gojimmypi
ebeb95e47b
Initialize Dilithium keyTypeTemp and keySizeTemp
2025-07-09 09:13:14 -07:00
David Garske
0407ea131b
Merge pull request #8970 from miyazakh/qt_jenkins_encryptedKey4PBKDF1
...
Fix Qt nightly Jenkins failure
2025-07-09 08:04:48 -07:00
Ruby Martin
61e4142fe0
add null check for ssl before use in wc_DhGenerateKeyPair
2025-07-07 09:17:29 -06:00
Hideki Miyazaki
ee8be22a3f
Fix Qt nightly jenkins failure
...
PBKDF1 encrypted key
2025-07-07 15:10:41 +09:00
JacobBarthelmeh
ff80d62db2
Merge pull request #8942 from rlm2002/coverity
...
Coverity: address unresolved issue from previous change
2025-07-01 16:09:32 -06:00
Ruby Martin
c06fa48e75
return NULL on negative length
2025-07-01 14:25:35 -06:00
Sean Parkinson
7c4de54e73
EVP HMAC: get working with WOLFSSL_HMAC_COPY_HASH
...
Get the EVP layer working with the wolfSSL HMAC implementation when
WOLFSSL_HMAC_COPY_HASH is defined.
This define hashes the ipad and opad into temporary hashes and copies
the required hash into the working hash when needed. Uses more memory
but is faster when starting a new hash with the same key.
2025-07-01 13:14:26 +10:00
JacobBarthelmeh
7fb750962b
Merge pull request #8935 from philljj/fix_coverity
...
coverity: prune dead code in ssl_sess.c.
2025-06-30 13:32:34 -06:00
Daniel Pouzzner
1127dabe98
Merge pull request #8926 from dgarske/various_20250625
...
Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT
2025-06-27 22:29:24 -05:00
jordan
68cf96e7f6
coverity: do not free x509 on error in wolfSSL_add0_chain_cert.
2025-06-27 17:25:28 -05:00
jordan
d998d01a0c
coverity: prune dead code in ssl_sess.c.
2025-06-27 15:40:01 -05:00
David Garske
1db3dbcc28
Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. Workaround to avoid large WOLFSSL structure size with compatibility layer enabled (the struct WOLFSSL_X509 is over 5KB). Note: May investigate way to place into heap instead. Fix issues building compatibility layer without MD5.
2025-06-27 12:42:52 -07:00
Ruby Martin
9b6b41627e
move CFErrorRef instantiation
...
cleanup
2025-06-26 09:06:01 -06:00
Ruby Martin
79b6e62668
modify check domain test
...
void code for unused variable warning
do not run check_domain_name test if ssl_verify_none has been set
2025-06-26 08:39:32 -06:00
Ruby Martin
7c44f14e77
add apple test to github actions
2025-06-26 08:38:30 -06:00
Ruby Martin
d3b30f8d51
Check underlying error, want only maximum validity period error
...
add apple test macros to tests requiring cert manager
2025-06-26 08:38:28 -06:00
Brett
877bade216
additional debugging
2025-06-26 08:38:28 -06:00
Brett
7232b3a6bb
Apple native cert validation: add WOLFSSL_TEST_APPLE_CERT_VALIDATION feature macro that forces system CA certs on and makes all CA certs added to CM via xxx_load_verify_xxx APIs to instead be loaded as system trust anchors when used for TLS cert verification
2025-06-26 08:38:26 -06:00
Daniel Pouzzner
23a37b2ebc
Merge pull request #8916 from dgarske/revert_pr8911
...
Revert PR #8911
2025-06-25 21:52:34 -05:00
Daniel Pouzzner
d6d124bb85
Merge pull request #8774 from SparkiDev/armv8_ghs
...
Armv8 (Aarch64) ASM fixes for Green Hills compiler
2025-06-25 21:46:48 -05:00
Daniel Pouzzner
38892fdd07
Merge pull request #8757 from anhu/recalc_suites
...
Recalculate suites at ssl initialization.
2025-06-25 21:32:38 -05:00
JacobBarthelmeh
fe7d458d29
random.c is also locked in FIPS v6
2025-06-24 16:08:25 -06:00
David Garske
bfebeae533
Revert PR #8911. For TLS v1.2 RSA only is only supported with WOLFSSL_STATIC_RSA. For TLS v1.3 RSA only is not supported (must be PFS).
2025-06-24 09:40:15 -07:00
Anthony Hu
43df11c9c1
Add gate on having DH
2025-06-24 10:37:26 -04:00
Anthony Hu
8c1298a1d8
Check if DH's P and G are set
2025-06-24 09:59:12 -04:00
Sean Parkinson
fc1d281268
Green Hills compiler fixes
...
internal.c: Move non-enumeration value out of switch.
ssl.c: Only declare globalRNGMutex when required.
x509.c: initialize ret
armv8-aes.c, armv8-chacha.c: fix branch instructions
armv8-mlkem*: ensure only required constants are input operands and move
constants closer to first use.
armv8-poly1305.c: remove POLY1305_BLOCK_SIZE from input operands.
armv8-sha3-asm_c.c, armv8-sha512-asm_c.c: use constraint ':' instead of
'S'.
armv8-sha512.c: initialize initfp. Is always used.
2025-06-24 19:39:40 +10:00
David Garske
978a29da0b
Merge pull request #8898 from cconlon/getpidOptionsH
...
