David Garske
3351eb429a
Merge pull request #10354 from embhorn/zd21725
...
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Sean Parkinson
5fce8025bb
Merge pull request #10386 from JeremiahM37/fenrir-4
...
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske
7b34be3945
Merge pull request #10331 from embhorn/zd21706
...
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske
bf6c870889
Merge pull request #10304 from JeremiahM37/fenrir-2
...
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske
e78418db95
Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
...
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske
8ac2a1ae1b
Merge pull request #10418 from rlm2002/coverity
...
20260506 Coverity
2026-05-07 14:11:32 -07:00
sebastian-carpenter
15b8c88bf6
Write ECH last in HRR to promote interop
2026-05-07 10:10:00 -06:00
sebastian-carpenter
9d938c12ea
supported_versions added to non-encode list
2026-05-07 10:10:00 -06:00
sebastian-carpenter
e3b291589d
TLS ECH outerExtensions (client-side)
2026-05-07 10:10:00 -06:00
Eric Blankenhorn
c55b77b382
Fix handling of registeredID
2026-05-07 07:33:56 -05:00
Eric Blankenhorn
df7a5e8a85
Fix in CheckForAltNames to handle IPSAN
2026-05-07 07:33:55 -05:00
Eric Blankenhorn
0f50c225e2
Fix IDNA matching
2026-05-07 07:31:25 -05:00
Daniel Pouzzner
d86174cc50
src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
...
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);
scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Jeremiah Mackey
0e08253b0d
fix logic errors in stale code
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
81b66c9cd8
harden SSL config defaults
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
b5cff8dcca
harden TLS handshake validation
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
3d489d1c10
tests
2026-05-07 02:33:58 +00:00
Jeremiah Mackey
4c76eae0aa
zeroize DH private keys on free
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
88664f7224
guard zero length in DES ncbc
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
31c69bfdbc
harden SSL config and session
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
a5670d7e49
harden TLS extension processing
2026-05-07 02:31:51 +00:00
Daniel Pouzzner
b6de2d3cbc
src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
...
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Ruby Martin
80f971cd6d
clears dereference before null check
2026-05-06 11:22:47 -06:00
Ruby Martin
682b628eed
remove redundant, always true, checks
2026-05-06 10:51:00 -06:00
Juliusz Sosinowicz
061311d6ca
zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
...
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
  verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
  so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
  and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
  CRL/OCSP checks; clear stale state from session cache on verification
  failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
  hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
  TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
  by consolidating into VerifyTicketBinding(), called once after
  ALPN_Select in DoTls13ClientHello and DoClientHello; the early
  per-call sites ran before extensions were parsed and rejected valid
  resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
  overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
  to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
  add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
  it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00
David Garske
6a3eb6f0a8
Merge pull request #10360 from gasbytes/cipher-init-dtls13-fix
...
dtls13: free and null the cipher slot on init failure in Dtls13InitAesCipher and ChaCha equivalent
2026-05-05 13:08:06 -07:00
David Garske
e3a195d394
Merge pull request #10075 from josepho0918/mqx
...
Improve compatibility for XINET_PTON
2026-05-05 12:47:45 -07:00
David Garske
e3285850f9
Merge pull request #10289 from julek-wolfssl/zd/21652
...
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
David Garske
3147a10f23
Merge pull request #10141 from sebastian-carpenter/tls-ech-downgrade
...
TLS ECH Compliance Fixes
2026-05-05 12:14:20 -07:00
David Garske
da038c6d51
Merge pull request #10299 from Frauschi/pqc_key_share_fix
...
Fix PQC key exchange with multiple KEM key shares
2026-05-05 12:03:32 -07:00
David Garske
c3cd71ea02
Merge pull request #9965 from kojo1/mldsa
...
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske
309ada27a7
Merge pull request #10370 from cconlon/setAKID
...
Fix malformed AKID extension from wolfSSL_X509_set_authority_key_id()
2026-05-05 11:55:38 -07:00
David Garske
644f6171ab
Merge pull request #10290 from LinuxJedi/emnet
...
Fix emNET support and add tests
2026-05-05 11:46:15 -07:00
David Garske
8e46221428
Merge pull request #10336 from julek-wolfssl/wolfSSL_PEM_read_bio_X509_CRL-multi-crl-fix
...
src/x509.c: refactor wolfSSL_PEM_read_bio_X509_CRL onto the per-block reader
2026-05-05 11:42:00 -07:00
David Garske
3b7ac9fd25
Merge pull request #10327 from embhorn/zd21704
...
Hardening in TLSX_KeyShare_ProcessPqcHybridClient
2026-05-05 11:41:43 -07:00
David Garske
678ddd6c73
Merge pull request #10339 from embhorn/zd21707
...
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske
b0fca9df10
Merge pull request #10276 from padelsbach/asn1-time-chars-check
...
Add checks for ascii digits in time decode functions
2026-05-05 11:38:47 -07:00
David Garske
bc15131f60
Merge pull request #10338 from gasbytes/cert-ext-offered-list-fix
...
reject extensions in a TLS 1.3 Certificate message that were not offered in the prior ClientHello/CertificateRequest
2026-05-05 11:38:25 -07:00
David Garske
403f0fe637
Merge pull request #10230 from julek-wolfssl/fenrir/20260415
...
Fenrir fixes
2026-05-05 11:34:43 -07:00
David Garske
7e9635df19
Merge pull request #10208 from ColtonWilley/bio-io-negative-length-checks
...
Guard against negative length in BIO, I/O callbacks and PKCS12 PBKDF
2026-05-05 11:32:21 -07:00
David Garske
c278b614dd
Merge pull request #10337 from embhorn/zd21709
...
Fix DupSSL issue with Poly1305 auth
2026-05-05 11:26:29 -07:00
David Garske
d793452264
Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
...
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske
80c9d3f048
Merge pull request #10183 from douzzer/20260409-IsValidFQDN
...
20260409-IsValidFQDN
2026-05-05 11:22:51 -07:00
David Garske
6fb7cb3980
Merge pull request #10277 from kareem-wolfssl/zd21664_5
...
Add some missing length checks and fix length calculation.
2026-05-05 10:39:22 -07:00
sebastian-carpenter
61ba5378fe
TLS ECH compliance fixes
2026-05-04 15:46:18 -06:00
Tobias Frauenschläger
3524ece54e
Fix PQC key exchange with multiple KEM key shares
2026-05-04 10:32:45 +02:00
Takashi Kojo
1a6dee2bb3
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-02 08:13:08 +09:00
Chris Conlon
df8e2eedb3
x509: fix malformed AKID extension from wolfSSL_X509_set_authority_key_id
2026-05-01 10:04:31 -06:00
Daniel Pouzzner
d8797f59c4
Merge pull request #10261 from Frauschi/slh-dsa
...
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
JacobBarthelmeh
fc51a38094
Merge pull request #10135 from lealem47/nid_ED
...
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00