Commit Graph

157 Commits

Author SHA1 Message Date
Hideki Miyazaki 7d1516f4db Merge pull request #10382 from kojo1/doc
Improve arg descriptions in API doc
2026-05-08 15:31:55 +09:00
David Garske e3285850f9 Merge pull request #10289 from julek-wolfssl/zd/21652
TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
2026-05-05 12:46:26 -07:00
Takashi Kojo 691900ac05 Improve argument descriptions 2026-05-02 10:31:03 +09:00
Juliusz Sosinowicz b0fdaa2a6d TLS 1.3: gate 0-RTT on a cache-backed resumption ticket
RFC 8446 section 8 requires any server instance to accept 0-RTT for a
given ClientHello at most once. Prior to this change wolfSSL's behaviour
diverged from that requirement in several ways:

  * ctx->maxEarlyDataSz defaulted to MAX_EARLY_DATA_SZ whenever the
    library was built with WOLFSSL_EARLY_DATA, so servers auto-
    advertised 0-RTT in NewSessionTicket without the application
    asking. RFC 8446 E.5 says 0-RTT MUST NOT be enabled unless
    specifically requested.
  * The post-accept eviction is compiled out under NO_SESSION_CACHE,
    so builds without the cache accepted 0-RTT with no replay defence.
  * Stateless self-encrypted tickets do not carry a session ID on the
    stateless DoClientTicket decrypt path, so wolfSSL_SSL_CTX_remove_
    session could not locate them to evict.
  * wolfSSL_SSL_CTX_remove_session always returned 0 on success
    regardless of whether the session was actually in the cache,
    diverging from OpenSSL's SSL_CTX_remove_session (1 on success,
    0 on not-found).

