Commit Graph

3297 Commits

Author SHA1 Message Date
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh 3e7efe8be2 Merge pull request #9705 from cconlon/nameConstraints
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Chris Conlon 610d530e45 Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name() 2026-01-26 10:36:05 -07:00
David Garske eeaa3a7160 Merge pull request #9596 from kareem-wolfssl/zd19378
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
David Garske cd88ec57b0 Merge pull request #9685 from kareem-wolfssl/gh7735
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
Tobias Frauenschläger 14ce7956f1 Increase test coverage
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Sean Parkinson 27df554e99 Merge pull request #9701 from Frauschi/brainpool-tls13
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
David Garske a17f68f036 Merge pull request #9587 from kareem-wolfssl/zd20850
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
Kareem 1103552c37 Code review feedback 2026-01-22 15:46:13 -07:00
Kareem d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
Kareem 4c0c51fdff Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-22 15:13:15 -07:00
Tobias Frauenschläger eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
David Garske e4e79dd8a3 Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
David Garske f52930b844 More fixes for NO RNG and NO check key (broken in #9606 and #9576) 2026-01-21 10:31:57 -08:00
Sean Parkinson 8902afdcea TLS: more sanity checks on message order
Add more checks on message ordering for TLS 1.2 and below.
Reformat code.
2026-01-21 10:00:38 +10:00
Kareem 832bcd7f4b Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850 2026-01-20 15:59:05 -07:00
Kareem 0f0163d888 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-20 15:18:26 -07:00
David Garske 6bdc6a7550 Merge pull request #9618 from SparkiDev/volatile_multi_statement
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Kareem d505c0b7c5 Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them. 2026-01-20 11:40:37 -07:00
Kareem 89931bd884 Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed. 2026-01-19 17:50:26 -07:00
Sean Parkinson c71a4dd66f Merge pull request #9662 from AlexLanzano/tls1.2-empty-cert-fix
[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond
2026-01-20 09:45:29 +10:00
Brett 65a2b06d89 ANCV: support server-side policy creation 2026-01-15 11:59:59 -07:00
Brett 22a9665e6d Prevent verify callback from blocking ANCV invocation when verify
callback is registered. Reverts behavior to pre-PR#9144
2026-01-15 11:59:59 -07:00
Alex Lanzano bdc525dd6d [TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond 2026-01-14 11:30:13 -05:00
Sean Parkinson 1aa79af41e Multiple volatile variables in a C statement undefined
Undefined behaviour when there are multiple volatile variables accessed
in the one C statement.
Changes to introduce non-volatile temporaries, split statement or make
variable non-volatile.
2026-01-13 15:08:50 +10:00
Sean Parkinson ce69f1cec0 Merge pull request #9635 from miyazakh/x509errstr_handling
Fix OpenSSL error code handling in ERR_reason_error_string()
2026-01-12 08:57:17 +10:00
Hideki Miyazaki 8571a67f13 fix PR test 2026-01-10 14:53:23 +09:00
Hideki Miyazaki 0e8af03f1d OpenSSL error code handling in reason_error_string 2026-01-10 13:50:08 +09:00
Sean Parkinson 819eab8b46 Merge pull request #9609 from Frauschi/memory_leak_fix
Fix memory leak in case of handshake error
2026-01-09 10:10:31 +10:00
David Garske 198eac24d3 Merge pull request #9606 from Frauschi/cleanup_decode_private_key
Cleanup for DecodePrivateKey() functionality
2026-01-08 11:09:44 -08:00
David Garske d290caa848 Merge pull request #9608 from Frauschi/typo_fix
Fix for WOLFSSL_BLIND_PRIVATE_KEY and WOLFSSL_DUAL_ALG_CERTS
2026-01-08 10:23:30 -08:00
Tobias Frauenschläger 05dc9f0449 Fix memory leak in case of handshake error
Make sure peer dilithium key is properly freed in case the handshakes fails.
2026-01-08 16:50:28 +01:00
Tobias Frauenschläger b8cb5bee87 Cleanup for DecodePrivateKey() functionality
* Create a new method DecodePrivateKey_ex() that gets the key to decode as parameters
* Adapt DecodePrivateKey() and DecodeAltPrivateKey() to use this new method
* Fix unblinding for TLS 1.3 Dual Algorithm Certificate alternative keys

This removes a lot of nearly duplicate code and simplifies maintenance.
2026-01-07 13:45:11 +01:00
Sean Parkinson 5343cb386a Merge pull request #9588 from kareem-wolfssl/ghAlerts
Fix incorrect alerts.
2026-01-06 20:22:51 +10:00
Tobias Frauenschläger 116260762f Fix for WOLFSSL_BLIND_PRIVATE_KEY and WOLFSSL_DUAL_ALG_CERTS 2026-01-05 17:26:11 +01:00
Kareem ddb2fb628e Add a runtime option to enable or disable the secure renegotation check. 2025-12-30 13:19:04 -07:00
Kareem 1773a4ab41 Send no_renegotiation alert when rejecting renegotation attempt as defined in RFC 5246 section 7.2.2. 2025-12-30 13:18:48 -07:00
Juliusz Sosinowicz f2d24404c8 Fix Coverity (D)TLS fragmentation size checks
Add MAX_RECORD_SIZE-based bounds checks in SendHandshakeMsg and Dtls13SendFragmentedInternal to prevent negative/overflowed fragment sizes from reaching memcpy/BuildMessage/DtlsMsgPoolSave.
2025-12-29 17:16:04 +01:00
Kareem a7b83b06c1 Alert on out of order message with unexpected_message.
Fixes #9531.
2025-12-26 15:23:23 -07:00
Kareem d09b5ee1f1 Add duplicate entry error to distinguish cases where a duplicate CRL is rejected. 2025-12-26 12:02:35 -07:00
David Garske 1744c11686 Merge pull request #9570 from kareem-wolfssl/variousFixes
Add SSL_get_rfd and SSL_get_wfd.  Various documentation updates.
2025-12-26 07:47:17 -08:00
David Garske 2354ea196b Merge pull request #9513 from rizlik/dtls_header_fix
fix DTLS header headroom accounting
2025-12-23 17:20:12 -08:00
David Garske 0fae0a7ba6 Merge pull request #9397 from rizlik/earlydata_want_write_fixes
wolfssl: preserve early-data handling across WANT_WRITE retries
2025-12-23 17:19:39 -08:00
David Garske 57ef8a7caf Merge pull request #9574 from anhu/dtls_guard
Guard a bit of DTLS code.
2025-12-23 15:03:46 -08:00
Marco Oliverio 149bf19b4c split overlong line 2025-12-23 23:41:52 +01:00
Marco Oliverio 2e63845531 use wolfssl_local as local functions prefix 2025-12-23 23:39:07 +01:00
Marco Oliverio bafb8e56d5 use wolfssl_local_ as local functions prefix 2025-12-23 23:32:08 +01:00
David Garske d36bfabe18 Merge pull request #9560 from JacobBarthelmeh/clang
fix for shadows global declaration warning
2025-12-23 08:54:50 -08:00
Sean Parkinson b766f11e7b TLS 1.3, plaintext alert: ignore when expecting encrypted
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
2025-12-23 09:09:06 +10:00
Anthony Hu cb2a80bf53 Guard a bit of DTLS code. 2025-12-22 17:05:47 -05:00