Commit Graph

203 Commits

Author SHA1 Message Date
Marco Oliverio b30e0f679c bio: update stale comment 2026-04-10 08:50:30 +02:00
Marco Oliverio 6b74ae5fc5 bio: simplify BIO_gets null-termination, improve ossl compat 2026-04-09 15:18:22 +02:00
Marco Oliverio c07d8634b3 bio: ABI breaking change: use int instead of byte for type 2026-04-08 18:49:40 +02:00
Marco Oliverio 7802a75acd bio: various fixes and improvements
* simplify wolfSSL_BIO_set_conn_hostname, fixing OOB read
* restructure wolfSSL_BIO_ctrl_pending, fixing inverted check and
* ctrlCB checking
* return WOLFSSL_FAILURE in wolfSSL_BIO_up_ref when refInc fails,
  updated test to reflect this
* check arguments for NULL in wolfSSL_BIO_ADDR_size
* replace non-portable type long usigned int with size_t
* wolfSSL_BIO_MEMORY_write: return WOLFSSL_BIO_ERROR on failure instead
  of WOLFSSL_FAILURE, return 0 when len is 0
* wolfSSL_BIO_get_fp: fix type mismatch comparing XFILE* pointer against
  XBADFILE
* wolfSSL_BIO_ctrl: add NULL check on bio before switch
* wolfSSL_BIO_pop: clear bio prev and next pointers after unlinking
* wolfSSL_BIO_gets: place null terminator after actual bytes read from
  BIO_BIO nread
2026-04-08 18:49:40 +02:00
David Garske 6bd1785925 Merge pull request #10004 from julek-wolfssl/zd/21318
Add custom BIO callback dispatching
2026-03-23 09:54:30 -07:00
Daniel Pouzzner 678660e26d src/keys.c and src/tls13.c: add WC_NO_ERR_TRACE() annotations for various initializations.
wolfssl/ssl.h, examples/client/client.c, examples/server/server.c, src/bio.c, tests/api.c: add error tracing for WOLFSSL_SHUTDOWN_NOT_DONE.

tests/api.c: in test_wolfSSL_read_write_ex(), use WOLFSSL_SUCCESS rather than 1 for expected-success wolfSSL_shutdown()s, and add note that the wrong value is being returned (the test currently always fails, which is masked by an always-success retval).
2026-03-22 13:17:47 -05:00
Juliusz Sosinowicz 431ee9e2d8 Implement wolfSSL_BIO_set_init 2026-03-20 17:03:35 +01:00
Juliusz Sosinowicz 84da6d22c8 Address code review 2026-03-20 15:42:50 +01:00
Juliusz Sosinowicz 056ed9e52e Add custom BIO callback dispatching
- Route BIO_ctrl_pending, BIO_reset, and BIO_get_mem_data through the custom method's ctrlCb when set, enabling fully custom BIO types to handle these operations.
- Add test_wolfSSL_BIO_custom_method that exercises a custom BIO with all callbacks (create, destroy, read, write, puts, gets, ctrl) and verifies each callback is invoked via bitfield tracking.
2026-03-18 18:29:27 +01:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Kareem fbb7ae2257 Add NULL check to wolfSSL_BIO_new_accept. 2025-11-11 16:20:09 -07:00
Kareem 8d41d1ca65 Add IPv6 support to wolfSSL_BIO_new_accept and wolfIO_TcpBind. 2025-10-15 15:47:22 -07:00
Daniel Pouzzner 2d1c797b64 fixes from cppcheck-force-source: in src/bio.c:wolfSSL_BIO_vprintf() and
wolfcrypt/src/logging.c:WOLFSSL_MSG_CERT_EX(), add missing gating on
  defined(XVSNPRINTF);

in src/crl.c:CRL_Entry_new(), fix true-positive nullPointerRedundantCheck;

in src/pk.c:_DH_compute_key(), add bounds checking to ForceZero(priv).
2025-08-11 18:12:44 -05:00
David Garske 2db1669713 Merge pull request #8988 from JacobBarthelmeh/visibility
remove WOLFSSL_API in source code when already used in header file
2025-07-24 11:00:55 -07:00
Daniel Pouzzner 2c341a5806 Merge pull request #8990 from JacobBarthelmeh/license
updating license from GPLv2 to GPLv3

