Commit Graph

129 Commits

Author SHA1 Message Date
kaleb-himes afb90dd2da Fix private key lock issues in master 2026-05-08 17:08:38 -06:00
Jeremiah Mackey 31c69bfdbc harden SSL config and session 2026-05-07 02:31:51 +00:00
JacobBarthelmeh fc51a38094 Merge pull request #10135 from lealem47/nid_ED
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Daniel Pouzzner df486d8cd5 src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (detected by armel build);
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);

wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
2026-04-25 11:47:25 -05:00
David Garske 21921408b9 Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
Mattia Moffa fc63047411 Additional related minor fixes 2026-04-20 18:11:16 +02:00
Juliusz Sosinowicz a82828b3ac Zeroize RSA DER buffer in CTX_use_RSAPrivateKey before free
F-2145

wolfSSL_CTX_use_RSAPrivateKey staged the RSA private key DER (PKCS#1:
n, e, d, p, q, dP, dQ, qInv) in a heap buffer and freed it without
ForceZero. Zeroize before XFREE.
2026-04-17 16:47:19 +02:00
Daniel Pouzzner d8085cc427 src/ssl_load.c, wolfssl/ssl.h, tests/api.c: rename wolfSSL*PrivateKey_id() to wolfSSL*PrivateKey_Id_ex(), and add missing WOLF_PRIVATE_KEY_ID gating. 2026-04-15 11:53:06 -05:00
Sean Parkinson 5ad6097f15 Merge pull request #10168 from night1rider/zd-21534
Address bug fixes sent in by ZD 21534
2026-04-15 09:11:04 +10:00
Colton Willey ae1da8af43 Add missing NULL checks in public API functions
Add NULL and bounds validation to public API entry points that
were missing basic argument checks. Fixes span ALPN, session cache,
X509, SRP, PrivateKey ID/Label, and OBJ_obj2txt.
2026-04-13 19:05:41 -07:00
Zackery Backman 0ab5401edf Fix cast-away-const in ws_ctx_ssl_set_tmp_dh: allocate DerBuffer with actual size and copy data instead of pointing at caller's const buffer, which caused FreeDer to free non-owned memory. 2026-04-13 11:32:51 -06:00
Zackery Backman 4594f3f275 Copy-paste error in ProcessBufferCertPublicKey and ProcessBufferCertAltPublicKey, Fix #endif comments closing WOLFSSL_SM2/SM3 blocks, not HAVE_ED25519 2026-04-13 11:32:51 -06:00
Zackery Backman 2a0d76cf63 Fix DH encoding check in wolfSSL_CTX_set_tmp_dh: && to || and < to <= to catch single-param failure and zero-length, matching wolfSSL_set_tmp_dh. 2026-04-13 11:32:51 -06:00
Zackery Backman 886ca031d0 Fix == vs = in wolfSSL_add1_chain_cert so ret captures up_ref result instead of comparing against it, matching wolfSSL_CTX_add1_chain_cert 2026-04-13 11:32:51 -06:00
Zackery Backman 0a152dd482 Fix inverted AllocDer success check in wolfSSL_use_AltPrivateKey_Label 2026-04-13 11:32:51 -06:00
Zackery Backman 72c1dd7290 Fix inverted AllocDer success check in wolfSSL_use_AltPrivateKey_Id 2026-04-13 11:32:51 -06:00
Paul Adelsbach 6f7e5d030b Use size_t in wolfSSL_strnstr and reject negative indices in mp_get_digit 2026-04-10 10:48:17 -07:00
Lealem Amedie d385ae9c29 add Ed25519 and Ed448 support to the EVP_PKEY layer
- Add WC_EVP_PKEY_ED25519 / WC_EVP_PKEY_ED448 type constants and
   matching EVP_PKEY_ED25519 / EVP_PKEY_ED448 OpenSSL aliases.
  - Extend WOLFSSL_EVP_PKEY with ed25519/ed448 fields and ownership
   bits, and free them in wolfSSL_EVP_PKEY_free().
  - Add d2i probe functions that accept both SubjectPublicKeyInfo /
   PKCS#8 PrivateKeyInfo encodings and raw 32/57-byte key material,
   and hook them into the d2i_evp_pkey_try() chain.
  - Map the Ed25519/Ed448 signature OIDs in the relevant lookups and
   teach the PEM key-format dispatch and SSL_CTX_use_PrivateKey
   switch about the new types.
2026-04-06 12:32:25 -06:00
Eric Blankenhorn 8f787909da Fix from review 2026-02-24 11:17:42 -06:00
Eric Blankenhorn 2ae3164c6f Fix cert chain size issue 2026-02-24 09:27:42 -06:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Daniel Pouzzner 8e6ebdb8ac Merge pull request #9723 from SparkiDev/ssl_split_cert
Split out code form ssl.c and pk.c
2026-02-05 18:21:36 -06:00
Tobias Frauenschläger 90be76cb94 Misc fixes and improvements regarding PKCS#11 2026-01-29 18:39:15 +01:00
Sean Parkinson be4584784c Split out code form ssl.c and pk.c
Move EC and RSA code out of pk.c into separate file.

