Commit Graph

9149 Commits

Author SHA1 Message Date
Sean Parkinson 7245ad02bb Merge pull request #9748 from gasbytes/wolfSSL_d2i_SSL_SESSION-fix
add missing checks in wolfSSL_d2i_SSL_SESSION
2026-02-10 21:22:16 +10:00
Daniel Pouzzner d36953948b src/ssl_api_pk.c: in wolfSSL_CTX_SetTmpEC_DHE_Sz(), fix gate-dependent syntax error in if construct;
src/ssl_p7p12.c: in wolfSSL_SMIME_read_PKCS7(), fix memleakOnRealloc.
2026-02-07 12:00:00 -06:00
Daniel Pouzzner 51f5f8799d src/ssl_api_pk.c: fix -Wmaybe-uninitialized in check_cert_key_dev() (defect introduced in #9723);
wolfcrypt/test/test.c: fix error-path memory leaks in srtpkdf_test(), and properly gate out incompatible SRTP_KDF_LONG_KEY test on old FIPS (defect introduced in #9733);

.wolfssl_known_macro_extras: get into lexical order and remove unneeded WC_RSA_DIRECT.
2026-02-06 13:06:10 -06:00
Reda Chouk f94eb68ea3 add missing checks in wolfSSL_d2i_SSL_SESSION 2026-02-06 17:00:42 +01:00
Daniel Pouzzner 25db90afe7 Merge pull request #9741 from kareem-wolfssl/variousFixes
Various fixes
2026-02-05 20:32:12 -06:00
Daniel Pouzzner 8e6ebdb8ac Merge pull request #9723 from SparkiDev/ssl_split_cert
Split out code form ssl.c and pk.c
2026-02-05 18:21:36 -06:00
David Garske c3ef6afcfd Merge pull request #9743 from douzzer/20260205-fixes
20260205-fixes
2026-02-05 15:23:57 -08:00
Daniel Pouzzner 1d871879df Merge pull request #9726 from Frauschi/pkcs11_pqc_prep
PKCS#11 PQC preparation work
2026-02-05 16:50:25 -06:00
Paul Adelsbach 635832010e Use WOLFSSL_STACK methods in new AIA functions 2026-02-05 11:54:26 -08:00
Daniel Pouzzner 0cc1dc29c4 src/x509.c: in x509_aia_append_string(), use heap pointer from supplied *head, and initialize WOLFSSL_STACK.type (fixes "Conditional jump or move depends on uninitialised value(s)" from 08c1397cc1);
wolfssl/wolfcrypt/asn.h: use WC_BITFIELD for extAuthInfoListSz and extAuthInfoListOverflow bitfields, for C89 compat (fixes -Wpedantic from 08c1397cc1).
2026-02-05 10:04:17 -06:00
Kareem eae22ab37d Send illegal_parameter alert rather than handshake_failure when the server tries to use a cipher suite that the client does not support. Fixes #9639. 2026-02-04 15:44:16 -07:00
Kareem 1e770e1a0f Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640. 2026-02-04 15:40:30 -07:00
Paul Adelsbach 08c1397cc1 Enable 8 combined OCSP and URLs instead of 1 of each 2026-02-04 11:04:46 -08:00
Paul Adelsbach aa020f39c4 Extend AIA interface 2026-02-02 08:48:40 -08:00
Daniel Pouzzner f2f9d5bbe7 src/internal.c: in SanityCheckMsgReceived(), gate "TLS 1.2 message order check: certificate before CKE" from 5b6f86bc8e on !WOLFSSL_NO_CLIENT_AUTH. 2026-01-30 22:38:44 -06:00
Daniel Pouzzner 6123febd3f src/ssl_sk.c, src/x509.c, wolfssl/ssl.h: tweaks and fixes to from #9705: remove !WOLFSSL_LINUXKM gates, and fix nullPointerArithmeticRedundantCheck in ExtractHostFromUri(). 2026-01-30 17:34:37 -06:00
JacobBarthelmeh 1dc177fdbe Merge pull request #9718 from SparkiDev/tls12_msg_order_checks
TLS 1.2 message order check: certificate before CKE
2026-01-30 10:50:33 -07:00
JacobBarthelmeh 9ca379f3bb Merge pull request #9719 from dgarske/usersettings_expand
Improve user_settings.h examples and add validation rules
2026-01-29 15:35:12 -07:00
Tobias Frauenschläger 90be76cb94 Misc fixes and improvements regarding PKCS#11 2026-01-29 18:39:15 +01:00
Sean Parkinson be4584784c Split out code form ssl.c and pk.c
Move EC and RSA code out of pk.c into separate file.

