Commit Graph

110 Commits

Author SHA1 Message Date
Eric Blankenhorn 8f787909da Fix from review 2026-02-24 11:17:42 -06:00
Eric Blankenhorn 2ae3164c6f Fix cert chain size issue 2026-02-24 09:27:42 -06:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Daniel Pouzzner 8e6ebdb8ac Merge pull request #9723 from SparkiDev/ssl_split_cert
Split out code form ssl.c and pk.c
2026-02-05 18:21:36 -06:00
Tobias Frauenschläger 90be76cb94 Misc fixes and improvements regarding PKCS#11 2026-01-29 18:39:15 +01:00
Sean Parkinson be4584784c Split out code form ssl.c and pk.c
Move EC and RSA code out of pk.c into separate file.

Move out of ssl.c into separate files:
  - Certificate APIs
  - CRL/OCSP APIs
  - Public Key APIs
  - ECH

Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.

Fix formatting.
2026-01-29 18:49:56 +10:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
Kareem a1999d29ed Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.

Fixes #8152.
2025-12-19 16:37:50 -07:00
Daniel Pouzzner cd3e81a656 src/ssl_load.c: in ProcessBufferCert(), check ctx for nullness before accessing ctx->verifyNone (fixes -Wnull-dereference reported by multi-test dtls-no-rsa-no-dh after merge of 36e66eb763). 2025-12-17 11:01:10 -06:00
Ruby Martin 36e66eb763 check if ctx and ssl are null when checking public key in certificate 2025-12-09 17:04:05 -07:00
Josh Holtrop 36418aca76 Set useRsaPss flag in both SSL and CTX structures 2025-11-26 10:30:38 -05:00
Josh Holtrop d766b82bac Remove conditional and just assign boolean result 2025-11-24 15:55:32 -05:00
Josh Holtrop bb8673070a Use uppercase U 2025-11-19 23:52:21 -05:00
Josh Holtrop 268b81c29e TLSv1.3 certificate verify: report rsa_pss_pss_* signature algorithm when supported 2025-11-19 09:47:05 -05:00
Juliusz Sosinowicz d1c321abdc Don't override errors when blinding the priv key 2025-11-12 17:12:22 +01:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Juliusz Sosinowicz f9063c406b Enables dynamic TLS cert loading with OCSP
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
2025-10-03 13:08:11 +02:00
Kareem ec92f76dec Fix tests when building with PEM support disabled by using DER certs/keys. 2025-09-12 16:11:07 -07:00
Daniel Pouzzner 29dd6cce98 wolfssl/wolfcrypt/logging.h: add WOLFSSL_MSG_CERT_LOG_EX, give
WOLFSSL_DEBUG_CERTS definitions priority when defining WOLFSSL_MSG_CERT_LOG()
  and WOLFSSL_MSG_CERT_LOG_EX, update documentation in preamble, and fix the
  WOLFSSL_ANDROID_DEBUG definition of WOLFSSL_DEBUG_PRINTF_FIRST_ARGS and the
  WOLFSSL_ESPIDF definition of WOLFSSL_DEBUG_PRINTF();

src/ssl_load.c: use WOLFSSL_MSG_CERT_LOG_EX(), not WOLFSSL_DEBUG_PRINTF(), in
  ProcessFile().
2025-08-11 16:14:32 -05:00
gojimmypi d64ef34ef8 Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages 2025-08-06 13:57:53 -07:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
gojimmypi ebeb95e47b Initialize Dilithium keyTypeTemp and keySizeTemp 2025-07-09 09:13:14 -07:00
JacobBarthelmeh 7fb750962b Merge pull request #8935 from philljj/fix_coverity
coverity: prune dead code in ssl_sess.c.
2025-06-30 13:32:34 -06:00
jordan 68cf96e7f6 coverity: do not free x509 on error in wolfSSL_add0_chain_cert. 2025-06-27 17:25:28 -05:00
Ruby Martin 7c44f14e77 add apple test to github actions 2025-06-26 08:38:30 -06:00
Brett 877bade216 additional debugging 2025-06-26 08:38:28 -06:00
Brett 7232b3a6bb Apple native cert validation: add WOLFSSL_TEST_APPLE_CERT_VALIDATION feature macro that forces system CA certs on and makes all CA certs added to CM via xxx_load_verify_xxx APIs to instead be loaded as system trust anchors when used for TLS cert verification 2025-06-26 08:38:26 -06:00
Daniel Pouzzner 55460a5261 wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add
WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor
  wolfssl_log() to use it, and move printf setup includes/prototypes from
  logging.c to logging.h;

