JacobBarthelmeh
7de150eff0
Merge pull request #9975 from rlm2002/coverity
...
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
JacobBarthelmeh
f8dda213b0
Merge pull request #9972 from cconlon/getCiphersCompatFix
...
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Ruby Martin
1ac4ba282b
remove early der free
2026-03-13 17:03:02 -06:00
Chris Conlon
428030a3e8
Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available
2026-03-13 15:07:25 -06:00
Kareem
94b370f5e2
Rework check to compare only ints.
2026-03-13 11:42:12 -07:00
Kareem
19b99f8072
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
...
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
JacobBarthelmeh
156db7dd2d
Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
...
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
JacobBarthelmeh
e5594a6366
Merge pull request #9889 from rlm2002/F29
...
remove word16 cast, add WOLFSSL_MAX_16BIT check
2026-03-12 14:54:19 -06:00
JacobBarthelmeh
67abcc6f2d
Merge pull request #9949 from philljj/fix_d2i_SSL_SESSION
...
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-12 14:45:29 -06:00
JacobBarthelmeh
351d2594ac
Merge pull request #9938 from SparkiDev/regression_fixes_23
...
Fixes from regression testing
2026-03-12 14:41:18 -06:00
JacobBarthelmeh
a05a3ed1c2
Merge pull request #9940 from cconlon/pathLenSet
...
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
Juliusz Sosinowicz
4fbc81916c
Address final comments from #9761
...
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh
a8dfa59bbe
Merge pull request #9761 from julek-wolfssl/ocsp-responder
...
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson
bbd2f6f898
Fixes from regression testing
...
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
sebastian-carpenter
8a7d327d24
ECH fixes F-293, F-201, F-358, F-203
2026-03-11 10:06:37 -06:00
sebastian-carpenter
032dbe6878
ECH fixes F-292, F-28
2026-03-11 10:06:36 -06:00
Chris Conlon
354691d24a
Copy pathlen in ASN1_OBJECT_dup() and set pathLengthSet in X509_add_ext() when adding basic constraints with a path length
2026-03-11 09:59:19 -06:00
sebastian-carpenter
e17ac41070
TLS ECH fixes [SNI, api.c, server.c, comments]
2026-03-11 09:52:13 -06:00
sebastian-carpenter
58625d1f03
corrections for ECH specification
2026-03-11 09:52:11 -06:00
sebastian-carpenter
c3a38dced7
testing + bug fixes for TLS ECH
2026-03-11 08:56:26 -06:00
sebastian-carpenter
cb2d693550
bad rebase + fixing dtls13 support for ECH
2026-03-11 08:54:00 -06:00
sebastian-carpenter
a2fe12a38a
TLS ECH OuterExtensions support (Server side)
2026-03-11 08:54:00 -06:00
sebastian-carpenter
30cfb385eb
fixed seg fault when confirmation not present
2026-03-11 08:54:00 -06:00
sebastian-carpenter
3605c2a417
client and server fix for TLS ECH
2026-03-11 08:54:00 -06:00
jordan
0a99a08b0f
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-11 09:47:15 -05:00
Juliusz Sosinowicz
6bb122d29f
Address copilot review
2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz
6fc83e292b
Address code review
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
9015ae9e17
Return unknown information inside of Basic Responde
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
10be06d747
Address copilot feedback
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
9a9eb2bf1d
Add ocsp responder test to testsuite.c and tested on windows
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
a795b19db2
Implement copilot suggestions
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
4578e1390f
Implement OCSP responder
...
OCSP Responder Core API:
- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM
Header Cleanup:
- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h
OCSP Responder Example (examples/ocsp_responder/):
- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client
Test Scripts (scripts/):
- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling
Certificate Infrastructure (certs/ocsp/):
- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions
Known Limitations (documented in src/ocsp.c header comment):
- Single request/response per OCSP exchange only
- Key-hash responder ID only (no name-based responder ID)
- No singleExtensions support
2026-03-11 10:21:16 +01:00
Daniel Pouzzner
fc7c19bb07
Merge pull request #9934 from SparkiDev/tls_length_fixes_1
...
TLS: Better handling of parsing TLS extensions
2026-03-10 22:34:10 -05:00
Daniel Pouzzner
ad21c89ba8
Merge pull request #9944 from JacobBarthelmeh/revert-pr9909
...
revert PR 9909
2026-03-10 19:38:57 -05:00
Daniel Pouzzner
e8a53c2e6d
Merge pull request #9941 from kaleb-himes/v6-wolfentropy-combofix
...
Ensure user-space wolfentropy builds of the v6 module compile the cor…
2026-03-10 19:36:52 -05:00
Daniel Pouzzner
e4dea8f261
Merge pull request #9885 from Frauschi/missing_force_zero
...
Add missing ForceZero calls
2026-03-10 19:36:07 -05:00
Daniel Pouzzner
f9b15210d9
Merge pull request #9921 from Frauschi/zd21310
...
Zeroize preMasterSecret in hybrid PQ/T error cases
2026-03-10 19:35:12 -05:00
Daniel Pouzzner
3203610249
Merge pull request #9925 from sameehj/fix-compilation
...
Fix undefined variable tls1 in InitSuites for PSK cipher suite
2026-03-10 19:34:05 -05:00
Daniel Pouzzner
f1508c910a
Merge pull request #9930 from julek-wolfssl/fenrir/260903
...
Fenrir fixes
2026-03-10 19:32:56 -05:00
Daniel Pouzzner
e3e5179cf8
Merge pull request #9869 from JacobBarthelmeh/f356
...
fix for sanity checks on serial input
2026-03-10 19:30:46 -05:00
Daniel Pouzzner
df504300db
Merge pull request #9863 from JacobBarthelmeh/f361
...
Fix for setting curve using all caps with wolfSSL_set1_curves_list
2026-03-10 19:29:46 -05:00
Daniel Pouzzner
65092ab5eb
Merge pull request #9838 from SparkiDev/slhdsa_1
...
FIPS 205, SLH-DSA: implementation
2026-03-10 19:28:59 -05:00
Sean Parkinson
0683dab9ac
TLS: Better handling of parsing TLS extensions
...
TLSX_CSR2_Parse: check didn't include length bytes
TLSX_UseSRTP_Parse: validate profile_len
TLSX_CA_Names_Parse: fix for integer overflow
TLSX_SignatureAlgorithms_Parse: set new length before checking
TLSX_ECH_Parse: better parsing
2026-03-11 07:41:13 +10:00
JacobBarthelmeh
528b22140b
revert PR 9909
2026-03-10 14:47:21 -06:00
kaleb-himes
b2520f120f
Ensure user-space wolfentropy builds of the v6 module compile the correct resource
2026-03-10 10:48:43 -06:00
Juliusz Sosinowicz
afed9d4b79
fixup! ProcessServerHello: verify extension lengths
2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz
3a8e4a34ce
ProcessSessionTicket: verify nonce length
2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz
2febc1c7f2
ProcessServerHello: verify extension lengths
...
F-428
2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz
9c4e77d47d
DoTls13ClientHello: session length is a sender side requirement
...
F-433
2026-03-10 09:52:06 +01:00