Move out of ssl.c into separate files:
  - Certificate APIs
  - CRL/OCSP APIs
  - Public Key APIs
  - ECH

Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.

Fix formatting.
2026-01-29 18:49:56 +10:00
David Garske c2a987595f Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca 2026-01-28 11:27:01 -08:00
JacobBarthelmeh a6316114bd Merge pull request #9716 from SparkiDev/regression_fixes_22
Regression test fixes
2026-01-27 22:07:50 -07:00
Sean Parkinson 5b6f86bc8e TLS 1.2 message order check: certificate before CKE
Make sure we received a Certificate message before the ClientKeyExchange
when a certificate is requested. (Certificate message will be empty when
client has no valid certificate.)
2026-01-28 10:35:14 +10:00
Sean Parkinson eb2fb4a9ce Merge pull request #9699 from anhu/downg
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh 3e7efe8be2 Merge pull request #9705 from cconlon/nameConstraints
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Chris Conlon 610d530e45 Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name() 2026-01-26 10:36:05 -07:00
David Garske eeaa3a7160 Merge pull request #9596 from kareem-wolfssl/zd19378
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
David Garske cd88ec57b0 Merge pull request #9685 from kareem-wolfssl/gh7735
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
Tobias Frauenschläger 14ce7956f1 Increase test coverage
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Sean Parkinson 27df554e99 Merge pull request #9701 from Frauschi/brainpool-tls13
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
David Garske a17f68f036 Merge pull request #9587 from kareem-wolfssl/zd20850
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
Kareem 1103552c37 Code review feedback 2026-01-22 15:46:13 -07:00
Kareem d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
Kareem 4c0c51fdff Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-22 15:13:15 -07:00
Kareem baedba6a58 Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide. 2026-01-22 15:13:08 -07:00
Tobias Frauenschläger eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
David Garske e4e79dd8a3 Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
Anthony Hu d088fee72c Add cipher suite filtering when downgrade is disabled
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.

Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
David Garske f52930b844 More fixes for NO RNG and NO check key (broken in #9606 and #9576) 2026-01-21 10:31:57 -08:00
Sean Parkinson 8902afdcea TLS: more sanity checks on message order
Add more checks on message ordering for TLS 1.2 and below.
Reformat code.
2026-01-21 10:00:38 +10:00
Kareem 832bcd7f4b Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850 2026-01-20 15:59:05 -07:00
Kareem 0f0163d888 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-20 15:18:26 -07:00
David Garske 17401da6ae Merge pull request #9678 from cconlon/otherNameSan
Fix GENERAL_NAME memory management for otherName and RID SANs
2026-01-20 10:56:37 -08:00
David Garske 6bdc6a7550 Merge pull request #9618 from SparkiDev/volatile_multi_statement
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Kareem d505c0b7c5 Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them. 2026-01-20 11:40:37 -07:00
Kareem 89931bd884 Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed. 2026-01-19 17:50:26 -07:00
Sean Parkinson c71a4dd66f Merge pull request #9662 from AlexLanzano/tls1.2-empty-cert-fix
[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond
2026-01-20 09:45:29 +10:00
Chris Conlon 0f395a5f9d Fix memory management in wolfssl_dns_entry_othername_to_gn() and
wolfSSL_X509_get_ext_d2i() for otherName SAN handling, add ASN_RID_TYPE case to wolfSSL_X509_get_ext_d2i()
2026-01-19 16:39:33 -07:00