Sean Parkinson
7245ad02bb
Merge pull request #9748 from gasbytes/wolfSSL_d2i_SSL_SESSION-fix
...
add missing checks in wolfSSL_d2i_SSL_SESSION
2026-02-10 21:22:16 +10:00
Daniel Pouzzner
d36953948b
src/ssl_api_pk.c: in wolfSSL_CTX_SetTmpEC_DHE_Sz(), fix gate-dependent syntax error in if construct;
...
src/ssl_p7p12.c: in wolfSSL_SMIME_read_PKCS7(), fix memleakOnRealloc.
2026-02-07 12:00:00 -06:00
Daniel Pouzzner
51f5f8799d
src/ssl_api_pk.c: fix -Wmaybe-uninitialized in check_cert_key_dev() (defect introduced in #9723 );
...
wolfcrypt/test/test.c: fix error-path memory leaks in srtpkdf_test(), and properly gate out incompatible SRTP_KDF_LONG_KEY test on old FIPS (defect introduced in #9733 );
.wolfssl_known_macro_extras: get into lexical order and remove unneeded WC_RSA_DIRECT.
2026-02-06 13:06:10 -06:00
Reda Chouk
f94eb68ea3
add missing checks in wolfSSL_d2i_SSL_SESSION
2026-02-06 17:00:42 +01:00
Daniel Pouzzner
25db90afe7
Merge pull request #9741 from kareem-wolfssl/variousFixes
...
Various fixes
2026-02-05 20:32:12 -06:00
Daniel Pouzzner
8e6ebdb8ac
Merge pull request #9723 from SparkiDev/ssl_split_cert
...
Split out code form ssl.c and pk.c
2026-02-05 18:21:36 -06:00
David Garske
c3ef6afcfd
Merge pull request #9743 from douzzer/20260205-fixes
...
20260205-fixes
2026-02-05 15:23:57 -08:00
Daniel Pouzzner
1d871879df
Merge pull request #9726 from Frauschi/pkcs11_pqc_prep
...
PKCS#11 PQC preparation work
2026-02-05 16:50:25 -06:00
Paul Adelsbach
635832010e
Use WOLFSSL_STACK methods in new AIA functions
2026-02-05 11:54:26 -08:00
Daniel Pouzzner
0cc1dc29c4
src/x509.c: in x509_aia_append_string(), use heap pointer from supplied *head, and initialize WOLFSSL_STACK.type (fixes "Conditional jump or move depends on uninitialised value(s)" from 08c1397cc1);
...
wolfssl/wolfcrypt/asn.h: use WC_BITFIELD for extAuthInfoListSz and extAuthInfoListOverflow bitfields, for C89 compat (fixes -Wpedantic from 08c1397cc1 ).
2026-02-05 10:04:17 -06:00
Kareem
eae22ab37d
Send illegal_parameter alert rather than handshake_failure when the server tries to use a cipher suite that the client does not support. Fixes #9639 .
2026-02-04 15:44:16 -07:00
Kareem
1e770e1a0f
Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640 .
2026-02-04 15:40:30 -07:00
Paul Adelsbach
08c1397cc1
Enable 8 combined OCSP and URLs instead of 1 of each
2026-02-04 11:04:46 -08:00
Paul Adelsbach
aa020f39c4
Extend AIA interface
2026-02-02 08:48:40 -08:00
Daniel Pouzzner
f2f9d5bbe7
src/internal.c: in SanityCheckMsgReceived(), gate "TLS 1.2 message order check: certificate before CKE" from 5b6f86bc8e on !WOLFSSL_NO_CLIENT_AUTH.
2026-01-30 22:38:44 -06:00
Daniel Pouzzner
6123febd3f
src/ssl_sk.c, src/x509.c, wolfssl/ssl.h: tweaks and fixes to from #9705 : remove !WOLFSSL_LINUXKM gates, and fix nullPointerArithmeticRedundantCheck in ExtractHostFromUri().
2026-01-30 17:34:37 -06:00
JacobBarthelmeh
1dc177fdbe
Merge pull request #9718 from SparkiDev/tls12_msg_order_checks
...
TLS 1.2 message order check: certificate before CKE
2026-01-30 10:50:33 -07:00
JacobBarthelmeh
9ca379f3bb
Merge pull request #9719 from dgarske/usersettings_expand
...
