Commit Graph

8664 Commits

Author SHA1 Message Date
JacobBarthelmeh ff80d62db2 Merge pull request #8942 from rlm2002/coverity
Coverity: address unresolved issue from previous change
2025-07-01 16:09:32 -06:00
Ruby Martin c06fa48e75 return NULL on negative length 2025-07-01 14:25:35 -06:00
Sean Parkinson 7c4de54e73 EVP HMAC: get working with WOLFSSL_HMAC_COPY_HASH
Get the EVP layer working with the wolfSSL HMAC implementation when
WOLFSSL_HMAC_COPY_HASH is defined.
This define hashes the ipad and opad into temporary hashes and copies
the required hash into the working hash when needed. Uses more memory
but is faster when starting a new hash with the same key.
2025-07-01 13:14:26 +10:00
JacobBarthelmeh 7fb750962b Merge pull request #8935 from philljj/fix_coverity
coverity: prune dead code in ssl_sess.c.
2025-06-30 13:32:34 -06:00
Daniel Pouzzner 1127dabe98 Merge pull request #8926 from dgarske/various_20250625
Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT
2025-06-27 22:29:24 -05:00
jordan 68cf96e7f6 coverity: do not free x509 on error in wolfSSL_add0_chain_cert. 2025-06-27 17:25:28 -05:00
jordan d998d01a0c coverity: prune dead code in ssl_sess.c. 2025-06-27 15:40:01 -05:00
David Garske 1db3dbcc28 Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. Workaround to avoid large WOLFSSL structure size with compatibility layer enabled (the struct WOLFSSL_X509 is over 5KB). Note: May investigate way to place into heap instead. Fix issues building compatibility layer without MD5. 2025-06-27 12:42:52 -07:00
Ruby Martin 9b6b41627e move CFErrorRef instantiation
cleanup
2025-06-26 09:06:01 -06:00
Ruby Martin 79b6e62668 modify check domain test
void code for unused variable warning

do not run check_domain_name test if ssl_verify_none has been set
2025-06-26 08:39:32 -06:00
Ruby Martin 7c44f14e77 add apple test to github actions 2025-06-26 08:38:30 -06:00
Ruby Martin d3b30f8d51 Check underlying error, want only maximum validity period error
add apple test macros to tests requiring cert manager
2025-06-26 08:38:28 -06:00
Brett 877bade216 additional debugging 2025-06-26 08:38:28 -06:00
Brett 7232b3a6bb Apple native cert validation: add WOLFSSL_TEST_APPLE_CERT_VALIDATION feature macro that forces system CA certs on and makes all CA certs added to CM via xxx_load_verify_xxx APIs to instead be loaded as system trust anchors when used for TLS cert verification 2025-06-26 08:38:26 -06:00
Daniel Pouzzner 23a37b2ebc Merge pull request #8916 from dgarske/revert_pr8911
Revert PR #8911
2025-06-25 21:52:34 -05:00
Daniel Pouzzner d6d124bb85 Merge pull request #8774 from SparkiDev/armv8_ghs
Armv8 (Aarch64) ASM fixes for Green Hills compiler
2025-06-25 21:46:48 -05:00
Daniel Pouzzner 38892fdd07 Merge pull request #8757 from anhu/recalc_suites
Recalculate suites at ssl initialization.
2025-06-25 21:32:38 -05:00
JacobBarthelmeh fe7d458d29 random.c is also locked in FIPS v6 2025-06-24 16:08:25 -06:00
David Garske bfebeae533 Revert PR #8911. For TLS v1.2 RSA only is only supported with WOLFSSL_STATIC_RSA. For TLS v1.3 RSA only is not supported (must be PFS). 2025-06-24 09:40:15 -07:00
Anthony Hu 43df11c9c1 Add gate on having DH 2025-06-24 10:37:26 -04:00
Anthony Hu 8c1298a1d8 Check if DH's P and G are set 2025-06-24 09:59:12 -04:00
Sean Parkinson fc1d281268 Green Hills compiler fixes
internal.c: Move non-enumeration value out of switch.
ssl.c: Only declare globalRNGMutex when required.
x509.c: initialize ret