(linuxkm tweak to `MODULE_LICENSE("GPL")` to follow.)
2025-07-14 16:14:39 -05:00
JacobBarthelmeh 01cd91cbea removing more locations of WOLFSSL_API used with function implementations 2025-07-10 16:44:28 -06:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Kareem c9d451e857 Fix wolfSSL_BIO_new_connect's handling of IPV6 addresses. 2025-07-10 10:33:46 -07:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Reda Chouk 9178c53f79 Fix: Address and clean up code conversion in various files. 2025-02-25 11:17:58 +01:00
Juliusz Sosinowicz 89aba661fc Changes for libimobiledevice 860ffb 2025-01-27 12:56:49 +01:00
Lealem Amedie eda98712d5 Fix for NO_REALLOC build crash 2025-01-23 16:14:45 -07:00
Lealem Amedie 49a74daebc Fix OPENSSL_ALL build with WOLFSSL_NO_REALLOC 2025-01-23 13:59:30 -07:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
David Garske 6151160e58 Further fixes with NO_TLS to support use with compatibility layer. 2024-12-17 09:24:38 -08:00
gojimmypi 5d86031f57 Initialize vars & change types to appease Windows/VS 2024-11-17 17:50:17 -08:00
Sean Parkinson 86ad96ca29 X509: improve testing coverage 2024-11-13 09:10:22 +10:00
Daniel Pouzzner a2bcbf7ecf additional fixes and peer review for -DOPENSSL_EXTRA -DOPENSSL_COEXIST: cover -DWOLFSSL_QUIC, fix -DNO_ASN, rename WOLFSSL_ASN1_TYPE_* to WOLFSSL_V_ASN1_*, completed nativization of NID_*, and switch to prefix WC_NID_ rather than wc_NID_. 2024-10-31 00:10:21 -05:00
Daniel Pouzzner cf95fdc071 Globally remap & refactor conflicting symbols to allow -DOPENSSL_EXTRA -DOPENSSL_COEXIST, or equivalently, --enable-opensslextra --enable-opensslcoexist.
No functional changes.

Several compat symbols that were formerly enums are now macros.

All library source is refactored to use only native symbols in all code gated in with --enable-all-crypto --enable-opensslextra.

wolfcrypt/test/test.c is similarly refactored to use only native symbols.

examples/ and tests/ are unmodified except for header setup to disable OPENSSL_COEXIST and TEST_OPENSSL_COEXIST.
2024-10-31 00:10:21 -05:00
Sean Parkinson 5f1ddadf71 Regression test fixes
Fix unit tests to not compile when NO_RSA is defined and RSA used.
test_wc_PKCS7_EncodeSignedData: only RSA supported with streaming.
test_wolfSSL_RSA when SP math and SP: CRT parameters required.
test_wolfSSL_OCSP_REQ_CTX to compile with NO_ASN_TIME.
test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS: make sure all objects freed even
on memory allocation failure.
test_wolfSSL_error_cb: don't use bio if is NULL.
test_wolfSSL_BN_enc_dec: don't free a twice on memory allocation error.
test_wc_dilithium_der: remove debug printing
test_othername_and_SID_ext: make sid_oid NULL after free to ensure no
double free on later memory allocation failure.
test_wolfSSL_RSA: don't leak when BN_dup fails.
test_wolfSSL_i2d_ASN1_TYPE: free ASN1 string whn no ASN1 type to put it
into.
test_tls13_rpk_handshake: don't leak on failure
test_dtls_client_hello_timeout_downgrade: only move memory when test is

wolfSSL_certs_clear, wolfSSL_set_SSL_CTX, SetSSL_CTX: Check return from
AllocCopyDer.
d2i_generic: make sure impBuf is only freed once.
wolfSSL_BIO_write: don't dereference front unless it is not NULL.
wolfssl_dns_entry_othername_to_gn: don't free obj twice
wolfSSL_X509_REQ_add1_attr_by_NID: don't access reqAttributes if NULL.
succeeding.
2024-10-11 11:49:01 +10:00
Daniel Pouzzner 794f0d8d19 src/pk.c: add missing "keySz = padded_keySz" in _DH_compute_key() ct cleanup path.
wolfcrypt/src/wc_kyber_poly.c: add SAVE_VECTOR_REGISTERS2()...RESTORE_VECTOR_REGISTERS() wrappers for AVX2 implementations.

src/bio.c and src/ssl.c: add several missing WC_NO_ERR_TRACE()s, and tweak several returns to generate error traces.
2024-09-27 00:28:45 -05:00
Daniel Pouzzner e3301b06f6 OpenSSL coexistence tweaks 2024-09-12 16:37:41 -05:00
Daniel Pouzzner c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
Daniel Pouzzner 806df85477 backfill more missing WC_NO_ERR_TRACE()s on error code operands, and refactor away the obsolete GEN_MEM_ERR macro mechanism in wolfcrypt/src/ecc.c. 2024-09-03 17:44:11 -05:00
Daniel Pouzzner b178138d83 src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT.
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().

wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-28 23:05:04 -05:00
Juliusz Sosinowicz a6a40de249 init sssd support
- Refactor OCSP to separate IO callback
- wolfSSL_BIO_reset: fix return
- CheckCertCRL_ex: return CRL_CERT_DATE_ERR instead of ASN_AFTER_DATE_E
- CheckCertCRL_ex: return most relevant error code
- i2d/d2i APIs: correct parameters handling and return codes
- Custom ASN1 structures: major refactor to make it much more versatile
- Use WOLFSSL_ASSERT_SIZEOF_GE where applicable
- wolfSSL_EVP_SignFinal: implement ecc
- wolfSSL_EVP_VerifyFinal: implement ecc
- OBJ_NAME_do_all: bring closer to OpenSSL functionality
- Correct return of *_push api
- Implement:
  - OCSP_REQ_CTX API
  - d2i_ECPKParameters
  - wolfSSL_sk_insert
  - OCSP_parse_url
  - X509_STORE_set1_param
  - X509_get0_subject_key_id
  - X509_OBJECT_retrieve_by_subject
  - OCSP_sendreq_nbio
2024-08-16 17:22:41 +02:00
Andras Fekete d350ba6c41 remove NULL test with XFREE arguments with dereference 2024-08-06 10:44:59 -04:00
David Garske f9dc5e9f4d Fixes for uses of deprecated sprintf. If C89 remap XSNPRINTF to use sprintf. 2024-07-29 14:03:44 -07:00
David Garske 575df43889 Merge pull request #7768 from JacobBarthelmeh/copyright
update copyright to 2024
2024-07-19 14:27:39 -07:00
Daniel Pouzzner 787397b28e src/bio.c and related:
* refactor WOLFSSL_BIO.num and WOLFSSL_BIO.ptr as unions, for clarity and bug resistance (no functional changes).

* in wolfSSL_BIO_free(), add WOLFSSL_BIO_DGRAM to the test for closing bio->num.fd, fixing a descriptor leak.

* use SOCKET_INVALID consistently as the invalid value for WOLFSSL_BIO.num.fd, and use SOCKET_T consistently as the internal type for file descriptors.

* move the definitions for SOCKET_T and SOCKET_INVALID from wolfio.h to the filesystem section of wc_port.h, and allow override definitions of SOCKET_T.

detected and tested with wolfssl-multi-test.sh ... pq-hybrid-all-rpk-valgrind-unittest. also tested with wolfssl-multi-test.sh ... super-quick-check.
2024-07-19 14:50:26 -05:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Daniel Pouzzner ee7748f2e3 PR7648 20240418-exosip-apis peer review:
* tweak typography;
* move wolfSSL_i2d_X509_PUBKEY() from ssl.c to x509.c;
* in asn.h, add !NO_ASN_OLD_TYPE_NAMES macros to remap old names (ISSUER, SUBJECT, BEFORE, AFTER) by default unless the macros are already defined.
2024-07-16 19:12:19 -05:00
Daniel Pouzzner 9023aeef75 BIO/wolfio: refactor TranslateReturnCode(), wolfSSL_LastError(), and TranslateIoError() into complete+consistent wolfSSL_LastError() and TranslateIoReturnCode(), handling all special cases correctly, and correctly returning WOLFSSL_CBIO_ERR_WANT_WRITE and WOLFSSL_CBIO_ERR_TIMEOUT. use TranslateIoReturnCode() directly in wolfIO_Recv(), wolfIO_Send(), wolfIO_RecvFrom(), wolfIO_SendTo(), and remove now-superfluous TranslateIoError() calls from EmbedReceive(), EmbedSend(), EmbedReceiveFrom(), EmbedSendTo(), EmbedReceiveFromMcast(). 2024-07-16 19:12:19 -05:00
Daniel Pouzzner 5298039d09 fixes from peer review: move OS-specific code from wolfSSL_BIO_read() and wolfSSL_BIO_write() to wolfIO_Recv(), wolfIO_Send(), wolfIO_RecvFrom(), and wolfIO_SendTo(); add SOCKET_ETIMEDOUT definitions to wolfio.h; misc cleanups. 2024-07-16 19:12:19 -05:00
Daniel Pouzzner 0c1163f01f src/bio.c: restore inadvertently removed update of bio->connected in wolfSSL_BIO_ctrl() case BIO_CTRL_DGRAM_SET_CONNECTED. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner 1159fc333f src/bio.c: in wolfSSL_BIO_ADDR_size(), add missing gate on HAVE_SYS_UN_H for AF_UNIX. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner 51c49b678e src/bio.c: fix gating for WOLFSSL_BIO_DGRAM handling. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner 0a928ead3f address peer review around WOLFSSL_HAVE_BIO_ADDR:
refactor housekeeping for bio->bytes_read and bio->bytes_write, and add WOLFSSL_BIO_HAVE_FLOW_STATS gate;

add WOLFSSL_BIO_FLAG_RETRY housekeeping for WOLFSSL_BIO_SOCKET and WOLFSSL_BIO_DGRAM;

refactor WOLFSSL_BIO.peer_addr to be inline rather than a pointer;

add wolfSSL_set_mtu_compat() and wolfSSL_CTX_load_verify_locations_compat() implementations;

enable WOLFSSL_HAVE_BIO_ADDR and WOLFSSL_DTLS_MTU when OPENSSL_ALL.
2024-07-16 19:12:18 -05:00