Improve user_settings.h examples and add validation rules
2026-01-29 15:35:12 -07:00
Tobias Frauenschläger
90be76cb94
Misc fixes and improvements regarding PKCS#11
2026-01-29 18:39:15 +01:00
Sean Parkinson
be4584784c
Split out code form ssl.c and pk.c
...
Move EC and RSA code out of pk.c into separate file.
Move out of ssl.c into separate files:
- Certificate APIs
- CRL/OCSP APIs
- Public Key APIs
- ECH
Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.
Fix formatting.
2026-01-29 18:49:56 +10:00
David Garske
c2a987595f
Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca
2026-01-28 11:27:01 -08:00
JacobBarthelmeh
a6316114bd
Merge pull request #9716 from SparkiDev/regression_fixes_22
...
Regression test fixes
2026-01-27 22:07:50 -07:00
Sean Parkinson
5b6f86bc8e
TLS 1.2 message order check: certificate before CKE
...
Make sure we received a Certificate message before the ClientKeyExchange
when a certificate is requested. (Certificate message will be empty when
client has no valid certificate.)
2026-01-28 10:35:14 +10:00
Sean Parkinson
eb2fb4a9ce
Merge pull request #9699 from anhu/downg
...
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
Sean Parkinson
bc9e37118e
Regression test fixes
...
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh
3e7efe8be2
Merge pull request #9705 from cconlon/nameConstraints
...
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Chris Conlon
610d530e45
Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name()
2026-01-26 10:36:05 -07:00
David Garske
eeaa3a7160
Merge pull request #9596 from kareem-wolfssl/zd19378
...
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
David Garske
cd88ec57b0
Merge pull request #9685 from kareem-wolfssl/gh7735
...
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
Tobias Frauenschläger
14ce7956f1
Increase test coverage
...
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests
Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Sean Parkinson
27df554e99
Merge pull request #9701 from Frauschi/brainpool-tls13
...
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
David Garske
a17f68f036
Merge pull request #9587 from kareem-wolfssl/zd20850
...
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
Kareem
1103552c37
Code review feedback
2026-01-22 15:46:13 -07:00
Kareem
d60dd53165
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378
2026-01-22 15:37:30 -07:00
Kareem
4c0c51fdff
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735
2026-01-22 15:13:15 -07:00
Kareem
baedba6a58
Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide.
2026-01-22 15:13:08 -07:00
Tobias Frauenschläger
eb8ba6124e
Support TLS 1.3 ECC Brainpool authentication
...
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger
a462398387
Support Brainpool ECC curve TLS 1.3 key exchange
...
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)
Also ensure that the existing TLS 1.2 curves are sent properly.
The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
David Garske
e4e79dd8a3
Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
...
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
Anthony Hu
d088fee72c
Add cipher suite filtering when downgrade is disabled
...
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.
Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
David Garske
f52930b844
More fixes for NO RNG and NO check key (broken in #9606 and #9576 )
2026-01-21 10:31:57 -08:00
Sean Parkinson
8902afdcea
TLS: more sanity checks on message order
...
Add more checks on message ordering for TLS 1.2 and below.
Reformat code.
2026-01-21 10:00:38 +10:00
Kareem
832bcd7f4b
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850
2026-01-20 15:59:05 -07:00
Kareem
0f0163d888
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735
2026-01-20 15:18:26 -07:00
David Garske
17401da6ae
Merge pull request #9678 from cconlon/otherNameSan
...
Fix GENERAL_NAME memory management for otherName and RID SANs
2026-01-20 10:56:37 -08:00
David Garske
6bdc6a7550
Merge pull request #9618 from SparkiDev/volatile_multi_statement
...
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Kareem
d505c0b7c5
Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them.
2026-01-20 11:40:37 -07:00
Kareem
89931bd884
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-19 17:50:26 -07:00
Sean Parkinson
c71a4dd66f
Merge pull request #9662 from AlexLanzano/tls1.2-empty-cert-fix
...
[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond
2026-01-20 09:45:29 +10:00
Chris Conlon
0f395a5f9d
Fix memory management in wolfssl_dns_entry_othername_to_gn() and
...
wolfSSL_X509_get_ext_d2i() for otherName SAN handling, add ASN_RID_TYPE case to wolfSSL_X509_get_ext_d2i()
2026-01-19 16:39:33 -07:00