Commit Graph

27583 Commits

Author SHA1 Message Date
Sean Parkinson be4584784c Split out code form ssl.c and pk.c
Move EC and RSA code out of pk.c into separate file.

Move out of ssl.c into separate files:
  - Certificate APIs
  - CRL/OCSP APIs
  - Public Key APIs
  - ECH

Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.

Fix formatting.
2026-01-29 18:49:56 +10:00
JacobBarthelmeh a6316114bd Merge pull request #9716 from SparkiDev/regression_fixes_22
Regression test fixes
2026-01-27 22:07:50 -07:00
JacobBarthelmeh ba3653d8d0 Merge pull request #9717 from dgarske/config_rules
Make sure all configure.ac rules are also enforced in settings.h
2026-01-27 21:53:51 -07:00
Sean Parkinson eb2fb4a9ce Merge pull request #9699 from anhu/downg
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
David Garske 46251bb401 Fix issue with NO_DES3_TLS_SUITES 2026-01-27 14:42:41 -08:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh f7b5f00973 Merge pull request #9710 from rlm2002/xChaCha20_Poly1305_unitTest
Unit test updates for XChacha20-Poly1305
2026-01-27 13:56:16 -07:00
JacobBarthelmeh 4f84be8e66 Merge pull request #9715 from dgarske/rsa_key_parsing
Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support
2026-01-27 13:11:14 -07:00
David Garske 74a4bcb546 Enforce all configure.ac rules in settings.h also. Keeping configure.ac for early error checking. 2026-01-27 10:46:29 -08:00
Anthony Hu 3aa758c615 renegotiation indication changes number of ciphersuites so gate on that 2026-01-27 12:57:31 -05:00
JacobBarthelmeh 3e7efe8be2 Merge pull request #9705 from cconlon/nameConstraints
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Anthony Hu 9a53125794 Simplify testing gating logic. 2026-01-27 11:19:50 -05:00
David Garske c8fa1e915b Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support. 2026-01-26 16:06:05 -08:00
Ruby Martin 38cb14f2a9 add API unit test for XChacha20-Poly1305
Expand XChacha20-Poly1305 unit test
2026-01-26 15:33:35 -07:00
Chris Conlon 610d530e45 Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name() 2026-01-26 10:36:05 -07:00
David Garske eeaa3a7160 Merge pull request #9596 from kareem-wolfssl/zd19378
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
Anthony Hu d6985a6ee3 AES-GCM guard. 2026-01-23 16:23:44 -05:00
Kaleb Himes 4574a0c10e Merge pull request #9706 from miyazakh/selftest_pqc
Enable kyber and dilithium in selftest
2026-01-23 13:41:44 -07:00
David Garske 6ae5555718 Merge pull request #9704 from douzzer/20260122-toolchain-workarounds
20260122-toolchain-workarounds
2026-01-23 12:39:05 -08:00
David Garske cd88ec57b0 Merge pull request #9685 from kareem-wolfssl/gh7735
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
JacobBarthelmeh 2f388dde4c Merge pull request #9703 from dgarske/stsafe-a120-ecdhe
Fixes for STSAFE-A120 ECDHE
2026-01-23 10:59:45 -07:00
David Garske 4773ea6d44 Merge pull request #9637 from Frauschi/test_coverage
Increase test coverage for PQC and CMake
2026-01-23 07:51:40 -08:00
David Garske b5209344e0 Merge pull request #9707 from danielinux/enable_stm32g0_AES_only
Add STM32G0 hardware crypto support
2026-01-23 07:50:30 -08:00
Michal Jahelka 269c28be16 Add STM32G0 hardware crypto support 2026-01-23 11:09:08 +01:00
Tobias Frauenschläger 14ce7956f1 Increase test coverage
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Anthony Hu 2616fe3ff1 Better guards around tests 2026-01-22 22:17:59 -05:00
Hideki Miyazaki 0f72d2eafe enable kyber and dilithium in selftest 2026-01-23 11:59:46 +09:00
Sean Parkinson 27df554e99 Merge pull request #9701 from Frauschi/brainpool-tls13
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
Sean Parkinson baaa368a61 Merge pull request #9668 from kaleb-himes/PQ-FS-2026-Part1
PQ FS 2026 part1
2026-01-23 10:30:47 +10:00
David Garske 2c83711319 Merge pull request #9693 from kareem-wolfssl/zd21012
Use MinGW XINET_PTON definition for 32-bit MinGW as well as 64-bit.
2026-01-22 15:24:31 -08:00
Daniel Pouzzner a1b43ab3fa wolfssl/wolfcrypt/dilithium.h: add a check for whether all supported levels are disabled, in WOLFSSL_WC_DILITHIUM setup. 2026-01-22 17:20:46 -06:00
Daniel Pouzzner 71bffcc5eb linuxkm/Kbuild: move FORCE_GLOBAL_OBJTOOL_OFF setup outside ENABLED_LINUXKM_PIE setup, i.e. always usable. 2026-01-22 17:20:46 -06:00
David Garske a17f68f036 Merge pull request #9587 from kareem-wolfssl/zd20850
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
David Garske 2fb19f84e5 Fixes for STSAFE-A120 ECDHE 2026-01-22 22:46:35 +00:00
Kareem 1103552c37 Code review feedback 2026-01-22 15:46:13 -07:00
Kareem d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
Kareem 4c0c51fdff Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-22 15:13:15 -07:00
Kareem baedba6a58 Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide. 2026-01-22 15:13:08 -07:00
kaleb-himes 20fc2de29d Restore sanity to < SEED_BLOCK_SZ 2026-01-22 09:09:29 -07:00
kaleb-himes 20b2fd200f Address failure rates from FIPS CRNGT test by implementing alternate RCT/ADP tests
Update ret code to match docs and update docs

