Sean Parkinson
abfff1ec2f
Merge pull request #10167 from embhorn/zd21571
...
Fix ETM on resumption
2026-04-10 07:45:20 +10:00
David Garske
8059fbdbe8
Merge pull request #10129 from rlm2002/coverity_fix
...
03042026 Coverity tests fix
2026-04-09 13:35:36 -07:00
David Garske
9e199f3ae7
Merge pull request #10165 from rlm2002/coverity
...
Coverity fix
2026-04-09 13:34:26 -07:00
David Garske
cc72851694
Merge pull request #10026 from LinuxJedi/actions-composite-caching
...
Composite GHA action with caching
2026-04-09 12:01:24 -07:00
David Garske
a91096501f
Merge pull request #10153 from sebastian-carpenter/GH-10067
...
do not enable TLSX with --enable-ech
2026-04-09 11:43:52 -07:00
David Garske
a3ef93567e
Merge pull request #10147 from julek-wolfssl/ocsp-responder-docs
...
Add documentation for new OCSP responder and cert accessor APIs
2026-04-09 11:42:03 -07:00
Eric Blankenhorn
31eb54f950
Fix from review
2026-04-09 11:32:47 -05:00
JacobBarthelmeh
044a5f8b81
Merge pull request #10143 from dgarske/qat_aes_gcm
...
Improve QAT AES GCM tag checking
2026-04-09 09:40:25 -06:00
Eric Blankenhorn
191b827579
Fix from review
2026-04-09 10:14:45 -05:00
Sean Parkinson
3e0679ee17
Merge pull request #10156 from douzzer/20260407-SHA3-unaligned-access
...
20260407-SHA3-unaligned-access
2026-04-09 18:47:06 +10:00
Sean Parkinson
6617863249
Merge pull request #10145 from Frauschi/ecc_follow_up
...
ECC curve validation follow-up
2026-04-09 18:35:56 +10:00
Sean Parkinson
2a064607e4
Merge pull request #10150 from julek-wolfssl/enable-ocsp-responder-disable-tls13
...
Guard OCSP signature params with WC_RSA_PSS ifdef
2026-04-09 18:13:00 +10:00
Sean Parkinson
139042e6d5
Merge pull request #10159 from Frauschi/dual_alg_fix
...
Fix build failure for DUAL_ALG_CERTS
2026-04-09 18:00:47 +10:00
Eric Blankenhorn
b218b29403
Fix from review
2026-04-08 16:13:23 -05:00
Eric Blankenhorn
af5369636a
Fix ETM on resumption
2026-04-08 15:06:11 -05:00
David Garske
1d363f3adc
Merge pull request #10163 from JacobBarthelmeh/release
...
prepare for release 5.9.1
2026-04-08 10:40:06 -07:00
Juliusz Sosinowicz
bfad5398b1
MSVC: replace UINT32_MAX with WOLFSSL_MAX_32BIT in dilithium.c
2026-04-08 10:00:52 -07:00
Ruby Martin
5e87b82dfa
initialize key and rng in test_DhAgree_rejects_p_minus_1()
2026-04-08 09:48:06 -06:00
JacobBarthelmeh
719e98f717
prepare for release 5.9.1
2026-04-08 07:34:41 -06:00
Juliusz Sosinowicz
78e5ae3978
Address review comments
2026-04-08 11:35:48 +02:00
Tobias Frauenschläger
178d2f61f4
Fix build with WOLFSSL_DUAL_ALG_CERTS and HAVE_PK_CALLBACKS
2026-04-08 10:18:00 +02:00
Daniel Pouzzner
750f3b119e
Merge pull request #10088 from anhu/new_various
...
Various security fixes and tests
2026-04-07 22:13:18 -05:00
JacobBarthelmeh
4fd0df42e7
add adjustment for review
2026-04-07 21:08:11 -06:00
JacobBarthelmeh
9a79c412a5
Merge pull request #10154 from douzzer/20260407-fips-ready-WC_FIPS_186_4
...
20260407-fips-ready-WC_FIPS_186_4
2026-04-07 16:46:16 -06:00
JacobBarthelmeh
7f84fb2624
Merge pull request #10152 from douzzer/20260407-BLAKE-gating
...
20260407-BLAKE-gating
2026-04-07 16:18:09 -06:00
JacobBarthelmeh
d1c6423b82
make the padding check constant time and move evp exponent print size macro to local file
2026-04-07 16:09:52 -06:00
David Garske
852ddcb37d
Improve QAT AES GCM tag checking
2026-04-07 13:53:41 -07:00
Daniel Pouzzner
296148b4e6
wolfcrypt/src/sha3.c: fix Load64Unaligned() implementation with unaligned integer access when WC_SHA3_FAULT_HARDEN && !BIG_ENDIAN_ORDER.
