Commit Graph

9741 Commits

Author SHA1 Message Date
Jeremiah Mackey a3baac7dbe zero sensitive material before free 2026-05-14 16:59:48 +00:00
Jeremiah Mackey c61fa7d633 honor OpenSSL fail-open contracts 2026-05-14 16:59:12 +00:00
Jeremiah Mackey a5ee9604c7 tls13: alert illegal_parameter for ctx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey b023a719b1 dtls13: fix window and rtx 2026-05-14 16:59:12 +00:00
Jeremiah Mackey 88fde0fff7 fix copy-paste constant mismatches 2026-05-14 16:59:12 +00:00
David Garske d0073d9e5c Merge pull request #10326 from sebastian-carpenter/tls-ech-maxnamelen
Add maximum_name_length to TLS ECH padding
2026-05-14 09:15:38 -07:00
Sean Parkinson 8d08ff8926 Merge pull request #10428 from kareem-wolfssl/gh10271_10313
tls13.c fixes + Add configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
2026-05-14 19:56:23 +10:00
David Garske 497ed9843e Merge pull request #10303 from julek-wolfssl/zd/21675
ocsp: bind responder authorization to CertID issuerKeyHash
2026-05-13 10:33:17 -07:00
Sean Parkinson 16132b4582 Merge pull request #10445 from embhorn/zd21742
Fix in ECC point conversion
2026-05-13 16:09:02 +10:00
sebastian-carpenter d029aed38f shrink ech config decoding for Arduino 2026-05-12 11:32:25 -06:00
Kareem 6aadfaa9ca Code review feedback 2026-05-12 10:30:24 -07:00
Kareem 2dc257834d Code review feedback 2026-05-12 10:30:24 -07:00
Kareem 75e38c360f NULL check wolfSSL_get_cipher_name_by_hash arguments.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem ef7671f664 In DoTls13CertificateRequest, avoid assigned the CertReqCtx to the SSL object until the function has finished.
This avoids ssl->certReqCtx being set when the function returns an error.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem 86d9a6f212 In Tls13_Exporter, check all length arguments before casting and using them.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Juliusz Sosinowicz 49906319f6 ocsp: address review feedback on PR 10303
- Use KEYID_SIZE for Signer key-hash comparisons since
  Signer.{subject,issuer}KeyHash is sized KEYID_SIZE, not OCSP_DIGEST_SIZE.
- Rename subjectHash/issuerHash to subjectNameHash/issuerNameHash in
  CheckOcspResponder/CheckOcspResponderChain to make the name-vs-key
  hash distinction explicit.
- Expand the Signer.issuerKeyHash field comment to clarify it is the
  subject key hash of the immediate issuer CA.
- Add an imposter-root-ca cert (same DN as root-ca, different RSA key)
  for tests that need to exercise the new CertID issuerKeyHash binding.
2026-05-12 14:36:00 +02:00
Juliusz Sosinowicz 0735a0a7b5 ocsp: bind responder authorization to CertID issuerKeyHash
Addresses ZD21675
2026-05-12 14:36:00 +02:00
Sean Parkinson d7bdfd3e90 Merge pull request #10349 from rizlik/dtls13_rtx_fixes
DTLS13:  Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Sean Parkinson f436fb858e Merge pull request #10437 from gasbytes/CertManagerLoadCABufferType_MoveXMemset
zero-initialize DecodedCert immediately after allocation in wolfSSL_CertManagerCABufferType
2026-05-12 22:08:53 +10:00
Sean Parkinson 218ddb449e Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
Eric Blankenhorn 05d73707ef Fixes from review 2026-05-11 15:06:32 -05:00
Eric Blankenhorn 29f3b30651 Fix in ECC point conversion 2026-05-11 15:06:32 -05:00
Reda Chouk 54bb2c2caf zero-initialize DecodedCert immediately after allocation in
wolfssl_certmanagerloadcabuffertype to prevent cleanup on an
uninitialized struct on the pem error path.
2026-05-11 20:12:19 +02:00
kaleb-himes afb90dd2da Fix private key lock issues in master 2026-05-08 17:08:38 -06:00
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
David Garske d465d8b130 Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096 2026-05-08 10:36:28 -07:00
sebastian-carpenter f6bc39881b tls ech padding improvements 2026-05-08 10:32:04 -06:00
Sean Parkinson 5fce8025bb Merge pull request #10386 from JeremiahM37/fenrir-4
Harden TLS handshake validation, OpenSSL-compat defaults, and stale code paths
2026-05-08 10:50:55 +10:00
David Garske 7b34be3945 Merge pull request #10331 from embhorn/zd21706
Fix IDNA matching
2026-05-07 16:09:33 -07:00
David Garske bf6c870889 Merge pull request #10304 from JeremiahM37/fenrir-2
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske e78418db95 Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske 8ac2a1ae1b Merge pull request #10418 from rlm2002/coverity
20260506 Coverity
2026-05-07 14:11:32 -07:00
sebastian-carpenter 15b8c88bf6 Write ECH last in HRR to promote interop 2026-05-07 10:10:00 -06:00
sebastian-carpenter 9d938c12ea supported_versions added to non-encode list 2026-05-07 10:10:00 -06:00
sebastian-carpenter e3b291589d TLS ECH outerExtensions (client-side) 2026-05-07 10:10:00 -06:00
Eric Blankenhorn c55b77b382 Fix handling of registeredID 2026-05-07 07:33:56 -05:00
Eric Blankenhorn df7a5e8a85 Fix in CheckForAltNames to handle IPSAN 2026-05-07 07:33:55 -05:00
Eric Blankenhorn 0f50c225e2 Fix IDNA matching 2026-05-07 07:31:25 -05:00
Daniel Pouzzner d86174cc50 src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);

scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Jeremiah Mackey 0e08253b0d fix logic errors in stale code 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 81b66c9cd8 harden SSL config defaults 2026-05-07 02:34:41 +00:00
Jeremiah Mackey b5cff8dcca harden TLS handshake validation 2026-05-07 02:34:41 +00:00
Jeremiah Mackey 3d489d1c10 tests 2026-05-07 02:33:58 +00:00
Jeremiah Mackey 4c76eae0aa zeroize DH private keys on free 2026-05-07 02:31:51 +00:00
Jeremiah Mackey 88664f7224 guard zero length in DES ncbc 2026-05-07 02:31:51 +00:00
Jeremiah Mackey 31c69bfdbc harden SSL config and session 2026-05-07 02:31:51 +00:00
Jeremiah Mackey a5670d7e49 harden TLS extension processing 2026-05-07 02:31:51 +00:00
Daniel Pouzzner b6de2d3cbc src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Ruby Martin 80f971cd6d clears dereference before null check 2026-05-06 11:22:47 -06:00
Ruby Martin 682b628eed remove redundant, always true, checks 2026-05-06 10:51:00 -06:00