the SanityCheckCipherText check.
 2025-05-19 10:25:24 +02:00
Daniel Pouzzner
91af9073b0 Merge pull request #8777 from rizlik/dtls_reject_v11 
Drop DTLS packets with bogus minor version number
 2025-05-16 14:45:25 -05:00