Jeremiah Mackey
a3baac7dbe
zero sensitive material before free
2026-05-14 16:59:48 +00:00
Jeremiah Mackey
c61fa7d633
honor OpenSSL fail-open contracts
2026-05-14 16:59:12 +00:00
Jeremiah Mackey
a5ee9604c7
tls13: alert illegal_parameter for ctx
2026-05-14 16:59:12 +00:00
Jeremiah Mackey
b023a719b1
dtls13: fix window and rtx
2026-05-14 16:59:12 +00:00
Jeremiah Mackey
88fde0fff7
fix copy-paste constant mismatches
2026-05-14 16:59:12 +00:00
David Garske
d0073d9e5c
Merge pull request #10326 from sebastian-carpenter/tls-ech-maxnamelen
...
Add maximum_name_length to TLS ECH padding
2026-05-14 09:15:38 -07:00
Sean Parkinson
8d08ff8926
Merge pull request #10428 from kareem-wolfssl/gh10271_10313
...
tls13.c fixes + Add configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
2026-05-14 19:56:23 +10:00
David Garske
497ed9843e
Merge pull request #10303 from julek-wolfssl/zd/21675
...
ocsp: bind responder authorization to CertID issuerKeyHash
2026-05-13 10:33:17 -07:00
Sean Parkinson
16132b4582
Merge pull request #10445 from embhorn/zd21742
...
Fix in ECC point conversion
2026-05-13 16:09:02 +10:00
sebastian-carpenter
d029aed38f
shrink ech config decoding for Arduino
2026-05-12 11:32:25 -06:00
Kareem
6aadfaa9ca
Code review feedback
2026-05-12 10:30:24 -07:00
Kareem
2dc257834d
Code review feedback
2026-05-12 10:30:24 -07:00
Kareem
75e38c360f
NULL check wolfSSL_get_cipher_name_by_hash arguments.
...
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem
ef7671f664
In DoTls13CertificateRequest, avoid assigned the CertReqCtx to the SSL object until the function has finished.
...
This avoids ssl->certReqCtx being set when the function returns an error.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem
86d9a6f212
In Tls13_Exporter, check all length arguments before casting and using them.
...
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Juliusz Sosinowicz
49906319f6
ocsp: address review feedback on PR 10303
...
- Use KEYID_SIZE for Signer key-hash comparisons since
Signer.{subject,issuer}KeyHash is sized KEYID_SIZE, not OCSP_DIGEST_SIZE.
- Rename subjectHash/issuerHash to subjectNameHash/issuerNameHash in
CheckOcspResponder/CheckOcspResponderChain to make the name-vs-key
hash distinction explicit.
- Expand the Signer.issuerKeyHash field comment to clarify it is the
subject key hash of the immediate issuer CA.
- Add an imposter-root-ca cert (same DN as root-ca, different RSA key)
for tests that need to exercise the new CertID issuerKeyHash binding.
2026-05-12 14:36:00 +02:00
Juliusz Sosinowicz
0735a0a7b5
ocsp: bind responder authorization to CertID issuerKeyHash
...
Addresses ZD21675
2026-05-12 14:36:00 +02:00
Sean Parkinson
d7bdfd3e90
Merge pull request #10349 from rizlik/dtls13_rtx_fixes
...
DTLS13: Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Sean Parkinson
f436fb858e
Merge pull request #10437 from gasbytes/CertManagerLoadCABufferType_MoveXMemset
...
zero-initialize DecodedCert immediately after allocation in wolfSSL_CertManagerCABufferType
2026-05-12 22:08:53 +10:00
Sean Parkinson
218ddb449e
Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
...
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
Eric Blankenhorn
05d73707ef
Fixes from review
2026-05-11 15:06:32 -05:00
Eric Blankenhorn
29f3b30651
Fix in ECC point conversion
2026-05-11 15:06:32 -05:00
Reda Chouk
54bb2c2caf
zero-initialize DecodedCert immediately after allocation in
...
wolfssl_certmanagerloadcabuffertype to prevent cleanup on an
uninitialized struct on the pem error path.
2026-05-11 20:12:19 +02:00
kaleb-himes
afb90dd2da
Fix private key lock issues in master
2026-05-08 17:08:38 -06:00
David Garske
3351eb429a
Merge pull request #10354 from embhorn/zd21725
...
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
David Garske
d465d8b130
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-08 10:36:28 -07:00
sebastian-carpenter
f6bc39881b
tls ech padding improvements
2026-05-08 10:32:04 -06:00
Sean Parkinson
5fce8025bb
Merge pull request #10386 from JeremiahM37/fenrir-4
...
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske
7b34be3945
Merge pull request #10331 from embhorn/zd21706
...
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske
bf6c870889
Merge pull request #10304 from JeremiahM37/fenrir-2
...
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske
e78418db95
Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
...
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske
8ac2a1ae1b
Merge pull request #10418 from rlm2002/coverity
...
20260506 Coverity
2026-05-07 14:11:32 -07:00
sebastian-carpenter
15b8c88bf6
Write ECH last in HRR to promote interop
2026-05-07 10:10:00 -06:00
sebastian-carpenter
9d938c12ea
supported_versions added to non-encode list
2026-05-07 10:10:00 -06:00
sebastian-carpenter
e3b291589d
TLS ECH outerExtensions (client-side)
2026-05-07 10:10:00 -06:00
Eric Blankenhorn
c55b77b382
Fix handling of registeredID
2026-05-07 07:33:56 -05:00
Eric Blankenhorn
df7a5e8a85
Fix in CheckForAltNames to handle IPSAN
2026-05-07 07:33:55 -05:00
Eric Blankenhorn
0f50c225e2
Fix IDNA matching
2026-05-07 07:31:25 -05:00
Daniel Pouzzner
d86174cc50
src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
...
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);
scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Jeremiah Mackey
0e08253b0d
fix logic errors in stale code
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
81b66c9cd8
harden SSL config defaults
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
b5cff8dcca
harden TLS handshake validation
2026-05-07 02:34:41 +00:00
Jeremiah Mackey
3d489d1c10
tests
2026-05-07 02:33:58 +00:00
Jeremiah Mackey
4c76eae0aa
zeroize DH private keys on free
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
88664f7224
guard zero length in DES ncbc
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
31c69bfdbc
harden SSL config and session
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
a5670d7e49
harden TLS extension processing
2026-05-07 02:31:51 +00:00
Daniel Pouzzner
b6de2d3cbc
src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
...
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Ruby Martin
80f971cd6d
clears dereference before null check
2026-05-06 11:22:47 -06:00
Ruby Martin
682b628eed
remove redundant, always true, checks
2026-05-06 10:51:00 -06:00