src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
  to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
  callers;

remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
  and certs/external/baltimore-cybertrust-root.pem.
2025-05-13 20:30:48 -05:00
JacobBarthelmeh c22505a71a Merge pull request #8700 from embhorn/rel_fixes_cs
Fixes from CodeSonar report
2025-04-23 11:36:15 -06:00
Eric Blankenhorn 66b9256f86 Fixes from CodeSonar report 2025-04-22 14:43:01 -05:00
JacobBarthelmeh 73c286ae46 fix possible null dereference, CID 518681 2025-04-18 16:02:46 -06:00
Koji Takeda c05c827d6b Add a space after if and for 2025-04-16 16:26:52 +09:00
Koji Takeda 1252d69a9a Remove trailing spaces 2025-04-12 17:09:36 +09:00
Koji Takeda 29482a3e4d Fix a logic 2025-04-12 13:12:36 +09:00
Koji Takeda 770b6cb9e7 Fix too long lines 2025-04-12 10:58:13 +09:00
Koji Takeda 85c71dacb1 Update src/ssl_load.c
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-04-12 10:01:17 +09:00
Koji Takeda a3862f0e59 Improve ML-DSA private key import 2025-04-11 16:28:54 +09:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Koji Takeda 2f01c9d715 Detect unknown key format 2025-04-03 18:36:05 +09:00
David Garske 4eda5e1f7f Merge pull request #8491 from jmalak/winsock-guard
correct comment for _WINSOCKAPI_ macro manipulation
2025-02-25 09:51:23 -08:00
Reda Chouk 9178c53f79 Fix: Address and clean up code conversion in various files. 2025-02-25 11:17:58 +01:00
Jiri Malak d066e6b9a5 correct comment for _WINSOCKAPI_ macro manipulation
The issue is with MINGW winsock2.h header file which is not compatible
with Miscrosoft version and handle _WINSOCKAPI_ macro differently
2025-02-23 11:15:38 +01:00
Daniel Pouzzner 1e17d737c8 "#undef _WINSOCKAPI_" after defining it to "block inclusion of winsock.h header file", to fix #warning in /usr/x86_64-w64-mingw32/usr/include/winsock2.h. 2025-02-06 18:41:20 -06:00
David Garske 60c5a0ac7f Peer review feedback. Thank you @jmalak 2025-02-04 14:32:24 -08:00
David Garske 345c969164 Fixes for Watcom compiler and new CI test
* Correct cmake script to support Open Watcom toolchain (#8167)
* Fix thread start callback prototype for Open Watcom toolchain (#8175)
* Added GitHub CI action for Windows/Linux/OS2
* Improvements for C89 compliance.
Thank you @jmalak for your contributions.
2025-02-04 12:38:52 -08:00
Daniel Pouzzner b41d46a158 src/ssl.c and src/ssl_load.c: fix syntax flubs in WOLFSSL_DILITHIUM_FIPS204_DRAFT paths. 2025-01-25 10:11:25 -06:00
David Garske 20ae10fd8c Merge pull request #8360 from philljj/dual_alg_mldsa
Update ssl code for ML_DSA.
2025-01-24 11:55:04 -08:00
JacobBarthelmeh 69be9aa211 fix to not stomp on sz with XOF function, restore comment, remove early XFREE call 2025-01-24 11:40:53 -07:00
JacobBarthelmeh 1e3d3ddec7 remove attempting to load a CRL with wolfSSL_CTX_load_verify_locations_ex 2025-01-23 16:30:08 -07:00