Add HAVE_GETPID to options.h if getpid detected
2025-06-23 17:11:55 -07:00
Anthony Hu
d45e42e2e6
keySz is only in Buffers if NO_CERTS not defined.
2025-06-23 18:29:39 -04:00
Anthony Hu
6385999ae9
Recalculate suites at ssl initialization.
2025-06-23 18:29:39 -04:00
David Garske
caf8494d65
Merge pull request #8911 from gojimmypi/pr-allow-only-rsa
...
Allow configuration with only RSA cipher suites
2025-06-23 11:18:27 -07:00
Daniel Pouzzner
b361c62372
Merge pull request #8903 from dgarske/cadate_calist
...
Expose API to access "store" error code and depth for cert failure callback
2025-06-23 10:08:41 -05:00
gojimmypi
afa22dfc2b
Allow configuration with only RSA cipher suites
2025-06-21 14:54:10 -07:00
David Garske
1be303866e
Merge pull request #8908 from douzzer/20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
...
20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
2025-06-20 15:07:09 -07:00
David Garske
f30c54abdd
Merge pull request #8894 from SparkiDev/ppc32_sha256_asm
...
PPC 32 ASM: SHA-256
2025-06-20 14:29:47 -07:00
Daniel Pouzzner
7977a605c5
src/internal.c: in FreeSskeArgs(), move nullness check on args to the start, and make it unconditional, to resolve nullPointerRedundantChecks.
2025-06-20 15:04:07 -05:00
David Garske
b98cf8882b
Remove HAVE_LIGHTY from the client_ca_names feature.
2025-06-20 11:29:02 -07:00
David Garske
9b50708741
Fix to expose API to access "store" error code and error depth for cert failure callback (from set_verify). Useful for C# wrapper or clients that cannot directly dereference X509_STORE. Fixes for building with WOLFSSL_EXTRA and WOLFSSL_NO_CA_NAMES (and added new tests). Added example in CSharp TLS client for overriding a begin date error (useful if date is not set).
2025-06-19 14:49:00 -07:00
Chris Conlon
cdd02f9665
Add check for reseed in ssl.c for HAVE_SELFTEST, similar to old FIPS bundles that do not have older random.c files
2025-06-18 17:21:55 -06:00
David Garske
27176a5eeb
Merge pull request #8870 from kareem-wolfssl/zd20030
...
Various minor fixes.
2025-06-18 08:55:07 -07:00
Sean Parkinson
c39f1fe721
PPC 32 ASM: SHA-256
...
Pure and inline ASM for the PowerPC 32-bit.
2025-06-18 21:23:15 +10:00
David Garske
7d77446964
Merge pull request #8882 from rizlik/dtls13_always_transmit_explicit_ack
...
dtls13: always send ACKs on detected retransmission
2025-06-17 11:35:07 -07:00
David Garske
6b68797b4f
Merge pull request #8883 from JacobBarthelmeh/rng
...
account for Intel RDRAND build without HAVE_HASHDRBG
2025-06-17 11:33:16 -07:00
Kareem
2366718d5a
Add args->input free in FreeSskeArgs.
...
This free is redundant in most cases but it covers the specific
case of using async, exiting SendServerKeyExchange early due to
WANT_WRITE or WC_PENDING_E, then later freeing the async context
without calling SendServerKeyExchange again.
2025-06-17 10:12:06 -07:00
David Garske
5e6c1ba05f
Merge pull request #8879 from julek-wolfssl/openssh-10.0p2
...
Updates for OpenSSH 10.0p2
2025-06-17 09:36:45 -07:00
Marco Oliverio
e82c099bec
fix indentation
2025-06-16 18:42:17 +02:00
JacobBarthelmeh
ce61f0d517
account for Intel RDRAND build without HAVE_HASHDRBG
2025-06-16 09:04:50 -06:00
Marco Oliverio
b1b49c9ffb
dtls13: always send ACKs on detected retransmission
...
Otherwise the connection can stall due to the indefinite delay of an explicit ACK,
for example:
-> client sends the last Finished message
<- server sends the ACK, but the ACK is lost
-> client retransmits the Finished message
- server delays sending of the ACK until a fast timeout
-> client retransmits the Finished message quicker than the server timeout
- server resets the timeout, delaying sending the ACK
-> client retransmits the Finished...
2025-06-16 14:19:32 +02:00
Marco Oliverio
509491f554
dtls13: wolfSSL_is_init_finished true after last server ACK
...
Do not consider the handshake finished until the last server ACK.
This way the application knows where to switch from
wolfSSL_negotiate/wolfSSL_connect to wolfSSL_read/wolfSSL_write.
2025-06-16 14:19:31 +02:00
Juliusz Sosinowicz
37554a13db
Updates for OpenSSH 10.0p2
...
- random.c: use getrandom when available and fall back to direct file access
- openssh.yml: run more tests
- openssh.yml: add 10.0p2 and 9.9p2
- configure.ac: detect if `getrandom` is available on the system
- configure.ac: openssh requires WC_RNG_SEED_CB to always use `getrandom` so that the RNG doesn't get killed by SECCOMP
2025-06-13 18:06:19 +02:00
Josh Holtrop
8bde5e6982
Fix printing empty names in certificates
...
The empty-issuer-cert.pem certificate was created with:
wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509
Prior to this fix this command would error printing the certificate:
wolfssl x509 -inform pem -in empty-issuer-cert.pem -text
2025-06-13 11:22:52 -04:00