Commit Graph

9713 Commits

Author SHA1 Message Date
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
Sean Parkinson 5fce8025bb Merge pull request #10386 from JeremiahM37/fenrir-4
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske 7b34be3945 Merge pull request #10331 from embhorn/zd21706
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske bf6c870889 Merge pull request #10304 from JeremiahM37/fenrir-2
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske e78418db95 Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske 8ac2a1ae1b Merge pull request #10418 from rlm2002/coverity
20260506 Coverity
2026-05-07 14:11:32 -07:00
sebastian-carpenter 15b8c88bf6 Write ECH last in HRR to promote interop 2026-05-07 10:10:00 -06:00
sebastian-carpenter 9d938c12ea supported_versions added to non-encode list 2026-05-07 10:10:00 -06:00
sebastian-carpenter e3b291589d TLS ECH outerExtensions (client-side) 2026-05-07 10:10:00 -06:00
Eric Blankenhorn c55b77b382 Fix handling of registeredID 2026-05-07 07:33:56 -05:00
Eric Blankenhorn df7a5e8a85 Fix in CheckForAltNames to handle IPSAN 2026-05-07 07:33:55 -05:00
Eric Blankenhorn 0f50c225e2 Fix IDNA matching 2026-05-07 07:31:25 -05:00
Daniel Pouzzner d86174cc50 src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);

scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Jeremiah Mackey 0e08253b0d fix logic errors in stale code 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 81b66c9cd8 harden SSL config defaults 2026-05-07 02:34:41 +00:00
Jeremiah Mackey b5cff8dcca harden TLS handshake validation 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 3d489d1c10 tests 2026-05-07 02:33:58 +00:00
Jeremiah Mackey 4c76eae0aa zeroize DH private keys on free 2026-05-07 02:31:51 +00:00
Jeremiah Mackey 88664f7224 guard zero length in DES ncbc 2026-05-07 02:31:51 +00:00
Jeremiah Mackey 31c69bfdbc harden SSL config and session 2026-05-07 02:31:51 +00:00
Jeremiah Mackey a5670d7e49 harden TLS extension processing 2026-05-07 02:31:51 +00:00
Daniel Pouzzner b6de2d3cbc src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Ruby Martin 80f971cd6d clears dereference before null check 2026-05-06 11:22:47 -06:00
Ruby Martin 682b628eed remove redundant, always true, checks 2026-05-06 10:51:00 -06:00
Juliusz Sosinowicz 061311d6ca zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
  verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
  so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
  and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
  CRL/OCSP checks; clear stale state from session cache on verification
  failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
  hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
  TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
  by consolidating into VerifyTicketBinding(), called once after
  ALPN_Select in DoTls13ClientHello and DoClientHello; the early
  per-call sites ran before extensions were parsed and rejected valid
  resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
  overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
  to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
  add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
  it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00
David Garske 6a3eb6f0a8 Merge pull request #10360 from gasbytes/cipher-init-dtls13-fix
dtls13: free and null the cipher slot on init failure in Dtls13InitAesCipher and ChaCha equivalent
2026-05-05 13:08:06 -07:00
David Garske e3a195d394 Merge pull request #10075 from josepho0918/mqx
Improve compatibility for XINET_PTON
2026-05-05 12:47:45 -07:00
David Garske e3285850f9 Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
David Garske 3147a10f23 Merge pull request #10141 from sebastian-carpenter/tls-ech-downgrade
TLS ECH Compliance Fixes
2026-05-05 12:14:20 -07:00
David Garske da038c6d51 Merge pull request #10299 from Frauschi/pqc_key_share_fix
Fix PQC key exchange with multiple KEM key shares
2026-05-05 12:03:32 -07:00
David Garske c3cd71ea02 Merge pull request #9965 from kojo1/mldsa
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske 309ada27a7 Merge pull request #10370 from cconlon/setAKID
Fix malformed AKID extension from wolfSSL_X509_set_authority_key_id()
2026-05-05 11:55:38 -07:00
David Garske 644f6171ab Merge pull request #10290 from LinuxJedi/emnet
Fix emNET support and add tests
2026-05-05 11:46:15 -07:00
David Garske 8e46221428 Merge pull request #10336 from julek-wolfssl/wolfSSL_PEM_read_bio_X509_CRL-multi-crl-fix
src/x509.c: refactor wolfSSL_PEM_read_bio_X509_CRL onto the per-block reader
2026-05-05 11:42:00 -07:00
David Garske 3b7ac9fd25 Merge pull request #10327 from embhorn/zd21704
Hardening in TLSX_KeyShare_ProcessPqcHybridClient
2026-05-05 11:41:43 -07:00
David Garske 678ddd6c73 Merge pull request #10339 from embhorn/zd21707
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske b0fca9df10 Merge pull request #10276 from padelsbach/asn1-time-chars-check
Add checks for ascii digits in time decode functions
2026-05-05 11:38:47 -07:00
David Garske bc15131f60 Merge pull request #10338 from gasbytes/cert-ext-offered-list-fix
reject extensions in a TLS 1.3 Certificate message that were not offered in the prior ClientHello/CertificateRequest
2026-05-05 11:38:25 -07:00
David Garske 403f0fe637 Merge pull request #10230 from julek-wolfssl/fenrir/20260415
Fenrir fixes
2026-05-05 11:34:43 -07:00
David Garske 7e9635df19 Merge pull request #10208 from ColtonWilley/bio-io-negative-length-checks
Guard against negative length in BIO, I/O callbacks and PKCS12 PBKDF
2026-05-05 11:32:21 -07:00
David Garske c278b614dd Merge pull request #10337 from embhorn/zd21709
Fix DupSSL issue with Poly1305 auth
2026-05-05 11:26:29 -07:00
David Garske d793452264 Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske 80c9d3f048 Merge pull request #10183 from douzzer/20260409-IsValidFQDN
20260409-IsValidFQDN
2026-05-05 11:22:51 -07:00
David Garske 6fb7cb3980 Merge pull request #10277 from kareem-wolfssl/zd21664_5
Add some missing length checks and fix length calculation.
2026-05-05 10:39:22 -07:00
sebastian-carpenter 61ba5378fe TLS ECH compliance fixes 2026-05-04 15:46:18 -06:00
Tobias Frauenschläger 3524ece54e Fix PQC key exchange with multiple KEM key shares 2026-05-04 10:32:45 +02:00
Takashi Kojo 1a6dee2bb3 Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id 2026-05-02 08:13:08 +09:00
Chris Conlon df8e2eedb3 x509: fix malformed AKID extension from wolfSSL_X509_set_authority_key_id 2026-05-01 10:04:31 -06:00
Daniel Pouzzner d8797f59c4 Merge pull request #10261 from Frauschi/slh-dsa
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
JacobBarthelmeh fc51a38094 Merge pull request #10135 from lealem47/nid_ED
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00