David Garske
bf6c870889
Merge pull request #10304 from JeremiahM37/fenrir-2
...
Zero DH keys, tighten SSL APIs, harden TLS extensions
2026-05-07 14:51:28 -07:00
David Garske
fea8d1b5bc
Merge pull request #10413 from JeremiahM37/fenrir-7
...
zeroize sensitive memory and validate public API inputs
2026-05-07 14:47:32 -07:00
David Garske
9a46ecb263
Merge pull request #10380 from padelsbach/lms-xmss
...
Add crypto callbacks for LMS and XMSS
2026-05-07 14:46:56 -07:00
David Garske
58ca6a1fa7
Merge pull request #10302 from JacobBarthelmeh/ecc
...
additional sanity checks on invalid input
2026-05-07 14:39:21 -07:00
David Garske
80a04551cf
Merge pull request #10405 from SparkiDev/mlkem_fixes_1
...
ML-KEM: fix comments, API signatures, minor issues
2026-05-07 14:37:59 -07:00
David Garske
b306f2d846
Merge pull request #10422 from Frauschi/socat
...
Make socat tests less flaky
2026-05-07 14:36:24 -07:00
David Garske
8c74977eee
Merge pull request #10297 from kareem-wolfssl/zd21676
...
Properly handle fallback cipher type case in wc_Pkcs11_CryptoDevCb.
2026-05-07 14:36:05 -07:00
David Garske
6efbacf402
Merge pull request #10416 from jackctj117/v6-fix
...
fix: guard wc_Ed448PublicKeyToDer ed448_export_public call for FIPS<7
2026-05-07 14:32:48 -07:00
David Garske
aeeb98cc04
Merge pull request #10400 from embhorn/gh10383
...
Fix Dilithium signing when WC_DILITHIUM_CACHE_MATRIX_A is enabled
2026-05-07 14:30:46 -07:00
David Garske
e78418db95
Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
...
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske
8ac2a1ae1b
Merge pull request #10418 from rlm2002/coverity
...
20260506 Coverity
2026-05-07 14:11:32 -07:00
David Garske
52847ed7e0
Merge pull request #10420 from SparkiDev/mldsa_small_1
...
ML-DSA fixes: small vfy key object, small SHA-3, fix test
2026-05-07 13:52:50 -07:00
Daniel Pouzzner
fcf23dcd04
Merge pull request #10357 from sameehj/km-fixes
...
Km fixes
2026-05-07 14:54:48 -05:00
Daniel Pouzzner
4b00525e90
Merge pull request #10407 from Frauschi/Wconversion
...
Add LMS, XMSS and ML-DSA to Wconversion testing
2026-05-07 12:05:48 -05:00
sebastian-carpenter
15b8c88bf6
Write ECH last in HRR to promote interop
2026-05-07 10:10:00 -06:00
sebastian-carpenter
9d938c12ea
supported_versions added to non-encode list
2026-05-07 10:10:00 -06:00
sebastian-carpenter
e3b291589d
TLS ECH outerExtensions (client-side)
2026-05-07 10:10:00 -06:00
Tobias Frauenschläger
bca5610508
Make socat tests less flaky
2026-05-07 15:25:19 +02:00
Eric Blankenhorn
935c3901d9
Fix from review
2026-05-07 07:34:39 -05:00
Eric Blankenhorn
8ce4e126ae
Fix from review
2026-05-07 07:34:39 -05:00
Eric Blankenhorn
4191d46d95
Fix Dilithium signing when WC_DILITHIUM_CACHE_MATRIX_A is enabled
2026-05-07 07:34:39 -05:00
Tobias Frauenschläger
da427efd89
Add LMS, XMSS and ML-DSA to Wconversion
2026-05-07 11:16:06 +02:00
Sean Parkinson
e98fb8f72b
Merge pull request #10415 from douzzer/20260506-fixes
...
20260506-fixes
2026-05-07 17:00:02 +10:00
Sean Parkinson
94e3caac18
Merge pull request #10419 from douzzer/20260506-check_domain_name-local_IsValidFQDN
...
