Commit Graph

199 Commits

Author SHA1 Message Date
Josh Holtrop 3ca70e585a Allow SubjectInfoAccess extension without id-ad-caRepository entry
Previously parsing a SubjectInfoAccess certificate containing a
SubjectInfoAccess extension that did not contain an id-ad-caRepository
resulted in an error.
2026-05-01 07:57:04 -04:00
Juliusz Sosinowicz 141662edfb Ignore CLAUDE.md 2026-03-18 12:57:27 +01:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00
Paul Adelsbach ebda79fadb Fix OCSP->CRL fallback 2026-02-26 11:44:50 -08:00
Daniel Pouzzner f376ae210e Implement Linux kernel module offline integrity hash calculation:
Add:

* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
2026-02-20 11:09:37 -06:00
Paul Adelsbach 81ae472e50 Add CRL generation code 2026-02-13 10:54:47 -08:00
Daniel Pouzzner 88edcf6c96 Merge pull request #9736 from embhorn/gh9731
Exclude Config.cmake.in in .gitignore
2026-02-05 16:49:35 -06:00
Daniel Pouzzner da426d9c1d Merge pull request #9725 from Frauschi/cmake
CMake fixes and improvements
2026-02-05 16:49:03 -06:00
Daniel Pouzzner 681d09fc3c Merge pull request #9714 from philljj/bsdkm_crypto_accel
bsdkm: x86 crypto acceleration support.
2026-02-05 16:48:03 -06:00
Paul Adelsbach 08c1397cc1 Enable 8 combined OCSP and URLs instead of 1 of each 2026-02-04 11:04:46 -08:00
Eric Blankenhorn 808896e82f Exclude Config.cmake.in in .gitignore 2026-02-03 11:29:34 -06:00
jordan 8ae27c75e4 bsdkm: x86 crypto acceleration support. 2026-02-02 12:00:22 -06:00
Tobias Frauenschläger 540b51eb28 CMake fixes and improvements
* Minor fixes to the CMakeLists.txt
* Add more options to the CMake infrastructure already present in the
  autoconf infrastructure
* An autoconf build now also generates and installs files required to
  consume the installed wolfssl library via CMake.
* Added test for autoconf-CMake interworking

Work is mostly done by Codex and Curser.
2026-02-02 10:26:58 +01:00
Juliusz Sosinowicz 730b0d3e38 Add AGENTS.md to .gitignore 2025-12-29 19:01:50 +01:00
Sean Parkinson ea0793f0af Merge pull request #9428 from dgarske/qat_v5.8.4
Migrate wolfAsyncCrypt repo into wolfSSL proper
2025-11-25 09:33:31 +10:00
jordan 28e4fe3b6c bsdkm: initial wolfcrypt FreeBSD kernel module support. 2025-11-18 01:28:08 -06:00
David Garske a071426bc8 Migrate wolfAsyncCrypt repo into wolfSSL proper 2025-11-14 09:43:59 -08:00
JacobBarthelmeh 05bcd82adc Merge pull request #9191 from holtrop/rust-wrapper
Create initial Rust wrapper structure
2025-09-17 14:20:34 -06:00
Juliusz Sosinowicz c2a3a37c1e Ignore debian/rules 2025-09-16 16:08:01 +02:00
Josh Holtrop 167e76add4 Create initial Rust wrapper structure
Generate bindings to C library with bindgen
Add github CI workflow to build Rust wrapper
2025-09-12 15:49:56 -04:00
Daniel Pouzzner b3944a73c2 linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):

    * get_crypto_default_rng()
    * get_default_drbg_ctx()
    * wc__get_random_bytes()
    * wc_get_random_bytes_user()
    * wc_extract_crng_user()
    * wc_mix_pool_bytes()
    * wc_crng_reseed()
    * wc_get_random_bytes_by_kprobe()
    * wc_get_random_bytes_user_kretprobe_enter()
    * wc_get_random_bytes_user_kretprobe_exit()

    * add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()

    * add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
      * 5.10.17
      * 5.10.236
      * 5.15
      * 5.17
      * 6.1.73
      * 6.12
      * 6.15

    * remove "*.patch" from .gitignore.

    * add linuxkm/patches/regen-patches.sh.

  * in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.

  * in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().

  * in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.

  * in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E.  This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.

  * in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.

linuxkm/x86_vector_register_glue.c:

  * add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()

  * in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.

  * in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.

  * in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.

wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.

wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().

configure.ac:

* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.

* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.

* update linuxkm-lkcapi-register help message.

linuxkm/linuxkm_wc_port.h:

* add my_kallsyms_lookup_name().

* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.

* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.

* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.

linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-07-02 14:25:05 -05:00
gojimmypi 71a982e6b7 sync with upstream 2025-02-03 16:13:05 -08:00
Brett Nicholas 30f372ce16 add autogenerated error trace headers to gitignore 2024-11-21 09:38:11 -08:00
gojimmypi ee24446bee Add Visual Studio 2022 Project Files for wolfSSL, Test, & Benchmark 2024-10-21 14:05:51 -07:00
Joshua Okeleke 337456cc1e Add support for (DevkitPro)libnds 2024-09-18 21:27:53 +02:00
Fernando Oleo Blanco ae7e7e716a Update upstream 2024-08-10 13:56:14 +02:00
gojimmypi 891b986fd4 Clarify WOLFSSL_ROOT location for ESP8266 make builds 2024-06-11 18:13:24 +02:00
gojimmypi fe5e5955bd Introduce IDE/PlatformIO 2024-05-13 19:12:34 -07:00
Fernando Oleo Blanco 4a5373f21b Add Ada/Alire files to gitignore 2024-04-05 23:23:26 +02:00
gojimmypi e40eb3c774 Update Arduino examples; add wolfcrypt breadcrumbs. 2024-03-06 15:13:37 -08:00
David Garske 6f88ed0901 Merge pull request #7177 from gojimmypi/PR-Arduino-Update
Improved Arduino Support: ESP32, Due
2024-02-13 09:43:42 -08:00
gojimmypi ee0e25de5f Improved Arduino Support, ESP32, Due; (+ code review x2) 2024-02-01 08:31:00 -08:00
Lealem Amedie 154841a083 MICROCHIP PIC24 support and example project 2024-01-29 12:50:00 -07:00
Lealem Amedie 837452b1ca Remove user-crypto functionality and Intel IPP support 2023-12-27 12:24:19 -07:00
gojimmypi 5b01270205 Update all Expressif examples, ready for PR #6990 2023-11-22 12:37:15 -08:00
Juliusz Sosinowicz 7baf151c37 CRL verify the entire chain including loaded CA's
- Regen CRL's as most of them are expired
- certs/crl/extra-crls/ca-int-cert-revoked.pem: CRL that revokes certs/intermediate/ca-int-cert.pem signed by certs/ca-cert.pem
- Add CheckCertCRL_ex API to not depend on DecodedCert
- CheckCertCRLList: accept raw serial or hashed version to work with Signers
- Add XELEM_CNT to simplify pre-proc element counting
2023-10-03 11:45:43 +02:00
gojimmypi 5830f921fa ARIA cipher cmake (#6600)
* ARIA Cipher CMake support
2023-09-19 10:57:02 -07:00
Andras Fekete 57e870e0d4 Add Async examples 2023-09-11 12:05:11 -04:00
Andras Fekete f9e5e4d08a Clean up the 'async-check.sh' script
Far too many times I got burned by passing the wrong argument and things getting set up wrong.
2023-09-08 15:05:22 -04:00
Juliusz Sosinowicz 7a12202675 Init deb packaging
- rpm: Simplify script and list wolfSSL as packager
- add packaging github action
2023-08-23 22:01:12 +02:00
JacobBarthelmeh b7b4be8822 Merge pull request #6610 from bigbrett/apple-universal-lib
Apple "universal binary framework" build script and project example
2023-07-19 15:39:24 -06:00
Brett c8209068c2 added apple univeresal binary framework build script and example 2023-07-13 12:02:12 -06:00
David Garske 8f36f78e6c Merge pull request #6400 from bandi13/ARIA-cipher
Aria cipher
2023-07-11 09:50:42 -07:00
Sean Parkinson 3af87f6f93 Moved CertManager APIs into own file
Split out certificate manager APIs into ssl_certman.c.
ssl.c includes ssl_certman.c
Better test coverage.
Minor fixes.
wolfSSL_X509_chain_up_ref calls XFREE with name->heap but name may be
NULL. Check for NULL first.
2023-07-07 15:08:08 -07:00
Andras Fekete 266307da6c Add in ARIA wrappers
Address PR comments + other cleanup


Addressing PR comments


Minor change


Make sure the last line gets output as well


Add in ARIA SHA256 session to internal structure


Add in ARIA SHA384 session to internal structure


Add necessary function for ARIA to extract key


Fix unit tests


Rename HAVE_ARIAGCM to HAVE_ARIA


Move aria.* to wolfcrypt/port/aria


Separate out aria-crypt init functions


Adding in ECC+SHA callbacks


Avoid using AC_CHECK_FILE


Rename Aria to wc_Aria


Don't need special cases


Addressing PR comments


Code cleanup


C89 support


Remove TODO


Add documentation about buffer size


Clean up header files


Use ARIA_DEVID by default if available


Dummy update call to make MagicCrypto happy


Fix for detecting what algo type to use


Documentation


Use the appropriate sign/verify


Collect MagicCrypto functions together (and avoid leaks)


Fall back on other implementations on failure


Fix issue when compiling without CRYPTOCB


Addressing PR comments


Better cleanup


Addressing PR comments


Cleaner exit in case of error
2023-07-06 16:09:23 -04:00
Sean Parkinson a39a04fc88 PEM example: new example for convert between PEM and DER
PEM example converts PEM to DER and DER to PEM.
Supports encrypting DER and writing out as PEM.

Added better support for 40-bit RC2-CBC PBE.
Added AES-128-CBC encryption support with PKCS#5v2.
Fixed handling of iterations to support writing 24-bit values.
Declared enum types for pass to PKCS#8 encryption APIs.

Add more DER and PEM files to certs directory.
Add testing of 'pem' with pem.test script.
2023-07-03 17:20:35 +10:00
oltolm 90b858492f CMake: improve build scripts (#6331)
* make wolfssl compile with Mingw-w64

* cmake: CMAKE_SYSTEM_PROCESSOR is AMD64 on Windows

* cmake: use target_compile_definitions instead of add_definitions

* cmake: change default value of WOLFSSL_BUILD_OUT_OF_TREE_DEFAULT to ON

* cmake: link crypt32.lib on Windows

* cmake: export wolfssl

* move Config.cmake.in to cmake directory

* revert changes to .gitignore

* add Config.cmake.in to include.am
2023-05-17 15:26:46 -06:00
Sean Parkinson 9cdee20a7d ASN.1 print: implementation to parse and print added
New API to parse and print DER/BER data from a buffer.
Add an example to parse DER, Base64 and PEM files and print out ASN.1 items.
2023-05-04 09:57:44 +10:00
David Garske cefd55eb74 Fix for benchmarking shake with custom block size. Using ./benchmark -shake 1024 caused seg fault. 2023-02-08 11:25:53 -08:00
gojimmypi ef63a5287a Ignore old cmake, VisualGDB working & Espressif sdkconfig files 2022-12-06 08:10:14 -08:00