tls ocsp: support lazy cert loading with ocsp stapling

.github/workflows/os-check.yml

@@ -61,6 +61,8 @@ jobs:
           '--enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS ',
           '--enable-all CFLAGS="-DWOLFSSL_CHECK_MEM_ZERO"',
           '--enable-coding=no',
+          '--enable-dtls --enable-dtls13 --enable-ocspstapling --enable-ocspstapling2
+           --enable-cert-setup-cb --enable-sessioncerts',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

IDE/GCC-ARM/Header/user_settings.h

@@ -521,7 +521,7 @@ extern unsigned int my_rng_seed_gen(void);
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/SimplicityStudio/user_settings.h

@@ -438,7 +438,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/WICED-STUDIO/user_settings.h

@@ -515,7 +515,7 @@ extern unsigned int my_rng_seed_gen(void);
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/WINCE/user_settings.h

@@ -646,7 +646,7 @@ C149F3285397DFBD0C6720E14818475C3A50B10880EF9619463173A6D5ED15E7
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/XCODE-FIPSv2/macOS-C++/Intel/user_settings.h

@@ -512,7 +512,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/XCODE-FIPSv2/macOS-C++/M1/user_settings.h

@@ -523,7 +523,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/XCODE-FIPSv2/user_settings.h

@@ -524,7 +524,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/XCODE-FIPSv5/user_settings.h

@@ -605,7 +605,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

IDE/XCODE-FIPSv6/user_settings.h

@@ -665,7 +665,7 @@ extern "C" {
     #define USE_WOLF_STRTOK
     #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
 
-    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+    #define XSTRNSTR(s1,s2,n) wolfSSL_strnstr((s1),(s2),(n))
 
     #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
     #define XMEMSET(b,c,l)    memset((b),(c),(l))

configure.ac

@@ -9857,6 +9857,13 @@ AC_ARG_ENABLE([rpk],
     [ ENABLED_RPK=no ]
     )
 
+# Allows dynamically loading the certificate
+AC_ARG_ENABLE([cert-setup-cb],
+    [AS_HELP_STRING([--enable-cert-setup-cb],[Enable support for dynamically loading TLS certificates (default: disabled)])],
+    [ ENABLED_CERT_SETUP_CB=$enableval ],
+    [ ENABLED_CERT_SETUP_CB=no ]
+    )
+
 # check if should run the trusted peer certs test
 # (for now checking both C_FLAGS and C_EXTRA_FLAGS)
 AS_CASE(["$CFLAGS $CPPFLAGS"],[*'WOLFSSL_TRUST_PEER_CERT'*],[ENABLED_TRUSTED_PEER_CERT=yes])
@@ -10278,6 +10285,9 @@ AS_IF([test "x$ENABLED_DUAL_ALG_CERTS" = "xyes"],
 AS_IF([test "x$ENABLED_RPK" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DHAVE_RPK"])
 
+AS_IF([test "x$ENABLED_CERT_SETUP_CB" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SETUP_CB"])
+
 AS_IF([test "x$ENABLED_ALTNAMES" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_NAMES"])
 

doc/dox_comments/header_files/ocsp.h

@@ -0,0 +1,49 @@
+/*!
+    \ingroup OCSP
+
+    \brief Allocates and initialises an OCSP context.
+
+    This function allocates and initialises a WOLFSSL_OCSP structure for use
+    with OCSP operations.
+
+    \param cm   Pointer to the certificate manager.
+
+    \return Pointer to allocated WOLFSSL_OCSP on success
+    \return NULL on failure
+
+    \sa wc_FreeOCSP
+*/
+WOLFSSL_OCSP* wc_NewOCSP(WOLFSSL_CERT_MANAGER* cm);
+
+/*!
+    \ingroup OCSP
+
+    \brief Frees resources associated with an OCSP context.
+
+    This function releases any resources associated with a WOLFSSL_OCSP structure.
+
+    \param ocsp Pointer to the WOLFSSL_OCSP structure to free.
+
+    \return void
+
+    \sa wc_NewOCSP
+*/
+void wc_FreeOCSP(WOLFSSL_OCSP* ocsp);
+
+/*!
+    \ingroup OCSP
+
+    \brief Checks the OCSP response for a given certificate.
+
+    This function verifies an OCSP response for a specific certificate.
+
+    \param ocsp       Pointer to the WOLFSSL_OCSP structure.
+    \param cert       Pointer to the decoded certificate.
+    \param response   Pointer to the OCSP response buffer.
+    \param responseSz Size of the OCSP response buffer.
+    \param heap       Optional heap pointer.
+
+    \return 0 on success
+    \return <0 on failure
+*/
+int wc_CheckCertOcspResponse(WOLFSSL_OCSP *ocsp, DecodedCert *cert, byte *response, int responseSz, void* heap);