Commit Graph

9359 Commits

Author SHA1 Message Date
JacobBarthelmeh 7de150eff0 Merge pull request #9975 from rlm2002/coverity
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
JacobBarthelmeh f8dda213b0 Merge pull request #9972 from cconlon/getCiphersCompatFix
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Ruby Martin 1ac4ba282b remove early der free 2026-03-13 17:03:02 -06:00
Chris Conlon 428030a3e8 Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available 2026-03-13 15:07:25 -06:00
Kareem 94b370f5e2 Rework check to compare only ints. 2026-03-13 11:42:12 -07:00
Kareem 19b99f8072 Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
JacobBarthelmeh 156db7dd2d Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
JacobBarthelmeh e5594a6366 Merge pull request #9889 from rlm2002/F29
remove word16 cast, add WOLFSSL_MAX_16BIT check
2026-03-12 14:54:19 -06:00
JacobBarthelmeh 67abcc6f2d Merge pull request #9949 from philljj/fix_d2i_SSL_SESSION
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-12 14:45:29 -06:00
JacobBarthelmeh 351d2594ac Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
JacobBarthelmeh a05a3ed1c2 Merge pull request #9940 from cconlon/pathLenSet
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
Juliusz Sosinowicz 4fbc81916c Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh a8dfa59bbe Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson bbd2f6f898 Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
sebastian-carpenter bb7c6a13c8 ECH tidying 2026-03-11 12:07:20 -06:00
sebastian-carpenter 8a7d327d24 ECH fixes F-293, F-201, F-358, F-203 2026-03-11 10:06:37 -06:00
sebastian-carpenter 032dbe6878 ECH fixes F-292, F-28 2026-03-11 10:06:36 -06:00
Chris Conlon 354691d24a Copy pathlen in ASN1_OBJECT_dup() and set pathLengthSet in X509_add_ext() when adding basic constraints with a path length 2026-03-11 09:59:19 -06:00
sebastian-carpenter e17ac41070 TLS ECH fixes [SNI, api.c, server.c, comments] 2026-03-11 09:52:13 -06:00
sebastian-carpenter 58625d1f03 corrections for ECH specification 2026-03-11 09:52:11 -06:00
sebastian-carpenter c3a38dced7 testing + bug fixes for TLS ECH 2026-03-11 08:56:26 -06:00
sebastian-carpenter cb2d693550 bad rebase + fixing dtls13 support for ECH 2026-03-11 08:54:00 -06:00
sebastian-carpenter a2fe12a38a TLS ECH OuterExtensions support (Server side) 2026-03-11 08:54:00 -06:00
sebastian-carpenter 30cfb385eb fixed seg fault when confirmation not present 2026-03-11 08:54:00 -06:00
sebastian-carpenter 3605c2a417 client and server fix for TLS ECH 2026-03-11 08:54:00 -06:00
jordan 0a99a08b0f ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION. 2026-03-11 09:47:15 -05:00
Juliusz Sosinowicz 6bb122d29f Address copilot review 2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz 6fc83e292b Address code review 2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz 9015ae9e17 Return unknown information inside of Basic Responde 2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz 10be06d747 Address copilot feedback 2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz 9a9eb2bf1d Add ocsp responder test to testsuite.c and tested on windows 2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz a795b19db2 Implement copilot suggestions 2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00
Daniel Pouzzner fc7c19bb07 Merge pull request #9934 from SparkiDev/tls_length_fixes_1
TLS: Better handling of parsing TLS extensions
2026-03-10 22:34:10 -05:00
Daniel Pouzzner ad21c89ba8 Merge pull request #9944 from JacobBarthelmeh/revert-pr9909
revert PR 9909
2026-03-10 19:38:57 -05:00
Daniel Pouzzner e8a53c2e6d Merge pull request #9941 from kaleb-himes/v6-wolfentropy-combofix
Ensure user-space wolfentropy builds of the v6 module compile the cor…
2026-03-10 19:36:52 -05:00
Daniel Pouzzner e4dea8f261 Merge pull request #9885 from Frauschi/missing_force_zero
Add missing ForceZero calls
2026-03-10 19:36:07 -05:00
Daniel Pouzzner f9b15210d9 Merge pull request #9921 from Frauschi/zd21310
Zeroize preMasterSecret in hybrid PQ/T error cases
2026-03-10 19:35:12 -05:00
Daniel Pouzzner 3203610249 Merge pull request #9925 from sameehj/fix-compilation
Fix undefined variable tls1 in InitSuites for PSK cipher suite
2026-03-10 19:34:05 -05:00
Daniel Pouzzner f1508c910a Merge pull request #9930 from julek-wolfssl/fenrir/260903
Fenrir fixes
2026-03-10 19:32:56 -05:00
Daniel Pouzzner e3e5179cf8 Merge pull request #9869 from JacobBarthelmeh/f356
fix for sanity checks on serial input
2026-03-10 19:30:46 -05:00
Daniel Pouzzner df504300db Merge pull request #9863 from JacobBarthelmeh/f361
Fix for setting curve using all caps with wolfSSL_set1_curves_list
2026-03-10 19:29:46 -05:00
Daniel Pouzzner 65092ab5eb Merge pull request #9838 from SparkiDev/slhdsa_1
FIPS 205, SLH-DSA: implementation
2026-03-10 19:28:59 -05:00
Sean Parkinson 0683dab9ac TLS: Better handling of parsing TLS extensions
TLSX_CSR2_Parse: check didn't include length bytes

TLSX_UseSRTP_Parse: validate profile_len

TLSX_CA_Names_Parse: fix for integer overflow

TLSX_SignatureAlgorithms_Parse: set new length before checking

TLSX_ECH_Parse: better parsing
2026-03-11 07:41:13 +10:00
JacobBarthelmeh 528b22140b revert PR 9909 2026-03-10 14:47:21 -06:00
kaleb-himes b2520f120f Ensure user-space wolfentropy builds of the v6 module compile the correct resource 2026-03-10 10:48:43 -06:00
Juliusz Sosinowicz afed9d4b79 fixup! ProcessServerHello: verify extension lengths 2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz 3a8e4a34ce ProcessSessionTicket: verify nonce length 2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz 2febc1c7f2 ProcessServerHello: verify extension lengths
F-428
2026-03-10 09:52:06 +01:00
Juliusz Sosinowicz 9c4e77d47d DoTls13ClientHello: session length is a sender side requirement
F-433
2026-03-10 09:52:06 +01:00