Daniel Pouzzner
f2f9d5bbe7
src/internal.c: in SanityCheckMsgReceived(), gate "TLS 1.2 message order check: certificate before CKE" from 5b6f86bc8e on !WOLFSSL_NO_CLIENT_AUTH.
2026-01-30 22:38:44 -06:00
Daniel Pouzzner
6123febd3f
src/ssl_sk.c, src/x509.c, wolfssl/ssl.h: tweaks and fixes to from #9705: remove !WOLFSSL_LINUXKM gates, and fix nullPointerArithmeticRedundantCheck in ExtractHostFromUri().
2026-01-30 17:34:37 -06:00
JacobBarthelmeh
1dc177fdbe
Merge pull request #9718 from SparkiDev/tls12_msg_order_checks
...
TLS 1.2 message order check: certificate before CKE
2026-01-30 10:50:33 -07:00
JacobBarthelmeh
9ca379f3bb
Merge pull request #9719 from dgarske/usersettings_expand
...
Improve user_settings.h examples and add validation rules
2026-01-29 15:35:12 -07:00
David Garske
c2a987595f
Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca
2026-01-28 11:27:01 -08:00
JacobBarthelmeh
a6316114bd
Merge pull request #9716 from SparkiDev/regression_fixes_22
...
Regression test fixes
2026-01-27 22:07:50 -07:00
Sean Parkinson
5b6f86bc8e
TLS 1.2 message order check: certificate before CKE
...
Make sure we received a Certificate message before the ClientKeyExchange
when a certificate is requested. (Certificate message will be empty when
client has no valid certificate.)
2026-01-28 10:35:14 +10:00
Sean Parkinson
eb2fb4a9ce
Merge pull request #9699 from anhu/downg
...
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
Sean Parkinson
bc9e37118e
Regression test fixes
...
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh
3e7efe8be2
Merge pull request #9705 from cconlon/nameConstraints
...
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Chris Conlon
610d530e45
Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name()
2026-01-26 10:36:05 -07:00
David Garske
eeaa3a7160
Merge pull request #9596 from kareem-wolfssl/zd19378
...
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
David Garske
cd88ec57b0
Merge pull request #9685 from kareem-wolfssl/gh7735
...
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
Tobias Frauenschläger
14ce7956f1
Increase test coverage
...
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests
Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Sean Parkinson
27df554e99
Merge pull request #9701 from Frauschi/brainpool-tls13
...
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
David Garske
a17f68f036
Merge pull request #9587 from kareem-wolfssl/zd20850
...
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
Kareem
1103552c37
Code review feedback
2026-01-22 15:46:13 -07:00
Kareem
d60dd53165
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378
2026-01-22 15:37:30 -07:00
Kareem
4c0c51fdff
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735
2026-01-22 15:13:15 -07:00
Kareem
baedba6a58
Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide.
2026-01-22 15:13:08 -07:00
Tobias Frauenschläger
eb8ba6124e
Support TLS 1.3 ECC Brainpool authentication
...
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger
a462398387
Support Brainpool ECC curve TLS 1.3 key exchange
...
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)
Also ensure that the existing TLS 1.2 curves are sent properly.
The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
David Garske
e4e79dd8a3
Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
...
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
Anthony Hu
d088fee72c
Add cipher suite filtering when downgrade is disabled
...
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.
Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
David Garske
f52930b844
More fixes for NO RNG and NO check key (broken in #9606 and #9576)
2026-01-21 10:31:57 -08:00
Sean Parkinson
8902afdcea
TLS: more sanity checks on message order
...
Add more checks on message ordering for TLS 1.2 and below.
Reformat code.
2026-01-21 10:00:38 +10:00
Kareem
832bcd7f4b
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850
2026-01-20 15:59:05 -07:00
Kareem
0f0163d888
Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735
2026-01-20 15:18:26 -07:00
David Garske
17401da6ae
Merge pull request #9678 from cconlon/otherNameSan
...
Fix GENERAL_NAME memory management for otherName and RID SANs
2026-01-20 10:56:37 -08:00
David Garske
6bdc6a7550
Merge pull request #9618 from SparkiDev/volatile_multi_statement
...
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Kareem
d505c0b7c5
Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them.
2026-01-20 11:40:37 -07:00
Kareem
89931bd884
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-19 17:50:26 -07:00
Sean Parkinson
c71a4dd66f
Merge pull request #9662 from AlexLanzano/tls1.2-empty-cert-fix
...
[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond
2026-01-20 09:45:29 +10:00
Chris Conlon
0f395a5f9d
Fix memory management in wolfssl_dns_entry_othername_to_gn() and wolfSSL_X509_get_ext_d2i() for otherName SAN handling, add ASN_RID_TYPE case to wolfSSL_X509_get_ext_d2i()
2026-01-19 16:39:33 -07:00
Daniel Pouzzner
4ce6c4c262
Merge pull request #9623 from julek-wolfssl/dtls-1.3-ms-interval
...
dtls 1.3: allow rtx interval to be less than a second
2026-01-19 17:01:23 -06:00
Daniel Pouzzner
c2cf8b1545
Merge pull request #9659 from holtrop-wolfssl/improve-error-for-invalid-helloretryrequest
...
Improve log message and error code for invalid HelloRetryRequest - fix #9653
2026-01-19 16:23:59 -06:00
Juliusz Sosinowicz
bba4671042
wolfSSL_dtls13_use_quick_timeout: check for NULL input
2026-01-19 10:13:23 +01:00
Juliusz Sosinowicz
429b690370
Address code review
2026-01-19 09:38:17 +01:00
Juliusz Sosinowicz
48067f1fa7
dtls 1.3: allow rtx interval to be less than a second
2026-01-19 09:32:09 +01:00
Daniel Pouzzner
84bca62ace
Merge pull request #9667 from bigbrett/ancv-verify-callback-fix
...
Apple Cert Fix: Prevent verify callback from blocking ANCV invocation
2026-01-17 00:02:42 -06:00
Daniel Pouzzner
9ae87e2a48
Merge pull request #9657 from embhorn/gh9655
...
Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3
2026-01-16 23:59:31 -06:00
Daniel Pouzzner
0ceed2d832
Merge pull request #9664 from padelsbach/hmac-update-len-check
...
Add length check to Hmac_UpdateFinal_CT to prevent build error
2026-01-16 15:35:58 -06:00
Sean Parkinson
fabe0c090a
Merge pull request #9646 from rlm2002/coverity
...
20260112 Coverity: update macros and add length checks
2026-01-16 09:20:01 +10:00
Brett
65a2b06d89
ANCV: support server-side policy creation
2026-01-15 11:59:59 -07:00
Brett
22a9665e6d
Prevent verify callback from blocking ANCV invocation when verify callback is registered. Reverts behavior to pre-PR#9144
2026-01-15 11:59:59 -07:00
Ruby Martin
2596d56802
verify length limit for supported version ext
...
add length check to tls extensions
2026-01-15 10:58:26 -07:00
Josh Holtrop
e7612ff36f
Improve log message and error code for invalid HelloRetryRequest - fix #9653
2026-01-15 12:55:17 -05:00
Eric Blankenhorn
3c5b8f900e
Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3
2026-01-15 07:36:52 -06:00
David Garske
f0d3957aa9
Merge pull request #9643 from mattia-moffa/20260112-sniffer-fixes
...
More sniffer length checks
2026-01-14 17:00:12 -08:00
Paul Adelsbach
f3fb63aea7
Add length check to Hmac_UpdateFinal_CT to prevent build error
2026-01-14 09:31:35 -08:00