wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-27 03:52:19 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,876 Commits 12 Branches 184 Tags
bb8673070abfd1bc558ae7fd44a595dee6ae08f9
Commit Graph

8949 Commits

Author SHA1 Message Date
Josh Holtrop
bb8673070a Use uppercase U 2025-11-19 23:52:21 -05:00
Josh Holtrop
268b81c29e TLSv1.3 certificate verify: report rsa_pss_pss_* signature algorithm when supported 2025-11-19 09:47:05 -05:00
Daniel Pouzzner
c430cc75ea src/ssl.c and wolfssl/ssl.h: fix signature on wolfSSL_CTX_get0_privatekey() -- ctx is not const; 
wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: tweak gates on atomic implementations to maximize availability within currently supported targets;

fix some whitespace.
 2025-11-13 17:11:52 -06:00
Daniel Pouzzner
26ba6344f2 add wolfSSL_Atomic_Ptr_CompareExchange(); mitigate race on ctx->privateKeyPKey in wolfSSL_CTX_get0_privatekey(). 2025-11-13 16:25:49 -06:00
David Garske
5a8411a1ad Merge pull request #9418 from SparkiDev/tls13_ks_dup_check_fix 
TLS 1.3 duplicate KeyShare entry fix
 2025-11-12 16:09:11 -08:00
David Garske
f53191bae2 Merge pull request #9416 from julek-wolfssl/priv-key-blinding 
Fix errors when blinding private keys
 2025-11-12 16:09:03 -08:00
Sean Parkinson
1ec18949bc TLS 1.3 duplicate KeyShare entry fix 
Fix comparison to be greater than or equal in case count is incremented
after maxing out.
 2025-11-13 08:23:19 +10:00
David Garske
7cfffd5bbc Merge pull request #9308 from kareem-wolfssl/zd20603 
Add IPv6 support to wolfSSL_BIO_new_accept and wolfIO_TcpBind.
 2025-11-12 11:09:17 -08:00
Juliusz Sosinowicz
d1c321abdc Don't override errors when blinding the priv key 2025-11-12 17:12:22 +01:00
Kareem
fbb7ae2257 Add NULL check to wolfSSL_BIO_new_accept. 2025-11-11 16:20:09 -07:00
Kareem
3296e6a1f0 Merge remote-tracking branch 'upstream/master' into zd20603 2025-11-11 16:15:22 -07:00
David Garske
6914f08f5e Merge pull request #9391 from holtrop/check-dup-extensions-fix 
Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377
 2025-11-11 14:05:14 -08:00
Josh Holtrop
798b16dcef Address more code review feedback for PR 9391 2025-11-11 15:36:28 -05:00
Josh Holtrop
32b00fd10b Address code review feedback for PR 9391 2025-11-11 14:06:44 -05:00
David Garske
2db1c7a522 Merge pull request #9395 from SparkiDev/tls12_cv_sig_check 
TLS 1.2 CertificateVerify: validate sig alg matches peer key
 2025-11-11 09:18:11 -08:00
Sean Parkinson
f54ca0d481 TLS 1.2 CertificateVerify: req sig alg to have been in CR 
The signature algorithm specified in CertificateVerify must have been in
the CertificateRequest. Add check.

