Commit Graph

9392 Commits

Author SHA1 Message Date
Daniel Pouzzner 15dcd1e3bd src/ssl.c: fixes for -Wsign-compares in wolfSSL_ERR_GET_REASON(). 2026-03-20 14:53:05 -05:00
David Garske 9877bec7b7 Merge pull request #9997 from JacobBarthelmeh/qt
add back WOLFSSL_QT macro guard for get cipher name behavior
2026-03-20 09:46:40 -07:00
David Garske d49df869d9 Merge pull request #9935 from padelsbach/padelsbach/san-ip-addr-test
Add IP SAN matching
2026-03-20 08:15:00 -07:00
David Garske 2c030ddb0d Merge pull request #10017 from embhorn/zd21388
Fix ssl_DecodePacketInternal chain processing
2026-03-20 08:07:54 -07:00
JacobBarthelmeh 5b9d0a13bf Merge pull request #9992 from dgarske/macro_docs
Add inline documentation for missing macros and fix spelling errors
2026-03-19 17:08:33 -06:00
Paul Adelsbach 041bb185c6 Add IP SAN matching 2026-03-19 15:10:21 -07:00
Eric Blankenhorn a66e29473e Fix ssl_DecodePacketInternal chain processing 2026-03-19 14:56:24 -05:00
David Garske 255f14bab9 Merge pull request #9732 from Frauschi/pqc_first
Enable and use ML-KEM by default
2026-03-19 12:38:36 -07:00
David Garske 679366a5a4 Merge pull request #9991 from kareem-wolfssl/zd21354_2
Disallow wildcard partial domains when using MatchDomainName.
2026-03-19 12:35:14 -07:00
David Garske 3e8338dbc7 Merge pull request #9993 from kojo1/brainpool
Brainpool to set1_sigalgs_list
2026-03-19 12:34:54 -07:00
David Garske 42581e4c05 Merge pull request #9982 from julek-wolfssl/DoTls13CertificateRequest-certsetup
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-19 12:32:39 -07:00
David Garske 533e9b0859 Merge pull request #9995 from julek-wolfssl/zd/21341
Handle OCSP_WANT_READ returned from DoTls13HandShakeMsgType
2026-03-19 12:27:38 -07:00
Tobias Frauenschläger c3289f8aa9 Enable and use ML-KEM by default
* Enable ML-KEM by default in build systems (autoconf and CMake)
* Only allow three to-be-standardized hybrid PQ/T combinations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that). When Curve25519 is disabled, then either
  WOLFSSL_SECP384R1MLKEM1024 or WOLFSSL_SECP256R1MLKEM768 is used as
  default depending on the ECC configuration
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Add async support for ML-KEM hybrids
2026-03-18 10:48:16 +01:00
JacobBarthelmeh c952b694f7 add back WOLFSSL_QT macro guard for order of cipher suites 2026-03-17 17:46:13 -06:00
JacobBarthelmeh 6f386fd6b2 Merge pull request #9981 from julek-wolfssl/fenrir/260316
Fenrir fixes
2026-03-17 08:36:11 -06:00
Juliusz Sosinowicz 0644369456 Handle OCSP_WANT_READ returned from DoTls13HandShakeMsgType
ZD21341
2026-03-17 14:59:04 +01:00
Tobias Frauenschläger 10b98733f2 Add tests for individual ML-KEM levels (based on #9777)
Also fix minor problems found with these tests
2026-03-17 12:43:15 +01:00
Tobias Frauenschläger 76b1300adb ML-KEM fixes
* DTLS 1.3 cookie and CH frag handling
* static memory handling
* Fix memory leak in TLS server PQC handling in case of ECH
* Make sure hybrids are actually tested in testsuite
2026-03-17 12:43:15 +01:00
Takashi Kojo 8354eb71ca Brainpool to set1_sigalgs_list 2026-03-17 11:22:14 +09:00
David Garske 4c75a866d9 Add inline documentation for missing macros and fix spelling errors 2026-03-16 17:09:13 -07:00
Kareem 76c52c31fb Disallow wildcard partial domains when using MatchDomainName. 2026-03-16 16:21:47 -07:00
Juliusz Sosinowicz c6f41bce2f Fix memory leak on hash failure in LoadCertByIssuer
F-721
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz 4596e9e1a7 Fix error return in InitSSL verify param path
F-720
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz a9a9eae4d9 Fix error propagation in InitSSL QUIC path
F-719
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz 3ff051f3e4 Use secure wipe for RSA temporary
F-718
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz 0d7ef87f09 Fix bounds check in session deserialization
F-717
2026-03-16 15:14:25 -07:00
David Garske 96661a5dab Merge pull request #9977 from JacobBarthelmeh/multi-test
Minor fixes for nightly multi-test tool
2026-03-16 14:31:39 -07:00
JacobBarthelmeh 57f416fc43 Merge pull request #9961 from sebastian-carpenter/tls-ech-coverity
minor coverity fixes for tls ech code
2026-03-16 15:27:27 -06:00
David Garske 77c7418052 Merge pull request #9973 from JacobBarthelmeh/static_analysis
fix to sanity check on importing raw session key info
2026-03-16 13:46:53 -06:00
JacobBarthelmeh 7de150eff0 Merge pull request #9975 from rlm2002/coverity
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
Juliusz Sosinowicz 2051297ab0 DoTls13CertificateRequest: call CertSetupCbWrapper only once 2026-03-16 17:02:02 +01:00
JacobBarthelmeh f8dda213b0 Merge pull request #9972 from cconlon/getCiphersCompatFix
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
JacobBarthelmeh 681fb41fcb Null check on SNI pointer before potential use 2026-03-16 00:06:38 -06:00
Ruby Martin 1ac4ba282b remove early der free 2026-03-13 17:03:02 -06:00
JacobBarthelmeh d36f7a2b99 fix to sanity check on importing raw session key info 2026-03-13 15:32:46 -06:00
Chris Conlon 428030a3e8 Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available 2026-03-13 15:07:25 -06:00
Kareem 94b370f5e2 Rework check to compare only ints. 2026-03-13 11:42:12 -07:00
Kareem 19b99f8072 Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
sebastian-carpenter 47a24d7b90 minor coverity fixes for tls ech 2026-03-13 11:04:44 -06:00
JacobBarthelmeh 156db7dd2d Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
JacobBarthelmeh e5594a6366 Merge pull request #9889 from rlm2002/F29
remove word16 cast, add WOLFSSL_MAX_16BIT check
2026-03-12 14:54:19 -06:00
JacobBarthelmeh 67abcc6f2d Merge pull request #9949 from philljj/fix_d2i_SSL_SESSION
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-12 14:45:29 -06:00
JacobBarthelmeh 351d2594ac Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
JacobBarthelmeh a05a3ed1c2 Merge pull request #9940 from cconlon/pathLenSet
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
Juliusz Sosinowicz 4fbc81916c Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh a8dfa59bbe Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson bbd2f6f898 Fixes from regression testing
CRL APIs are not usable when NO_ASN_TIME is defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When the session ticket is encrypted with CBC, it must be a multiple of the block size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
sebastian-carpenter bb7c6a13c8 ECH tidying 2026-03-11 12:07:20 -06:00
sebastian-carpenter 8a7d327d24 ECH fixes F-293, F-201, F-358, F-203 2026-03-11 10:06:37 -06:00
sebastian-carpenter 032dbe6878 ECH fixes F-292, F-28 2026-03-11 10:06:36 -06:00