wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-27 10:42:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,938 Commits 12 Branches 184 Tags
ed7ace504fd18d9798e9d3bb221f267ce71e1fc5
Commit Graph

8956 Commits

Author SHA1 Message Date
kaleb-himes
dc6fa0ad4e De-couple ESV from DRBG 2025-11-20 09:38:13 -07:00
David Garske
658ea305d1 Fix issue with poorly written macros 2025-11-18 14:15:22 -08:00
Daniel Pouzzner
c29abccc9f src/internal.c: peer review: refactor wolfssl_priv_der_unblind() and wolfssl_priv_der_unblind_free() to use AllocDer() and FreeDer(). 2025-11-14 18:13:44 -06:00
Daniel Pouzzner
dee0658e8a fix races around WOLFSSL_CTX.{privateKey,privateKeyMask,altPrivateKey,altPrivateKeyMask} in WOLFSSL_BLIND_PRIVATE_KEY code paths: 
* rename wolfssl_priv_der_unblind() to wolfssl_priv_der_blind_toggle(),
* add wolfssl_priv_der_unblind() that allocates a temp copy,
* add wolfssl_priv_der_unblind_free(),
* in wolfssl_priv_der_blind_toggle(), make mask a const arg;

restore const attribute to ctx arg to wolfSSL_CTX_get0_privatekey(), and add explanatory comment.
 2025-11-14 18:13:43 -06:00
JacobBarthelmeh
d18b251f54 Merge pull request #9420 from wolfSSL/TLS13-cipher-suite-fix 
Fix TLS 1.3 cipher suite when TLS 1.2 ciphers precede TLS 1.3 ciphers
 2025-11-14 16:42:05 -05:00
jackctj117
0767cb84bf Removed trailing white space 2025-11-14 09:03:51 -07:00
jackctj117
5e2fd78113 Suppress unused parameter warning 2025-11-13 18:32:00 -07:00
Daniel Pouzzner
c430cc75ea src/ssl.c and wolfssl/ssl.h: fix signature on wolfSSL_CTX_get0_privatekey() -- ctx is not const; 
wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: tweak gates on atomic implementations to maximize availability within currently supported targets;

fix some whitespace.
 2025-11-13 17:11:52 -06:00
Daniel Pouzzner
26ba6344f2 add wolfSSL_Atomic_Ptr_CompareExchange(); mitigate race on ctx->privateKeyPKey in wolfSSL_CTX_get0_privatekey(). 2025-11-13 16:25:49 -06:00
jackctj117
29c2f15a8f Add #ifdef guards to cipher suite checks 2025-11-13 10:06:07 -07:00
David Garske
5a8411a1ad Merge pull request #9418 from SparkiDev/tls13_ks_dup_check_fix 
TLS 1.3 duplicate KeyShare entry fix
 2025-11-12 16:09:11 -08:00
David Garske
f53191bae2 Merge pull request #9416 from julek-wolfssl/priv-key-blinding 
Fix errors when blinding private keys
 2025-11-12 16:09:03 -08:00
jackctj117
c56ea55f89 Fix TLS 1.3 cipher suite selection when TLS 1.2 ciphers precede TLS 1.3 ciphers 2025-11-12 17:03:06 -07:00
Sean Parkinson
1ec18949bc TLS 1.3 duplicate KeyShare entry fix 
Fix comparison to be greater than or equal in case count is incremented
after maxing out.
 2025-11-13 08:23:19 +10:00
David Garske
7cfffd5bbc Merge pull request #9308 from kareem-wolfssl/zd20603 
Add IPv6 support to wolfSSL_BIO_new_accept and wolfIO_TcpBind.
 2025-11-12 11:09:17 -08:00
Juliusz Sosinowicz
d1c321abdc Don't override errors when blinding the priv key 2025-11-12 17:12:22 +01:00
Kareem
fbb7ae2257 Add NULL check to wolfSSL_BIO_new_accept. 2025-11-11 16:20:09 -07:00
Kareem
3296e6a1f0 Merge remote-tracking branch 'upstream/master' into zd20603 2025-11-11 16:15:22 -07:00
David Garske
6914f08f5e Merge pull request #9391 from holtrop/check-dup-extensions-fix 
Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377
 2025-11-11 14:05:14 -08:00
Josh Holtrop
798b16dcef Address more code review feedback for PR 9391 2025-11-11 15:36:28 -05:00
Josh Holtrop
32b00fd10b Address code review feedback for PR 9391 2025-11-11 14:06:44 -05:00
David Garske
2db1c7a522 Merge pull request #9395 from SparkiDev/tls12_cv_sig_check 
TLS 1.2 CertificateVerify: validate sig alg matches peer key
 2025-11-11 09:18:11 -08:00
Sean Parkinson
f54ca0d481 TLS 1.2 CertificateVerify: req sig alg to have been in CR 
The signature algorithm specified in CertificateVerify must have been in
the CertificateRequest. Add check.