Move out of ssl.c into separate files:
  - Certificate APIs
  - CRL/OCSP APIs
  - Public Key APIs
  - ECH

Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.

Fix formatting.
2026-01-29 18:49:56 +10:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
Kareem a1999d29ed Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.

Fixes #8152.
2025-12-19 16:37:50 -07:00
Daniel Pouzzner cd3e81a656 src/ssl_load.c: in ProcessBufferCert(), check ctx for nullness before accessing ctx->verifyNone (fixes -Wnull-dereference reported by multi-test dtls-no-rsa-no-dh after merge of 36e66eb763). 2025-12-17 11:01:10 -06:00
Ruby Martin 36e66eb763 check if ctx and ssl are null when checking public key in certificate 2025-12-09 17:04:05 -07:00
Josh Holtrop 36418aca76 Set useRsaPss flag in both SSL and CTX structures 2025-11-26 10:30:38 -05:00
Josh Holtrop d766b82bac Remove conditional and just assign boolean result 2025-11-24 15:55:32 -05:00
Josh Holtrop bb8673070a Use uppercase U 2025-11-19 23:52:21 -05:00
Josh Holtrop 268b81c29e TLSv1.3 certificate verify: report rsa_pss_pss_* signature algorithm when supported 2025-11-19 09:47:05 -05:00
Juliusz Sosinowicz d1c321abdc Don't override errors when blinding the priv key 2025-11-12 17:12:22 +01:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Juliusz Sosinowicz f9063c406b Enables dynamic TLS cert loading with OCSP
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
2025-10-03 13:08:11 +02:00
Kareem ec92f76dec Fix tests when building with PEM support disabled by using DER certs/keys. 2025-09-12 16:11:07 -07:00
Daniel Pouzzner 29dd6cce98 wolfssl/wolfcrypt/logging.h: add WOLFSSL_MSG_CERT_LOG_EX, give
WOLFSSL_DEBUG_CERTS definitions priority when defining WOLFSSL_MSG_CERT_LOG()
  and WOLFSSL_MSG_CERT_LOG_EX, update documentation in preamble, and fix the
  WOLFSSL_ANDROID_DEBUG definition of WOLFSSL_DEBUG_PRINTF_FIRST_ARGS and the
  WOLFSSL_ESPIDF definition of WOLFSSL_DEBUG_PRINTF();

src/ssl_load.c: use WOLFSSL_MSG_CERT_LOG_EX(), not WOLFSSL_DEBUG_PRINTF(), in
  ProcessFile().
2025-08-11 16:14:32 -05:00
gojimmypi d64ef34ef8 Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages 2025-08-06 13:57:53 -07:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
gojimmypi ebeb95e47b Initialize Dilithium keyTypeTemp and keySizeTemp 2025-07-09 09:13:14 -07:00
JacobBarthelmeh 7fb750962b Merge pull request #8935 from philljj/fix_coverity
coverity: prune dead code in ssl_sess.c.
2025-06-30 13:32:34 -06:00
jordan 68cf96e7f6 coverity: do not free x509 on error in wolfSSL_add0_chain_cert. 2025-06-27 17:25:28 -05:00
Ruby Martin 7c44f14e77 add apple test to github actions 2025-06-26 08:38:30 -06:00
Brett 877bade216 additional debugging 2025-06-26 08:38:28 -06:00
Brett 7232b3a6bb Apple native cert validation: add WOLFSSL_TEST_APPLE_CERT_VALIDATION feature macro that forces system CA certs on and makes all CA certs added to CM via xxx_load_verify_xxx APIs to instead be loaded as system trust anchors when used for TLS cert verification 2025-06-26 08:38:26 -06:00
Daniel Pouzzner 55460a5261 wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add
WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor
  wolfssl_log() to use it, and move printf setup includes/prototypes from
  logging.c to logging.h;

src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
  to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
  callers;

remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
  and certs/external/baltimore-cybertrust-root.pem.
2025-05-13 20:30:48 -05:00
JacobBarthelmeh c22505a71a Merge pull request #8700 from embhorn/rel_fixes_cs
Fixes from CodeSonar report
2025-04-23 11:36:15 -06:00
Eric Blankenhorn 66b9256f86 Fixes from CodeSonar report 2025-04-22 14:43:01 -05:00
JacobBarthelmeh 73c286ae46 fix possible null dereference, CID 518681 2025-04-18 16:02:46 -06:00