Replace magic numbers with appropriate define

Define MAX_ENTROPY_BITS when MEMUSE not enabled

Fix type cast windows detection

Older FIPS modules still need the old check

CodeSpell you're wrong, that is what I want to name my variable

Turn the hostap into a manual dispatch until it gets fixed

Upon closer review we can not skip the test when memuse enabled

Fix whitespace stuff found by multitest

More syntax things

Correct comments based on latest findings
2026-01-22 09:06:17 -07:00
Tobias Frauenschläger bde1bf6ce7 Fix user_settings ASM multiple define 2026-01-22 14:14:15 +01:00
Tobias Frauenschläger eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
David Garske 62ca34497c Merge pull request #9633 from douzzer/20260108-DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
20260108-DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
2026-01-21 17:39:56 -08:00
David Garske baeffb2f6a Merge pull request #9692 from anhu/aead
wc_XChaCha20Poly1305_Init: NULL check aead, not ad
2026-01-21 17:22:32 -08:00
Daniel Pouzzner 142f493964 configure.ac: if ENABLED_32BIT, add -DWC_32BIT_CPU to AM_CFLAGS, and don't add WOLFSSL_X86_64_BUILD to AM_CFLAGS; fix handling for --enable-bump;
wolfssl/wolfcrypt/settings.h: classify OPENSSL_EXTRA as "desktop type system" in bump up of default FP_MAX_BITS and SP_INT_BITS;

wolfssl/wolfcrypt/types.h: if WC_32BIT_CPU, don't define WC_64BIT_CPU.
2026-01-21 18:21:16 -06:00
David Garske e4e79dd8a3 Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
Anthony Hu d088fee72c Add cipher suite filtering when downgrade is disabled
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.

Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
Anthony Hu 7d7299e254 Do not allow NULL with non-zero length. 2026-01-21 17:49:30 -05:00
David Garske 11ddec3f69 Merge pull request #9681 from tmael/wfb1_
Fix cert SW issues in Aes and rng
2026-01-21 13:41:01 -08:00