The cipher suite test cases, when client auth and RSA are built-in and
use the default client certificate and use the *-ECDSA-* cipher
suites, no longer work. The client certificate must be ECC when the
cipher suite has ECDSA. Don't run them for that build.
 2025-11-11 13:20:46 +10:00
Josh Holtrop
3af60ff85d Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377 2025-11-10 10:06:07 -05:00
Daniel Pouzzner
9e9a7392d4 Merge pull request #9373 from julek-wolfssl/WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY 
Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards
 2025-11-08 11:04:43 -06:00
Daniel Pouzzner
ea4311666e Merge pull request #9367 from julek-wolfssl/wolfDTLS_accept_stateless-early-data 
wolfDTLS_accept_stateless: Fix handling for early data
 2025-11-08 11:04:19 -06:00
JacobBarthelmeh
4f4826ae92 Merge pull request #9385 from anhu/not_len 
Use suites->hashSigAlgoSz when calling TLSX_SignatureAlgorithms_MapPss
 2025-11-07 13:49:30 -07:00
JacobBarthelmeh
4c5bc5f8fe Merge pull request #9387 from SparkiDev/tls12_cr_order 
TLS 1.2: client message order check
 2025-11-07 10:00:39 -07:00
Sean Parkinson
58bd6a8d94 TLS 1.2 CertificateVerify: validate sig alg matches peer key 
Don't proceed with parsing CertificateVerify message in TLS 1.2 if the
signature algorithm doesn't match the peer's key (key from client
certificate).
 2025-11-07 13:26:26 +10:00
Sean Parkinson
f376c8d910 Merge pull request #9388 from lealem47/scan_build 
Various fixes for nightly tests
 2025-11-07 09:30:08 +10:00
Juliusz Sosinowicz
c2377fd266 DTLS: Clear userSet when peer is set in EmbedReceiveFrom 
This allows us to differentiate between the user explicitly setting a peer and wolfio setting it. When wolfio sets the peer, we want to be able to update the peer address while in stateless parsing (governed by the `newPeer` variable).
 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
975033c64f DTLS: Introduce returnOnGoodCh option for early ClientHello processing return 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
0d7fe2f0a4 DTLS: Introduce custom I/O callbacks API and structure 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
3ebc0c5f99 Update logs 2025-11-06 16:39:48 +01:00
Juliusz Sosinowicz
ed970e7cd8 Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards 2025-11-06 16:35:11 +01:00
Lealem Amedie
08db159c5d Fixes for minor scan-build warnings 2025-11-05 21:27:06 -07:00
Sean Parkinson
3ec882cd66 Merge pull request #9380 from julek-wolfssl/ip-addr-check 
Improve domain and IP address matching in certificate verification
 2025-11-06 09:49:07 +10:00
Sean Parkinson
958fa1af60 TLS 1.2: client message order check 
Error when client receives CertificateRequest out of order: not after
Certificate and not after ServerKeyExchange if being sent.
 2025-11-05 10:00:11 +10:00
Anthony Hu
6e583a01f1 Use suites->hashSigAlgoSz instead of len in call to TLSX_SignatureAlgorithms_MapPss 2025-11-04 15:36:33 -05:00
Juliusz Sosinowicz
f95cb4e9bf Improve domain and IP address matching in certificate verification 
- Distinguish between domain and IP address checks.
- Update curl action to test with httpd server
 2025-11-04 18:36:29 +01:00
Marco Oliverio
0127571238 dtls13: advance buffer index on error 2025-11-03 13:43:33 +01:00
Daniel Pouzzner
5922b5def5 Merge pull request #9363 from julek-wolfssl/refactor-zero-return 
Improve TLS 1.3 early data handling.
 2025-10-31 17:39:11 -05:00
Daniel Pouzzner
643cbe127d Merge pull request #9354 from rlm2002/coverity 
20251027 Coverity fixes
 2025-10-30 23:54:18 -05:00
Daniel Pouzzner
7085421dd0 Merge pull request #9340 from julek-wolfssl/tls13-hrr-cs-change 
Validate cipher suite after HelloRetryRequest
 2025-10-30 23:46:50 -05:00
Daniel Pouzzner
a2b3af095d Merge pull request #9339 from effbiae/EcMakeKey 
refactor to EcMakeKey
 2025-10-30 23:45:22 -05:00
Daniel Pouzzner
9c031608ef Merge pull request #9349 from effbiae/EcExportHsKey 
refactor to EcExportHsKey
 2025-10-30 23:44:58 -05:00
Juliusz Sosinowicz
3209d264b8 Improve TLS 1.3 early data handling. 
Introduce `clientInEarlyData` to only return when in `wolfSSL_read_early_data`. This makes sure that other API don't return `ZERO_RETURN` when not in `wolfSSL_read_early_data`. Chose `APP_DATA_READY` as it won't result in a false positive return from `wolfSSL_read_early_data`.
 2025-10-29 19:04:36 +01:00
Daniel Pouzzner
d260493642 src/internal.c: in HashOutput(), check for null output pointer; 
examples/pem/pem.c: in main(), add missing check that ret == 0 in _DER_TO_PEM code path.
 2025-10-29 10:04:24 -05:00
Juliusz Sosinowicz
7b7f9a4fe0 dtls: Check PSK ciphersuite against local list 2025-10-29 13:14:50 +01:00
Juliusz Sosinowicz
c14b1a0504 Validate cipher suite after HelloRetryRequest 
- Add validation to ensure the cipher suite in the ServerHello matches the one specified in the HelloRetryRequest.
- test_TLSX_CA_NAMES_bad_extension: use the same ciphersuite in HRR and SH
 2025-10-29 13:14:50 +01:00