Daniel Pouzzner
15dcd1e3bd
src/ssl.c: fixes for -Wsign-compares in wolfSSL_ERR_GET_REASON().
2026-03-20 14:53:05 -05:00
David Garske
9877bec7b7
Merge pull request #9997 from JacobBarthelmeh/qt
add back WOLFSSL_QT macro guard for get cipher name behavior
2026-03-20 09:46:40 -07:00
David Garske
d49df869d9
Merge pull request #9935 from padelsbach/padelsbach/san-ip-addr-test
Add IP SAN matching
2026-03-20 08:15:00 -07:00
David Garske
2c030ddb0d
Merge pull request #10017 from embhorn/zd21388
Fix ssl_DecodePacketInternal chain processing
2026-03-20 08:07:54 -07:00
JacobBarthelmeh
5b9d0a13bf
Merge pull request #9992 from dgarske/macro_docs
Add inline documentation for missing macros and fix spelling errors
2026-03-19 17:08:33 -06:00
Paul Adelsbach
041bb185c6
Add IP SAN matching
2026-03-19 15:10:21 -07:00
Eric Blankenhorn
a66e29473e
Fix ssl_DecodePacketInternal chain processing
2026-03-19 14:56:24 -05:00
David Garske
255f14bab9
Merge pull request #9732 from Frauschi/pqc_first
Enable and use ML-KEM by default
2026-03-19 12:38:36 -07:00
David Garske
679366a5a4
Merge pull request #9991 from kareem-wolfssl/zd21354_2
Disallow wildcard partial domains when using MatchDomainName.
2026-03-19 12:35:14 -07:00
David Garske
3e8338dbc7
Merge pull request #9993 from kojo1/brainpool
Brainpool to set1_sigalgs_list
2026-03-19 12:34:54 -07:00
David Garske
42581e4c05
Merge pull request #9982 from julek-wolfssl/DoTls13CertificateRequest-certsetup
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-19 12:32:39 -07:00
David Garske
533e9b0859
Merge pull request #9995 from julek-wolfssl/zd/21341
Handle OCSP_WANT_READ returned from DoTls13HandShakeMsgType
2026-03-19 12:27:38 -07:00
Tobias Frauenschläger
c3289f8aa9
Enable and use ML-KEM by default
* Enable ML-KEM by default in build systems (autoconf and CMake)
* Only allow three to-be-standardized hybrid PQ/T combinations by default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user does not override that). When Curve25519 is disabled, then either WOLFSSL_SECP384R1MLKEM1024 or WOLFSSL_SECP256R1MLKEM768 is used as default depending on the ECC configuration
* Disable standalone ML-KEM in supported groups by default (enable with --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Add async support for ML-KEM hybrids
2026-03-18 10:48:16 +01:00
JacobBarthelmeh
c952b694f7
add back WOLFSSL_QT macro guard for order of cipher suites
2026-03-17 17:46:13 -06:00
JacobBarthelmeh
6f386fd6b2
Merge pull request #9981 from julek-wolfssl/fenrir/260316
Fenrir fixes
2026-03-17 08:36:11 -06:00
Juliusz Sosinowicz
0644369456
Handle OCSP_WANT_READ returned from DoTls13HandShakeMsgType
ZD21341
2026-03-17 14:59:04 +01:00
Tobias Frauenschläger
10b98733f2
Add tests for individual ML-KEM levels (based on #9777)
Also fix minor problems found with these tests
2026-03-17 12:43:15 +01:00
Tobias Frauenschläger
76b1300adb
ML-KEM fixes
* DTLS 1.3 cookie and CH frag handling
* static memory handling
* Fix memory leak in TLS server PQC handling in case of ECH
* Make sure hybrids are actually tested in testsuite
2026-03-17 12:43:15 +01:00
Takashi Kojo
8354eb71ca
Brainpool to set1_sigalgs_list
2026-03-17 11:22:14 +09:00
David Garske
4c75a866d9
Add inline documentation for missing macros and fix spelling errors
2026-03-16 17:09:13 -07:00
Kareem
76c52c31fb
Disallow wildcard partial domains when using MatchDomainName.
2026-03-16 16:21:47 -07:00
Juliusz Sosinowicz
c6f41bce2f
Fix memory leak on hash failure in LoadCertByIssuer
F-721
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz
4596e9e1a7
Fix error return in InitSSL verify param path
F-720
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
a9a9eae4d9
Fix error propagation in InitSSL QUIC path
F-719
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
3ff051f3e4
Use secure wipe for RSA temporary
F-718
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
0d7ef87f09
Fix bounds check in session deserialization
F-717
2026-03-16 15:14:25 -07:00
David Garske
96661a5dab
Merge pull request #9977 from JacobBarthelmeh/multi-test
Minor fixes for nightly multi-test tool
2026-03-16 14:31:39 -07:00
JacobBarthelmeh
57f416fc43
Merge pull request #9961 from sebastian-carpenter/tls-ech-coverity
minor coverity fixes for tls ech code
2026-03-16 15:27:27 -06:00
David Garske
77c7418052
Merge pull request #9973 from JacobBarthelmeh/static_analysis
fix to sanity check on importing raw session key info
2026-03-16 13:46:53 -06:00
JacobBarthelmeh
7de150eff0
Merge pull request #9975 from rlm2002/coverity
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
Juliusz Sosinowicz
2051297ab0
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-16 17:02:02 +01:00
JacobBarthelmeh
f8dda213b0
Merge pull request #9972 from cconlon/getCiphersCompatFix
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
JacobBarthelmeh
681fb41fcb
Null check on SNI pointer before potential use
2026-03-16 00:06:38 -06:00
Ruby Martin
1ac4ba282b
remove early der free
2026-03-13 17:03:02 -06:00
JacobBarthelmeh
d36f7a2b99
fix to sanity check on importing raw session key info
2026-03-13 15:32:46 -06:00
Chris Conlon
428030a3e8
Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available
2026-03-13 15:07:25 -06:00
Kareem
94b370f5e2
Rework check to compare only ints.
2026-03-13 11:42:12 -07:00
Kareem
19b99f8072
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
sebastian-carpenter
47a24d7b90
minor coverity fixes for tls ech
2026-03-13 11:04:44 -06:00
JacobBarthelmeh
156db7dd2d
Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
JacobBarthelmeh
e5594a6366
Merge pull request #9889 from rlm2002/F29
remove word16 cast, add WOLFSSL_MAX_16BIT check
2026-03-12 14:54:19 -06:00
JacobBarthelmeh
67abcc6f2d
Merge pull request #9949 from philljj/fix_d2i_SSL_SESSION
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-12 14:45:29 -06:00
JacobBarthelmeh
351d2594ac
Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
JacobBarthelmeh
a05a3ed1c2
Merge pull request #9940 from cconlon/pathLenSet
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
Juliusz Sosinowicz
4fbc81916c
Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh
a8dfa59bbe
Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson
bbd2f6f898
Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
sebastian-carpenter
8a7d327d24
ECH fixes F-293, F-201, F-358, F-203
2026-03-11 10:06:37 -06:00
sebastian-carpenter
032dbe6878
ECH fixes F-292, F-28
2026-03-11 10:06:36 -06:00