armv8-aes.c, armv8-chacha.c: fix branch instructions
armv8-mlkem*: ensure only required constants are input operands and move
constants closer to first use.
armv8-poly1305.c: remove POLY1305_BLOCK_SIZE from input operands.
armv8-sha3-asm_c.c, armv8-sha512-asm_c.c: use constraint ':' instead of
'S'.
armv8-sha512.c: initialize initfp. Is always used.
2025-06-24 19:39:40 +10:00
David Garske 978a29da0b Merge pull request #8898 from cconlon/getpidOptionsH
Add HAVE_GETPID to options.h if getpid detected
2025-06-23 17:11:55 -07:00
Anthony Hu d45e42e2e6 keySz is only in Buffers if NO_CERTS not defined. 2025-06-23 18:29:39 -04:00
Anthony Hu 6385999ae9 Recalculate suites at ssl initialization. 2025-06-23 18:29:39 -04:00
David Garske caf8494d65 Merge pull request #8911 from gojimmypi/pr-allow-only-rsa
Allow configuration with only RSA cipher suites
2025-06-23 11:18:27 -07:00
Daniel Pouzzner b361c62372 Merge pull request #8903 from dgarske/cadate_calist
Expose API to access "store" error code and depth for cert failure callback
2025-06-23 10:08:41 -05:00
gojimmypi afa22dfc2b Allow configuration with only RSA cipher suites 2025-06-21 14:54:10 -07:00
David Garske 1be303866e Merge pull request #8908 from douzzer/20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
2025-06-20 15:07:09 -07:00
David Garske f30c54abdd Merge pull request #8894 from SparkiDev/ppc32_sha256_asm
PPC 32 ASM: SHA-256
2025-06-20 14:29:47 -07:00
Daniel Pouzzner 7977a605c5 src/internal.c: in FreeSskeArgs(), move nullness check on args to the start, and make it unconditional, to resolve nullPointerRedundantChecks. 2025-06-20 15:04:07 -05:00
David Garske b98cf8882b Remove HAVE_LIGHTY from the client_ca_names feature. 2025-06-20 11:29:02 -07:00
David Garske 9b50708741 Fix to expose API to access "store" error code and error depth for cert failure callback (from set_verify). Useful for C# wrapper or clients that cannot directly dereference X509_STORE. Fixes for building with WOLFSSL_EXTRA and WOLFSSL_NO_CA_NAMES (and added new tests). Added example in CSharp TLS client for overriding a begin date error (useful if date is not set). 2025-06-19 14:49:00 -07:00
Chris Conlon cdd02f9665 Add check for reseed in ssl.c for HAVE_SELFTEST, similar to old FIPS bundles that do not have older random.c files 2025-06-18 17:21:55 -06:00
David Garske 27176a5eeb Merge pull request #8870 from kareem-wolfssl/zd20030
Various minor fixes.
2025-06-18 08:55:07 -07:00
Sean Parkinson c39f1fe721 PPC 32 ASM: SHA-256
Pure and inline  ASM for the PowerPC 32-bit.
2025-06-18 21:23:15 +10:00
David Garske 7d77446964 Merge pull request #8882 from rizlik/dtls13_always_transmit_explicit_ack
dtls13: always send ACKs on detected retransmission
2025-06-17 11:35:07 -07:00
David Garske 6b68797b4f Merge pull request #8883 from JacobBarthelmeh/rng
account for Intel RDRAND build without HAVE_HASHDRBG
2025-06-17 11:33:16 -07:00
Kareem 2366718d5a Add args->input free in FreeSskeArgs.
This free is redundant in most cases but it covers the specific
case of using async, exiting SendServerKeyExchange early due to
WANT_WRITE or WC_PENDING_E, then later freeing the async context
without calling SendServerKeyExchange again.
2025-06-17 10:12:06 -07:00
David Garske 5e6c1ba05f Merge pull request #8879 from julek-wolfssl/openssh-10.0p2
Updates for OpenSSH 10.0p2
2025-06-17 09:36:45 -07:00
Marco Oliverio e82c099bec fix indentation 2025-06-16 18:42:17 +02:00
JacobBarthelmeh ce61f0d517 account for Intel RDRAND build without HAVE_HASHDRBG 2025-06-16 09:04:50 -06:00
Marco Oliverio b1b49c9ffb dtls13: always send ACKs on detected retransmission
Otherwise the connection can stall due the indefinite delay of an explicit ACK,
for exapmle:

 -> client sends the last Finished message
<- server sends the ACK, but the ACK is lost
 -> client rentrasmit the Finished message
 - server delay sending of the ACK until a fast timeout
 -> client rentrasmit the Finished message quicker than the server timeout
 - server resets the timeout, delaying sending the ACK
 -> client rentrasmit the Finished...
2025-06-16 14:19:32 +02:00
Marco Oliverio 509491f554 dtls13: wolfSSL_is_init_finished true after last server ACK
Do not consider the handshake finished until the last server ACK.
This way the application knows where to switch from
wolfSSL_negotiate/wolfSSL_connect to wolfSSL_read/wolfSSL_write.
2025-06-16 14:19:31 +02:00
Juliusz Sosinowicz 37554a13db Updates for OpenSSH 10.0p2
- random.c: use getrandom when available and fall back to direct file access
- openssh.yml: run more tests
- openssh.yml: add 10.0p2 and 9.9p2
- configure.ac: detect if `getrandom` is available on the system
- configure.ac: openssh requires WC_RNG_SEED_CB to always use `getrandom` so that the RNG doesn't get killed by SECCOMP
2025-06-13 18:06:19 +02:00
Josh Holtrop 8bde5e6982 Fix printing empty names in certificates
The empty-issuer-cert.pem certificate was created with:

    wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
    wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509

Prior to this fix this command would error printing the certificate:

    wolfssl x509 -inform pem -in empty-issuer-cert.pem -text
2025-06-13 11:22:52 -04:00
David Garske 2fc1110a13 Merge pull request #8587 from lealem47/gh8574
Fix bug in ParseCRL_Extensions
2025-06-12 12:09:52 -07:00
David Garske 6571f42cb9 Merge pull request #8867 from JacobBarthelmeh/rng
Improvements to RNG and compatibility layer
2025-06-11 14:31:53 -07:00
JacobBarthelmeh ae87afa677 Merge pull request #8857 from miyazakh/tsip_fix
fix TSIP TLS example program
2025-06-10 16:26:34 -06:00
JacobBarthelmeh 47cf634965 add a way to restore previous pid behavior 2025-06-10 16:12:09 -06:00