2026-04-07 15:39:31 -05:00
JacobBarthelmeh
ecfd1174bb
refactor sanity pointer set of session and clean up macro guards
2026-04-07 14:10:25 -06:00
Daniel Pouzzner
5fa8b1535a
wolfssl/wolfcrypt/settings.h: for fips-ready, set WC_FIPS_186_4, not _5, to match v5/v6.
2026-04-07 14:35:15 -05:00
sebastian-carpenter
faf93cba85
do not enable TLSX with --enable-ech
2026-04-07 12:40:38 -06:00
Daniel Pouzzner
60d1e222b2
globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
...
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
JacobBarthelmeh
ad1cc4e87f
adjust test case return value check after rebase
2026-04-07 10:26:16 -06:00
Paul Adelsbach
c335f7dd6f
Remove UTF-8 chars
...
Get rid of weird character
Fix warning found by CI
Style changes
Addressed 1 and 2.
2026-04-07 10:07:12 -06:00
Anthony Hu
2e32094545
Add regression tests for fixes
2026-04-07 10:05:56 -06:00
Anthony Hu
5bd5f36dff
Fix RSA exponent printing (ZD 21426)
...
Increase buff size from 8 to 24 bytes in PrintPubKeyRSA and related
EVP PKEY print functions.
2026-04-07 10:05:48 -06:00
Anthony Hu
985cceaa97
Fix session cache restore dangling pointer (ZD 21423)
...
Reinitialize pointer fields in WOLFSSL_SESSION after raw XMEMCPY or
XFREAD in wolfSSL_memrestore_session_cache and
wolfSSL_restore_session_cache. After restore, ticket is reset to
staticTicket, ticketLenAlloc to 0, and peer to NULL.
2026-04-07 10:05:31 -06:00
Anthony Hu
c563f3932a
Fix PKCS7 CBC padding oracle in EnvelopedData and EncryptedData (ZD 21422)
...
Replace single last-byte padding check with full PKCS#5/PKCS#7
validation: verify padLen is non-zero and within block size.
Both wc_PKCS7_DecodeEnvelopedData and wc_PKCS7_DecodeEncryptedData
paths are fixed.
2026-04-07 10:05:21 -06:00
Anthony Hu
d14b506c51
Fix Dilithium with USE_INTEL_SPEEDUP (ZD 21417)
...
Add check before word32 addition in dilithium_hash256() that
could wrap to zero, bypassing the size check.
Also reject absurdly large msgLen (> UINT32_MAX/2) in
wc_dilithium_verify_ctx_msg.
2026-04-07 10:04:41 -06:00
Anthony Hu
b3278af8dc
Fix wc_*_delete() functions (ZD 21415)
...
Save key->heap before calling wc_*_free(), which zeros the entire key
structure via ForceZero. The saved heap pointer is then passed to XFREE
instead of the now-zeroed key->heap.
2026-04-07 10:04:35 -06:00
Anthony Hu
e0421828ff
Fix TLS 1.3 PQC key share over heap read (ZD 21413)
...
Validate that the received key share data length (keLen) is at least
as large as the expected ciphertext size (ctSz) before passing it to
wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a
short ML-KEM key share.
2026-04-07 10:04:19 -06:00
Juliusz Sosinowicz
8d54e2213f
Guard OCSP signature params with WC_RSA_PSS ifdef
...
OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS is only defined when WC_RSA_PSS
is enabled but was used unconditionally in EncodeBasicOcspResponse,
causing a build error when WC_RSA_PSS is not defined.
2026-04-07 17:30:30 +02:00
JacobBarthelmeh
7aac9e5766
Merge pull request #10139 from philljj/fix_nightly_mem
...
Fix nightly mem
2026-04-07 09:08:01 -06:00
Juliusz Sosinowicz
a96f20e26b
Add documentation for new OCSP responder and cert accessor APIs
2026-04-07 14:25:35 +02:00
Tobias Frauenschläger
06e63f0a7b
ECC curve validation follow-up
2026-04-07 12:40:44 +02:00
philljj
b5874a6d9e
Merge pull request #10132 from douzzer/20260404-default_rng_bank
...
20260404-default_rng_bank
2026-04-06 22:54:20 -05:00
Daniel Pouzzner
efe6ad4bd6
Merge pull request #10116 from Frauschi/zd21457
...
Additional fixes
2026-04-06 20:23:25 -05:00
Daniel Pouzzner
9347c895fc
Merge pull request #10133 from Frauschi/ecc_curve_validation
...
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner
ede15b4ff4
Merge pull request #10137 from JacobBarthelmeh/acert
...
fix for acert builds
2026-04-06 19:17:48 -05:00
Daniel Pouzzner
32502e9963
Merge pull request #10102 from Frauschi/zd21460
...
Various fixes
2026-04-06 18:41:31 -05:00