David Garske
e78418db95
Merge pull request #10306 from sebastian-carpenter/tls-ech-client-oe
Add OuterExtensions encoding for TLS ECH client
2026-05-07 14:14:50 -07:00
David Garske
8ac2a1ae1b
Merge pull request #10418 from rlm2002/coverity
20260506 Coverity
2026-05-07 14:11:32 -07:00
David Garske
52847ed7e0
Merge pull request #10420 from SparkiDev/mldsa_small_1
ML-DSA fixes: small vfy key object, small SHA-3, fix test
2026-05-07 13:52:50 -07:00
Daniel Pouzzner
fcf23dcd04
Merge pull request #10357 from sameehj/km-fixes
Km fixes
2026-05-07 14:54:48 -05:00
Daniel Pouzzner
4b00525e90
Merge pull request #10407 from Frauschi/Wconversion
Add LMS, XMSS and ML-DSA to Wconversion testing
2026-05-07 12:05:48 -05:00
sebastian-carpenter
15b8c88bf6
Write ECH last in HRR to promote interop
2026-05-07 10:10:00 -06:00
sebastian-carpenter
9d938c12ea
supported_versions added to non-encode list
2026-05-07 10:10:00 -06:00
sebastian-carpenter
e3b291589d
TLS ECH outerExtensions (client-side)
2026-05-07 10:10:00 -06:00
Tobias Frauenschläger
da427efd89
Add LMS, XMSS and ML-DSA to Wconversion
2026-05-07 11:16:06 +02:00
Sean Parkinson
e98fb8f72b
Merge pull request #10415 from douzzer/20260506-fixes
20260506-fixes
2026-05-07 17:00:02 +10:00
Sean Parkinson
94e3caac18
Merge pull request #10419 from douzzer/20260506-check_domain_name-local_IsValidFQDN
20260506-check_domain_name-local_IsValidFQDN
2026-05-07 16:59:04 +10:00
Daniel Pouzzner
d86174cc50
src/ssl.c: in wolfSSL_check_domain_name(), use XSTRCMP(), not strcmp();
wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h, src/ssl.c, wolfssl/ssl.h: move wolfssl_local_IsValidFQDN() from ASN.1 layer (where it has no users and is gated out in lean PSK builds) to TLS layer (where its users are);
scripts/crl-revoked.test: use `cp --symbolic-link` opportunistically but fall back to `cp -p`.
2026-05-06 21:40:33 -05:00
Sean Parkinson
55d7ed8d0e
ML-DSA fixes: small vfy key object, small SHA-3, fix test
Only have the public key in the ML-DSA key object when verify-only.
Be able to leave out SHA-3 APIs when only needing SHAKE.
Fix ML-DSA testing to only have data for compiled in parameters.
2026-05-07 10:03:41 +10:00
Daniel Pouzzner
b6de2d3cbc
src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
2026-05-06 18:29:27 -05:00
Ruby Martin
f6019467fa
add unit test for NULL SHAKE parameters
2026-05-06 15:25:06 -06:00
Ruby Martin
e085d468d8
clear potential null dereference
2026-05-06 14:33:14 -06:00
David Garske
980fc51ea7
Merge pull request #10275 from twcook86/make_rpm_fix
Fix a few issues with "make rpm"
2026-05-06 13:06:42 -07:00
Daniel Pouzzner
03cee6f2bf
tests/api/test_ed25519.c and tests/api/test_ed448.c: add missing FIPS v7+ gating in test_wc_ed25519_export() and test_wc_ed448_export().
wolfcrypt/test/test.c: in aes_cbc_test(), use unconditional static on msg4 and verify4 to work around gcc optimizer bug (probably same bug as noted in ac11279c60).