The cipher suite test cases, when client auth and RSA are built-in and
use the default client certificate and use the *-ECDSA-* cipher
suites, no longer work. The client certificate must be ECC when the
cipher suite has ECDSA. Don't run them for that build.
 2025-11-11 13:20:46 +10:00
Josh Holtrop
3af60ff85d Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377 2025-11-10 10:06:07 -05:00
Daniel Pouzzner
9e9a7392d4 Merge pull request #9373 from julek-wolfssl/WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY 
Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards
 2025-11-08 11:04:43 -06:00
Daniel Pouzzner
ea4311666e Merge pull request #9367 from julek-wolfssl/wolfDTLS_accept_stateless-early-data 
wolfDTLS_accept_stateless: Fix handling for early data
 2025-11-08 11:04:19 -06:00
JacobBarthelmeh
4f4826ae92 Merge pull request #9385 from anhu/not_len 
Use suites->hashSigAlgoSz when calling TLSX_SignatureAlgorithms_MapPss
 2025-11-07 13:49:30 -07:00
JacobBarthelmeh
4c5bc5f8fe Merge pull request #9387 from SparkiDev/tls12_cr_order 
TLS 1.2: client message order check
 2025-11-07 10:00:39 -07:00
Sean Parkinson
58bd6a8d94 TLS 1.2 CertificateVerify: validate sig alg matches peer key 
Don't proceed with parsing CertificateVerify message in TLS 1.2 if the
signature algorithm doesn't match the peer's key (key from client
certificate).
 2025-11-07 13:26:26 +10:00
Sean Parkinson
f376c8d910 Merge pull request #9388 from lealem47/scan_build 
Various fixes for nightly tests
 2025-11-07 09:30:08 +10:00
Juliusz Sosinowicz
c2377fd266 DTLS: Clear userSet when peer is set in EmbedReceiveFrom 
This allows us to differentiate between the user explicitly setting a peer and wolfio setting it. When wolfio sets the peer, we want to be able to update the peer address while in stateless parsing (governed by the `newPeer` variable).
 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
975033c64f DTLS: Introduce returnOnGoodCh option for early ClientHello processing return 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
0d7fe2f0a4 DTLS: Introduce custom I/O callbacks API and structure 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
3ebc0c5f99 Update logs 2025-11-06 16:39:48 +01:00
Juliusz Sosinowicz
ed970e7cd8 Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards 2025-11-06 16:35:11 +01:00
Lealem Amedie
08db159c5d Fixes for minor scan-build warnings 2025-11-05 21:27:06 -07:00
Sean Parkinson
3ec882cd66 Merge pull request #9380 from julek-wolfssl/ip-addr-check 
Improve domain and IP address matching in certificate verification
 2025-11-06 09:49:07 +10:00
Sean Parkinson
958fa1af60 TLS 1.2: client message order check 
Error when client receives CertificateRequest out of order: not after
Certificate and not after ServerKeyExchange if being sent.
 2025-11-05 10:00:11 +10:00
Anthony Hu
6e583a01f1 Use suites->hashSigAlgoSz instead of len in call to TLSX_SignatureAlgorithms_MapPss 2025-11-04 15:36:33 -05:00
Juliusz Sosinowicz
f95cb4e9bf Improve domain and IP address matching in certificate verification 
- Distinguish between domain and IP address checks.
- Update curl action to test with httpd server
 2025-11-04 18:36:29 +01:00
Marco Oliverio
0127571238 dtls13: advance buffer index on error 2025-11-03 13:43:33 +01:00
Daniel Pouzzner
5922b5def5 Merge pull request #9363 from julek-wolfssl/refactor-zero-return 
Improve TLS 1.3 early data handling.
 2025-10-31 17:39:11 -05:00
Daniel Pouzzner
643cbe127d Merge pull request #9354 from rlm2002/coverity 
20251027 Coverity fixes
 2025-10-30 23:54:18 -05:00
Daniel Pouzzner
7085421dd0 Merge pull request #9340 from julek-wolfssl/tls13-hrr-cs-change 
Validate cipher suite after HelloRetryRequest
 2025-10-30 23:46:50 -05:00
Daniel Pouzzner
a2b3af095d Merge pull request #9339 from effbiae/EcMakeKey 
refactor to EcMakeKey
 2025-10-30 23:45:22 -05:00
Daniel Pouzzner
9c031608ef Merge pull request #9349 from effbiae/EcExportHsKey 
refactor to EcExportHsKey
 2025-10-30 23:44:58 -05:00
Juliusz Sosinowicz
3209d264b8 Improve TLS 1.3 early data handling. 
Introduce `clientInEarlyData` to only return when in `wolfSSL_read_early_data`. This makes sure that other API don't return `ZERO_RETURN` when not in `wolfSSL_read_early_data`. Chose `APP_DATA_READY` as it won't result in a false positive return from `wolfSSL_read_early_data`.
 2025-10-29 19:04:36 +01:00
Daniel Pouzzner
d260493642 src/internal.c: in HashOutput(), check for null output pointer; 
examples/pem/pem.c: in main(), add missing check that ret == 0 in _DER_TO_PEM code path.
 2025-10-29 10:04:24 -05:00
Juliusz Sosinowicz
7b7f9a4fe0 dtls: Check PSK ciphersuite against local list 2025-10-29 13:14:50 +01:00
Juliusz Sosinowicz
c14b1a0504 Validate cipher suite after HelloRetryRequest 
- Add validation to ensure the cipher suite in the ServerHello matches the one specified in the HelloRetryRequest.
- test_TLSX_CA_NAMES_bad_extension: use the same ciphersuite in HRR and SH
 2025-10-29 13:14:50 +01:00
Daniel Pouzzner
8c60b7b250 src/internal.c and tests/api.c: fix clang-analyzer-core.NullPointerArithms. 2025-10-28 16:42:14 -05:00
Daniel Pouzzner
9b90ea83eb src/x509.c: in wolfSSL_X509_get_ext_by_OBJ() and wolfSSL_X509_load_cert_crl_file(), add local protection from null derefs (fixes -Wnull-dereferences); 
wolfcrypt/src/chacha.c and wolfssl/wolfcrypt/chacha.h: implement USE_ARM_CHACHA_SPEEDUP gate;

wolfcrypt/src/kdf.c: in wc_SSH_KDF(), add early return if _HashInit() fails (fixes _HashFree() of uninited _hash);

wolfcrypt/src/sha256.c: initialize sha256->W in ARMASM variant of wc_InitSha256_ex(), and pass sha256->heap to XMALLOC/XFREE consistently.
 2025-10-28 16:42:14 -05:00
Ruby Martin
7aec2a8280 separate BAD_FUNC_ARG error from ASN_NO_PEM_HEADER 2025-10-28 10:01:10 -06:00
effbiae
1c8e7885b4 refactor to EcMakeKey 2025-10-28 08:46:47 -07:00
effbiae
993ecad16a refactor to EcExportHsKey 2025-10-28 16:01:39 +11:00
David Garske
e6af5bcd4f Merge pull request #9353 from embhorn/gh9347 
Build errors in memtest config and sniffer
 2025-10-27 13:15:00 -07:00
David Garske
594a3bc963 Merge pull request #9350 from SparkiDev/split_ssl_sk 
Stack API: Pull out implementation into separate file
 2025-10-27 08:46:43 -07:00