which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
sources to include them at the top.
wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
conditionally, config.h. settings.h and wc_port.h are unconditionally
included at the top of types.h.
wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.
Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
files.
Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
wolfssl/wolfcrypt/settings.h to allow coverage testing.
In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.
Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.
Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
for clarity.
- Added validation for digest type in `wolfSSL_OCSP_cert_to_id` function.
- Defined `OCSP_DIGEST` based on available hash types.
- Set `hashAlgoOID` in `certId` based on `OCSP_DIGEST`.
- Updated `asn.h` to define `OCSP_DIGEST` and `OCSP_DIGEST_SIZE` based on
available hash types.
- Search certificate based on responderId
- Verify response signer is authorized for all single responses
- Align with OpenSSL behavior
- Separate wolfSSL_OCSP_basic_verify from verification done during
decoding
No functional changes.
Several compat symbols that were formerly enums are now macros.
All library source is refactored to use only native symbols in all code gated in with --enable-all-crypto --enable-opensslextra.
wolfcrypt/test/test.c is similarly refactored to use only native symbols.
examples/ and tests/ are unmodified except for header setup to disable OPENSSL_COEXIST and TEST_OPENSSL_COEXIST.
* Consolidate the USE_WINDOWS_API to a single place.
* Expand the `WOLFSSL_NOT_WINDOWS_API` improvement for intrinsics and word sizes.
* Fix for macro variadic `...` when no variables are used (some compilers like Watcom C have issue with this).
* Fix for Watcom C compiler "long long" -> "__int64".
* Fix a couple of minor cast warnings reported from VS.
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().
add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
* refactor WOLFSSL_BIO.num and WOLFSSL_BIO.ptr as unions, for clarity and bug resistance (no functional changes).
* in wolfSSL_BIO_free(), add WOLFSSL_BIO_DGRAM to the test for closing bio->num.fd, fixing a descriptor leak.
* use SOCKET_INVALID consistently as the invalid value for WOLFSSL_BIO.num.fd, and use SOCKET_T consistently as the internal type for file descriptors.
* move the definitions for SOCKET_T and SOCKET_INVALID from wolfio.h to the filesystem section of wc_port.h, and allow override definitions of SOCKET_T.
detected and tested with wolfssl-multi-test.sh ... pq-hybrid-all-rpk-valgrind-unittest. also tested with wolfssl-multi-test.sh ... super-quick-check.
1. In CheckOcspResponse(), remove the existing check for UNKNOWN
certificate status. Given the values of ret and ocsp->error, unknown
won't get checked.
2. Separated checks for UKNOWN and REJECTED for logging purposes. Return
that as an error.
3. Anything else should be a failure.
if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;
if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;
for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;
scripts/sniffer-gen.sh: fix illegal exit code (SC2242);
src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();
src/ocsp.c: fix readability-redundant-preprocessor;
src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();
tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;
wolfcrypt/src/asn.c:
fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();
fix readability-redundant-declaration re GetCA() and GetCAByName();
gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);
wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;
tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).
- nginx: add necessary defines and function
- Implement Certificate Authorities for TLS 1.3
- Implement secret logging for TLS 1.3. Can be used for example with:
./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'"
- Implement session context checking for tickets
- Check for authorized responder in OCSP basic response
- Fix handling call to ocsp->statusCb
- compat: Translate SOCKET_PEER_CLOSED_E to WOLFSSL_ERROR_SYSCALL
- Fix wolfSSL_CTX_set_session_cache_mode
- WOLFSSL_SESS_CACHE_OFF means nothing should be on
- WOLFSSL_SESS_CACHE_NO_INTERNAL turns off only the internal cache
- Respect ssl->options.internalCacheOff
- Implement SSL_SESSION_set_time
- wolfSSL_SSL_in_init: fix detection for TLS 1.3
- Fix handling call to ssl->alpnSelect
- SendTls13NewSessionTicket: always generate new ID
- When we send a new ticket for the same session (for example we resumed a connection and are sending a new ticket so that the client can resume in the future), we need to generate a new ID so that we don't overwrite the old session in the cache. Overwriting the session results in the `diff` calculation in `DoClientTicketCheck()` producing the wrong value and failing to resume.
Add nginx github action test
- Fix memory leaks
- wolfSSL_OCSP_basic_verify: implement OCSP_TRUSTOTHER flag
- AKID: implement matching on issuer name and serial number
- ocsp: check for a chain match for OCSP responder
- Split CreateTicket into CreateTicket and SetupTicket
- SendCertificateStatus: free response.buffer
- Use heap hint when allocating responseBuffer
- Remove responseBuffer from internal API's that don't use it anywhere