Changes:
  * src/internal.c: ctx->maxEarlyDataSz defaults to 0; applications
    must opt in with wolfSSL_CTX_set_max_early_data.
  * src/tls13.c: #error when WOLFSSL_EARLY_DATA is built with
    HAVE_SESSION_TICKET and NO_SESSION_CACHE. Escape hatch
    WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY for deployments that take
    application-layer responsibility.
  * wolfssl/internal.h: imply WOLFSSL_TICKET_HAVE_ID from
    WOLFSSL_EARLY_DATA so stateless-ticket issuance populates the
    cache under an ID that eviction can find.
  * src/ssl_sess.c: wolfSSL_SSL_CTX_remove_session returns 1 when the
    session was found (internal-cache hit, or ctx->rem_sess_cb fired
    for an external cache), 0 otherwise. Matches OpenSSL semantics.
  * src/tls13.c: the 0-RTT acceptance condition in CheckPreSharedKeys
    now calls wolfSSL_SSL_CTX_remove_session and checks its return:
    the eviction is the check. If the session was in the cache, 0-RTT
    is accepted and the single-use requirement is satisfied. If not,
    the early_data extension is rejected through the normal path so
    the record layer correctly skips in-flight 0-RTT records.
    WOLFSSL_MSG at each rejection site.
  * doc/dox_comments/header_files/ssl.h: document runtime opt-in.
  * tests: four new tests —
    test_tls13_0rtt_default_off (fails without default-to-0 fix),
    test_tls13_0rtt_stateless_replay (fails without TICKET_HAVE_ID
    implication and remove_session gate),
    test_tls13_remove_session_return (fails without return-value fix),
    test_tls13_0rtt_ext_cache_eviction (fails without ext-cache
    counts-as-found fix).
    test_tls13_early_data explicitly opts in via
    wolfSSL_CTX_set_max_early_data.
    tests/api.c: two SSL_CTX_remove_session == 0 assertions updated
    to == 1.
2026-04-28 14:14:16 +02:00
Roy Carter 6353ad3683 Feat: support openssl compatibility layer functionality for libevent integration
Cosmetic: remove empty whitespace
2026-04-21 19:05:26 +03:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Daniel Pouzzner b2f1c5864d Merge pull request #10021 from dgarske/name_mismatches
Fixes for documentation typos on arguments
2026-03-23 12:26:23 -05:00
David Garske 43f6512e0c Fixes for documentation typos on arguments 2026-03-19 16:39:08 -07:00
Paul Adelsbach 041bb185c6 Add IP SAN matching 2026-03-19 15:10:21 -07:00
Kareem 1103552c37 Code review feedback 2026-01-22 15:46:13 -07:00
Kareem d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
Marco Oliverio 50b39c91da fixup! (d)tls13: check if early data is possible in write_early_data 2026-01-07 14:30:16 +01:00
Kareem ddb2fb628e Add a runtime option to enable or disable the secure renegotation check. 2025-12-30 13:19:04 -07:00
David Garske 1744c11686 Merge pull request #9570 from kareem-wolfssl/variousFixes
Add SSL_get_rfd and SSL_get_wfd.  Various documentation updates.
2025-12-26 07:47:17 -08:00
Anthony Hu 0b5e9c76ed Correct the API docs for wolfSSL_write_early_data() 2025-12-23 10:08:02 -05:00
Kareem fe45b74921 Add trailing newline back to ssl.h. 2025-12-22 11:45:25 -07:00
Kareem adf38007f4 Document wolfSSL_CTX_New's behavior on failure around WOLFSSL_METHOD.
Fixes #9517.
2025-12-19 17:19:45 -07:00
Kareem ac98505204 Document wolfSSL_CTX_set_default_passwd_cb and wolfSSL_CTX_set_default_passwd_cb_userdata.
Fixes #6008.
2025-12-19 17:18:45 -07:00
JacobBarthelmeh d7a852af82 remove unimplemented function macro 2025-12-11 09:32:57 -07:00
Andrew Hutchings 590a02e541 Fix Doxygen parameters 2025-12-03 15:15:32 +00:00
Andrew Hutchings 026fa2dd4e Fix issues with the API documentation 2025-11-21 17:43:55 +00:00
Juliusz Sosinowicz 13f8f66281 Add docs 2025-10-08 13:43:35 +02:00
Juliusz Sosinowicz f9063c406b Enables dynamic TLS cert loading with OCSP
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
2025-10-03 13:08:11 +02:00
Mattia Moffa 4535572428 Use memio in tests, fix ifdef, fix typos 2025-09-23 11:50:21 +02:00
Mattia Moffa 3bdb43eb6a Add support for certificate_authorities extension in ClientHello 2025-09-17 15:33:05 +02:00
Ruby Martin a725f4d7ac update wolfSSL_get_SessionTicket() function dox comment 2025-08-13 08:29:30 -06:00
Josh Holtrop e6eac9b920 Fix inconsistent function prototype parameter names for wolfssl 2025-08-07 09:28:50 -04:00
Anthony Hu a814683684 Rename variable index to idx to avoid conflicting declaration. 2025-05-14 18:26:37 -04:00
Juliusz Sosinowicz cfa6fbfcef Correct wolfSSL_dtls_cid_parse declaration in docs 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz 3ded2bc05d Code review and jenkins fixes 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz daa57c492d DTLS: Add server side stateless and CID QoL API
- wolfDTLS_accept_stateless - statelessly listen for incoming connections
- wolfSSL_inject - insert data into WOLFSSL object
- wolfSSL_SSL(Enable|Disable)Read - enable/disable reading from IO
- wolfSSL_get_wfd - get the write side file descriptor
- wolfSSL_dtls_set_pending_peer - set the pending peer that will be upgraded to regular peer when we successfully de-protect a DTLS record
- wolfSSL_dtls_get0_peer - zero copy access to the peer address
- wolfSSL_is_stateful - boolean to check if we have entered stateful processing
- wolfSSL_dtls_cid_get0_rx - zero copy access to the rx cid
- wolfSSL_dtls_cid_get0_tx - zero copy access to the tx cid
- wolfSSL_dtls_cid_parse - extract cid from a datagram/message
2024-12-18 09:31:24 +01:00
Colton Willey 55be5035a0 Merge branch 'master' of github.com:ColtonWilley/wolfssl into crl_update_cb 2024-11-18 09:52:51 -08:00
David Garske e1116e8e6b Merge pull request #8161 from ColtonWilley/update_ssl_doxy
Update doxygen to use proper types in sample code
2024-11-15 09:43:38 -08:00
Colton Willey dbec1b2b0d Update doxygen to use proper types in sample code 2024-11-07 12:50:55 -08:00
jordan b4e8e57b59 spelling: tiny cleanup. 2024-11-07 07:40:02 -06:00
Andras Fekete b8253ac4c5 Final set of spelling fixes 2024-11-01 12:59:01 -04:00
Colton Willey 720e24209a Updates for doxygen and review comments 2024-09-23 13:29:41 -07:00
Anthony Hu 0de974c3a7 Quick fixup in API doc for wolfSSL_is_init_finished() 2024-06-05 16:40:06 -04:00
Eric Blankenhorn 314afc9e10 Fix doc for wolfSSL_CTX_EnableOCSP 2024-05-21 16:12:23 -05:00
Juliusz Sosinowicz 09de233fc0 Add dox for new API 2024-02-20 14:42:58 +01:00
Marco Oliverio c8f3a8f14b fix: negotiate handshake until the end in wolfSSL_read/wolfSSL_write (#7237)
* tls: negotiate until hs is complete in wolfSSL_read/wolfSSL_write

Don't rely on ssl->options.handShakeSate == HANDSHAKE_DONE to check if
negotiation is needed. wolfSSL_Connect() or wolfSSL_Accept() job may not yet be
completed and/or some messages may be waiting in the buffer because of
non-blocking I/O.

* tests: test case for handshake with wolfSSL_read()/wolfSSL_write()

* doc: clarify wolfSSL_write()

* internal.c: rename: need_negotiate -> ssl_in_handshake
2024-02-15 13:48:19 -08:00
Marco Oliverio 7b0fefbceb doc: update new wolfSSL_read_early_data() behavior 2024-02-12 17:20:15 +01:00
David Garske 1c4d7285d3 Add documentation for HKDF functions. Improve param comments for devId. 2023-12-27 13:56:40 -08:00
Juliusz Sosinowicz fbe79d7317 Code review 2023-12-07 11:13:16 +01:00
Juliusz Sosinowicz 3edfcfe162 Jenkins fixes 2023-11-29 23:17:10 +01:00
Juliusz Sosinowicz 9337cfbb16 Add wolfSSL_get_sigalg_info 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz 7c2344c389 Add API to get information about ciphersuites 2023-11-29 23:04:19 +01:00
Brett 0244c2a254 Add support for new Apple trust APIs with WOLFSSL_SYS_CA_CERTS 2023-10-16 14:37:21 -06:00
Dimitri Papadopoulos f7d7006e87 More typos found by codespell 2023-09-22 11:38:24 +02:00
JacobBarthelmeh 6e9c73eb12 fix parameter typo in dox documentation 2023-09-06 15:38:49 -07:00