20260506-check_domain_name-local_IsValidFQDN
2026-05-07 16:59:04 +10:00
Daniel Pouzzner
d86174cc50
src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
...
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);
scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Jeremiah Mackey
3d489d1c10
tests
2026-05-07 02:33:58 +00:00
Jeremiah Mackey
4c76eae0aa
zeroize DH private keys on free
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
88664f7224
guard zero length in DES ncbc
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
31c69bfdbc
harden SSL config and session
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
a5670d7e49
harden TLS extension processing
2026-05-07 02:31:51 +00:00
Jeremiah Mackey
51072bbce9
tests: cover input validation fixes
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
a075a99729
evp: fix sm4-ctr debug message
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
8667bd0f92
wolfcrypt: validate API input sizes
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
90eb7253b6
wolfcrypt: zero sensitive buffers
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
a454248791
eddsa: zero orig_k after sign
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
6711389e3b
pkcs7: zero plaintext before free
2026-05-07 02:31:25 +00:00
Jeremiah Mackey
a2aa3691f0
srp: harden secret intermediates
2026-05-07 02:31:25 +00:00
Paul Adelsbach
7f5138fb9a
More review feedback: pass hash to LMS export, and drop len check in XMSS verify
2026-05-06 17:46:42 -07:00
Sean Parkinson
55d7ed8d0e
ML-DSA fixes: small vfy key object, small SHA-3, fix test
...
Only have the public key in the ML-DSA key object when verify-only.
Be able to leave out SHA-3 APIs when only needing SHAKE.
Fix ML-DSA testing to only have data for compiled in parameters.
2026-05-07 10:03:41 +10:00
Daniel Pouzzner
b6de2d3cbc
src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
...
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Sean Parkinson
15398c26d0
ML-KEM: fix comments, API signatures, minor issues
...
More checks for public or private key not set.
wc_MlKemKey_Free clears key->flags
wc_MlKemKey_DecodePrivateKey now checks the public key is valid.
wc_MlKemKey_EncodePrivateKey doesn't need calculate hash of public key
as encoding the public key will do this.
EncodePrivateKey/EncodePublicKey now return BAD_STATE_E when flags not
set.
mlkem_kdf, mlkem_check_public, mlkem_xof_absorb pointer parameters are
now const.
Now all mlkem_redistribute_*_rand_avx2 functions are WOLFSSL_LOCAL.
Changed Kyber uses to MlKem.
2026-05-07 08:17:27 +10:00
Kareem
3f1c6bdac8
Code review feedback.
2026-05-06 15:13:48 -07:00
Kareem
d1b6ddca75
Properly handle fallback cipher type case in wc_Pkcs11_CryptoDevCb.
...
Thanks to Zou Dikai for the report.
2026-05-06 15:12:09 -07:00
Ruby Martin
f6019467fa
add unit test for NULL SHAKE parameters
2026-05-06 15:25:06 -06:00
Ruby Martin
e085d468d8
clear potential null dereference
2026-05-06 14:33:14 -06:00
jackctj117
a3799cffda
fix: guard wc_Ed448PublicKeyToDer ed448_export_public call for FIPS<7
2026-05-06 14:09:56 -06:00
David Garske
980fc51ea7
Merge pull request #10275 from twcook86/make_rpm_fix
...
Fix a few issues with "make rpm"
2026-05-06 13:06:42 -07:00
Daniel Pouzzner
03cee6f2bf
tests/api/test_ed25519.c and tests/api/test_ed448.c: add missing FIPS v7+ gating in test_wc_ed25519_export() and test_wc_ed448_export().
...
wolfcrypt/test/test.c: in aes_cbc_test(), use unconditional static on msg4 and verify4 to work around gcc optimizer bug (probably same bug as noted in ac11279c60 ).
2026-05-06 14:24:18 -05:00
David Garske
490c1062e4
Merge pull request #10274 from gasbytes/crl-idp-extension-fix-follow-up
...
Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3
2026-05-06 12:13:28 -07:00
David Garske
545376c477
Merge pull request #10279 from julek-wolfssl/zd/21661
...
zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
2026-05-06 11:59:55 -07:00