2026-05-06 14:24:18 -05:00
David Garske
490c1062e4
Merge pull request #10274 from gasbytes/crl-idp-extension-fix-follow-up
Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3
2026-05-06 12:13:28 -07:00
David Garske
545376c477
Merge pull request #10279 from julek-wolfssl/zd/21661
zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
2026-05-06 11:59:55 -07:00
David Garske
27413e0a3f
Merge pull request #10403 from Frauschi/hostap_interal_retry
hostap CI tests: incorporate internal retries
2026-05-06 11:59:49 -07:00
David Garske
c38e6cac36
Merge pull request #10414 from night1rider/zephyr/4.x-workflow-fixes
Zephyr 4.x workflow: stabilize CI for renamed forks and slashed branch names
2026-05-06 11:58:19 -07:00
Ruby Martin
80f971cd6d
clears dereference before null check
2026-05-06 11:22:47 -06:00
Ruby Martin
682b628eed
remove redundant, always true, checks
2026-05-06 10:51:00 -06:00
night1rider
dc3ba1e299
stabilize CI for renamed forks and slashed branch names
2026-05-06 10:04:33 -06:00
Ruby Martin
d960d02c80
compare against MAX_UNICODE_SZ, readability change
2026-05-06 09:28:43 -06:00
Ruby Martin
dbdd066737
remove dead length check
2026-05-06 09:24:01 -06:00
Juliusz Sosinowicz
061311d6ca
zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
CRL/OCSP checks; clear stale state from session cache on verification
failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
by consolidating into VerifyTicketBinding(), called once after
ALPN_Select in DoTls13ClientHello and DoClientHello; the early
per-call sites ran before extensions were parsed and rejected valid
resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00
Daniel Pouzzner
50da0c0a26
Merge pull request #10390 from Frauschi/lms_Wconversion
LMS Wconversion fixes
2026-05-06 09:16:23 -05:00
Daniel Pouzzner
29343708df
Merge pull request #10391 from Frauschi/xmss_Wconversion
XMSS Wconversion fixes
2026-05-06 09:15:59 -05:00
Daniel Pouzzner
01f500b938
Merge pull request #10399 from Frauschi/mldsa_Wconversion
ML-DSA Wconversion fixes
2026-05-06 09:15:53 -05:00
Tobias Frauenschläger
2833a4b1e8
ML-DSA Wconversion fixes
2026-05-06 15:33:17 +02:00
Tobias Frauenschläger
40b583fbcb
Wconversion fixes for LMS
2026-05-06 15:31:00 +02:00
Tobias Frauenschläger
fe353af409
XMSS Wconversion fixes
2026-05-06 15:29:08 +02:00
Tobias Frauenschläger
57f4b231c4
hostap CI tests: incorporate internal retries
2026-05-06 10:36:19 +02:00
David Garske
6a3eb6f0a8
Merge pull request #10360 from gasbytes/cipher-init-dtls13-fix
dtls13: free and null the cipher slot on init failure in Dtls13InitAesCipher and ChaCha equivalent
2026-05-05 13:08:06 -07:00
David Garske
13f459127c
Merge pull request #10372 from MarkAtwood/fix/ed448-der-const
fix: add const to wc_Ed448 DER export function key parameters
2026-05-05 12:49:30 -07:00
David Garske
44564dd5fd
Merge pull request #10368 from holtrop-wolfssl/gh10359
Allow SubjectInfoAccess extension without id-ad-caRepository entry
2026-05-05 12:49:19 -07:00
David Garske
e3a195d394
Merge pull request #10075 from josepho0918/mqx
Improve compatibility for XINET_PTON
2026-05-05 12:47:45 -07:00
David Garske
e3285850f9
Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
David Garske
5f1e0d0f0d
Merge pull request #10314 from night1rider/zephyr-4.x-workflows
workflow tests for zephyr 4.3 and 4.1
2026-05-05 12:46:00 -07:00
David Garske
c73f431687
Merge pull request #10392 from JeremiahM37/fenrir-5
wolfCrypt input validation and side-channel hardening
2026-05-05 12:24:17 -07:00
Daniel Pouzzner
c1b2660a08
Merge pull request #10396 from douzzer/20260501-fips-v7-fixes
20260501-fips-v7-fixes -- reviewed+approved by @Frauschi
2026-05-05 14:20:49 -05:00
David Garske
b47f71678d
Merge pull request #10363 from MarkAtwood/fix/curve25519-clamp-check-rule3
fix: curve25519 clamp check missing rule 3 (bit 6 of byte 31) (ZD-21731)
2026-05-05 12:16:06 -07:00
David Garske
3147a10f23
Merge pull request #10141 from sebastian-carpenter/tls-ech-downgrade
TLS ECH Compliance Fixes
2026-05-05 12:14:20 -07:00
David Garske
00abce3474
Merge pull request #10310 from cconlon/d2iMLDSA
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey
2026-05-05 12:11:49 -07:00
David Garske
ba5132831f
Merge pull request #10389 from Frauschi/hostap
Increase hostap retry count
2026-05-05 12:08:16 -07:00
David Garske
7de26312e6
Merge pull request #10378 from rlm2002/fenrir
Various PKCS12 Fixes
2026-05-05 12:07:17 -07:00
David Garske
e38a120043
Merge pull request #10387 from Frauschi/fix-windows-tcp-bind-flaky
Fix flaky tcp bind on Windows test runs
2026-05-05 12:06:44 -07:00
David Garske
63bda771fe
Merge pull request #10305 from holtrop-wolfssl/rust-crate-updates
Rust wrapper: add password-hash, kem, mac traits; fix a few Fenrir findings
2026-05-05 12:05:29 -07:00