Lealem Amedie
1f260ccb0a
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-27 17:15:06 -06:00
Daniel Pouzzner
aab90d7a25
tests/api.c: fix false-positive -Wmaybe-uninitialized in test_wolfSSL_clear_secure_renegotiation() with --enable-all CFLAGS=-Og.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner
91f66fb9c0
tests/api/test_pkcs7.c: in test_wc_PKCS7_BER(), in expected-failure wc_PKCS7_DecodeEnvelopedData() in WOLFSSL_SP_MATH build, allow failure with either WC_KEY_SIZE_E or BUFFER_E, to accommodate blinding added by #10128 / 589feabc0c.
2026-04-25 11:47:24 -05:00
Daniel Pouzzner
1f1b572548
tests/api.c: fix -Wnull-dereferences in wolfSSL_UseSecureRenegotiation().
2026-04-25 11:47:24 -05:00
David Garske
21921408b9
Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
...
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh
734a71180c
Merge pull request #10220 from embhorn/zd21596
...
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh
c6953b868a
Merge pull request #10260 from Frauschi/ecc_fix
...
Fix ECC validation regression
2026-04-24 14:39:50 -06:00
JacobBarthelmeh
b9514e70be
Merge pull request #10148 from julek-wolfssl/openvpn-master-bn2binpad
...
Add BN_bn2binpad API and enable OpenVPN master CI testing
2026-04-24 13:54:06 -06:00
kaleb-himes
08fd7bde58
PQ FIPS v7.0.0 Phase 2 & 3: All changes
...
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn
412c428b0a
Fix TLS ext bounds checking
2026-04-24 07:23:07 -05:00
Juliusz Sosinowicz
31278ee8bd
Merge pull request #10296 from JacobBarthelmeh/hostap
2026-04-24 14:13:02 +02:00
JacobBarthelmeh
29f674e5b6
avoid glitch hardening false positive byte collision with small messages and adjust test case
2026-04-24 01:08:00 -06:00
Sean Parkinson
936f8e5423
Merge pull request #10203 from Frauschi/pkcs7_fixes
...
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
JacobBarthelmeh
72c7d12cfb
exclude the trust anchor from prospective certification path with pathlen check
2026-04-23 16:23:07 -06:00
JacobBarthelmeh
2ba4d7e6c9
Merge pull request #10210 from ColtonWilley/fix-scr-dangling-ptr-after-tlsx-freeall
...
Fix dangling secure_renegotiation pointer after TLSX_FreeAll
2026-04-23 13:58:24 -06:00
Daniel Pouzzner
9d46b57af3
Merge pull request #10246 from sameehj/aes-gcm-fix
...
Zero TLS 1.3 traffic keys after AES SE offload
2026-04-23 13:26:59 -05:00
Tobias Frauenschläger
6c5de29758
Fix ECC validation regression
2026-04-23 11:26:33 +02:00
Tobias Frauenschläger
22d1441331
Bounds-check the RecipientInfo SET length in wc_PKCS7_ParseToRecipientInfoSet()
2026-04-23 11:03:24 +02:00
Tobias Frauenschläger
b7f6e77a95
Reject PKCS#7 SignedData signer-identity forgery
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
589feabc0c
Harden PKCS#7 EnvelopedData key unwrap
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
3fd4060458
Add more PKCS#7 tests
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
5634cfd67c
Fix PKCS#7 regression with --enable-all and NO_PKCS7_STREAM
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
84fb0f694c
Fix various range and size bugs in PKCS#7 code
2026-04-23 09:36:32 +02:00
JacobBarthelmeh
b5738236d9
Merge pull request #10187 from embhorn/zd21587
...
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
Mattia Moffa
389d15fa45
Fix compile error
2026-04-21 03:30:39 +02:00
Mattia Moffa
6f37b17757
Address Copilot suggestions
2026-04-21 02:56:36 +02:00
Mattia Moffa
c3e5f19643
Address Copilot suggestions
2026-04-21 02:35:57 +02:00
Sean Parkinson
967780f1b7
Merge pull request #10239 from gasbytes/crl-idp-extension-fix
...
reject crls with unrecognized critical extensions
2026-04-21 10:21:31 +10:00
JacobBarthelmeh
ad8b6dbc32
Merge pull request #10217 from ColtonWilley/null-checks-evp-ocsp-x509
...
Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509
2026-04-20 17:27:19 -06:00
Sameeh Jubran
ba51fbd30b
Zero TLS 1.3 traffic keys after AES SE offload
...
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.
The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).
Scope: TLS 1.3, non-DTLS, non-QUIC. DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.
Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-04-20 10:45:23 +03:00
Sean Parkinson
fa9f24ff27
Merge pull request #10223 from rlm2002/zd21611
...
CN constraints fix
2026-04-19 21:28:29 +10:00
Ruby Martin
797ba3f03b
test DNS name constraints on CA are applied against Subject CN name when SAN name is unavailable
...
test correct CN with no SAN available is accepted
2026-04-17 12:10:25 -06:00
Reda Chouk
857141da35
reject crls with unrecognized critical extensions per rfc 5280 section 5.2
2026-04-17 19:36:55 +02:00
Tobias Frauenschläger
0de3925207
Add RFC8773bis cert_with_extern_psk support
...
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.
Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Sean Parkinson
318cd62d44
Merge pull request #10231 from JeremiahM37/fenrir-issues-3
...
Fix PEM input validation and zeroize sensitive key buffers
2026-04-17 10:44:55 +10:00
Sean Parkinson
460463aa8f
Merge pull request #10166 from JeremiahM37/test-coverage
...
Add negative tests for TLS handshake verification paths
2026-04-17 10:41:53 +10:00
Sean Parkinson
9d1fe652b1
Merge pull request #10224 from embhorn/zd21594
...
Various fixes in internal.c
2026-04-17 09:44:33 +10:00
Brett Nicholas
4bf334c299
Merge pull request #10009 from night1rider/SHE-update
...
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Daniel Pouzzner
801c412ad2
src/tls.c, wolfssl/ssl.h, tests/api.c: followup to ff7a32d022 (#10182):
...
* Fix OOB heap reads via TLSX_ExtractEch() by preemptively rejecting oversized
SNI names in TLSX_UseSNI().
* In TLSX_EchChangeSNI(), don't attempt to truncate if an oversized name is
seen, just return error.
* Move definition of WOLFSSL_HOST_NAME_MAX to an ungated context in ssl.h, and
use it consistently in tls.c, eliminating the duplicative
WOLFSSL_HOST_NAME_MAX.
2026-04-16 11:12:02 -05:00
Jeremiah Mackey
a0614dd3c0
add negative tests for TLS handshake verification paths
2026-04-16 14:37:07 +00:00
Daniel Pouzzner
4cd7126092
tests/api/test_aes.c: fix gating for test_wc_AesGcm_MonteCarlo() to exclude WOLFSSL_AFALG and WOLFSSL_DEVCRYPTO.
2026-04-15 21:29:17 -05:00
night1rider
64a1ac8dd2
wc_SHE_ImportM1M2M3: fix guard from || to && so it gates on WOLF_CRYPTO_CB
2026-04-15 18:03:39 -06:00
Sean Parkinson
cd6b062847
Merge pull request #10136 from JeremiahM37/fenrir-issues-2
...
Fenrir fixes
2026-04-16 08:51:17 +10:00
Sean Parkinson
d2175f3b42
Merge pull request #10222 from embhorn/zd21597
...
Report cert verify failure with MD5
2026-04-16 08:45:15 +10:00
Sean Parkinson
f286f62cb3
Merge pull request #10201 from gasbytes/quic_record_cap
...
add missing WOLFSSL_QUIC_MAX_RECORD_CAPACITY check on the early-data
2026-04-16 08:42:35 +10:00
Sean Parkinson
6be03a5dab
Merge pull request #10182 from embhorn/zd21576
...
Fix TLSX_EchChangeSNI to check hostname termination
2026-04-16 08:37:42 +10:00
Sean Parkinson
1fab25301f
Merge pull request #10221 from julek-wolfssl/gh/10197
...
TLS 1.3: evict session from cache after accepted 0-RTT resumption
2026-04-16 08:16:31 +10:00
David Garske
26a7d594e3
Merge pull request #10232 from douzzer/20260415-confusing_globals
...
20260415-confusing_globals
2026-04-15 15:02:40 -07:00
David Garske
faa6e985a5
Merge pull request #10226 from SparkiDev/api_test_cipher_algs_3
...
API tests: more cipher tests
2026-04-15 14:32:11 -07:00
Eric Blankenhorn
c429a41121
Fix from review
2026-04-15 15:26:46 -05:00