feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity
17,089 Commits 28 Branches 172 Tags
a6b948ae590c4876fc101c192594c667fabb6f02
Commit Graph

1919 Commits

Author SHA1 Message Date
Sean Parkinson bf37845e2d Merge pull request #4680 from JacobBarthelmeh/certs 
update certificate expiration dates and fix autorenew
 2021-12-22 08:48:35 +10:00
JacobBarthelmeh c0f8fd5f5d update certificate dates and fix autorenew 2021-12-20 16:04:05 -08:00
Anthony Hu 7d4c13b9a4 --with-liboqs now defines HAVE_LIBOQS and HAVE_PQC 
AKA: The Great Rename of December 2021
 2021-12-20 11:48:03 -05:00
David Garske ce4f436d0f Merge pull request #4587 from SparkiDev/dis_algs_fix_1 
Disable algorithms: fixes
 2021-12-19 20:12:30 -08:00
Juliusz Sosinowicz 21a5a571e8 Fix test_wolfSSL_BIO_should_retry test 
When `OPENSSL_COMPATIBLE_DEFAULTS` is defined then `SSL_MODE_AUTO_RETRY` is set on context creation. For this test we need to clear this mode so that the `WOLFSSL_CBIO_ERR_WANT_READ` can propagate up to the user.
 2021-12-17 12:32:25 +01:00
David Garske dec78169bf Merge pull request #4658 from julek-wolfssl/apache-2.4.51 
Add Apache 2.4.51 support
 2021-12-16 08:52:10 -08:00
Juliusz Sosinowicz e78f7f734e Add Apache 2.4.51 support 
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
 2021-12-16 12:39:38 +01:00
Chris Conlon 5172130287 add wc_GetPubKeyDerFromCert(), get pub key DER from DecodedCert 2021-12-15 11:04:52 -07:00
Hayden Roche 92d207a1cd Add wc_d2i_PKCS12_fp to parse a PKCS #12 file directly in wolfCrypt. 2021-12-13 15:28:34 -08:00
Daniel Pouzzner 355b779a3e feature gating tweaks to better support --disable-rsa --disable-dh --disable-dsa. also a whitespace fix in ssl.c. 2021-12-11 14:08:04 -06:00
Hayden Roche 6764e7c15f Make wolfCrypt ASN cert parsing functionality public. 
Currently, the `ParseCert` function is only available if `WOLFSSL_ASN_API` is
defined to `WOLFSSL_API`. The only way to achieve this without enabling the
compatibility layer is to define `WOLFSSL_TEST_CERT`. There are users defining
this so that they can parse certs with wolfCrypt, even though this doesn't seem
to be the original intent of the define. This commit adds the function
`wc_ParseCert` to the public wolfCrypt API. It's simply a wrapper around
`ParseCert`. Similarly, this commit adds `wc_InitDecodedCert` and
`wc_FreeDecodedCert` to the public API, which are wrappers around
`InitDecodedCert` and `FreeDecodedCert`, respectively.
 2021-12-10 10:43:28 -08:00
Sean Parkinson 6da0cc1ced Merge pull request #4600 from dgarske/cust_oid 
Support for Custom OID in subject and CSR request extension
 2021-12-09 11:24:30 +10:00
David Garske b4c6140b64 Merge pull request #4442 from julek-wolfssl/kerberos 
Add Kerberos 5 support
 2021-12-02 09:07:34 -08:00
David Garske 5c172ca955 Merge pull request #4622 from douzzer/fix-wolfsentry-build 
wolfsentry fixes re HAVE_EX_DATA and wolfsentry_sockaddr
 2021-12-01 08:16:07 -08:00
Sean Parkinson d06ada2ccc Merge pull request #4610 from julek-wolfssl/nginx-1.21.4 
Add support for Nginx 1.21.4
 2021-12-01 22:27:12 +10:00
Juliusz Sosinowicz aac1b406df Add support for Nginx 1.21.4 
- Add KEYGEN to Nginx config
- Check for name length in `wolfSSL_X509_get_subject_name`
- Refactor `wolfSSL_CONF_cmd`
- Implement `wolfSSL_CONF_cmd_value_type`
- Don't forecfully overwrite side
- `issuerName` should be `NULL` since the name is empty
 2021-12-01 09:49:52 +01:00
Daniel Pouzzner 3f65916f3a HAVE_EX_DATA: fix wolfssl/ssl.h and tests/api.c to build -DHAVE_EX_DATA but -UOPENSSL_EXTRA. 2021-11-30 23:39:16 -06:00
JacobBarthelmeh b69a1c860c Merge pull request #3996 from cconlon/pkcs7_detachedhash 
adjust PKCS7_VerifySignedData to correctly verify precomputed content hash with detached signature
 2021-11-30 12:46:46 -08:00
David Garske 7524ededd3 Support for Custom OID in subject and CSR request extension: 
* Adds new build option `WOLFSSL_CUSTOM_OID` for supplying a custom OID in a CSR
* Fixes in ASN template CSR generation.
* Fix to allow calling `wc_Ed25519PublicKeyToDer` and `wc_Ed448PublicKeyToDer` with NULL output buffer to get length only.
* Refactor of the certificate subject name encoding.
* Refactor of the OID's to consolidate.
* Improvements to the Domain Component API unit test.
ZD 12943
 2021-11-23 09:51:13 -08:00
Juliusz Sosinowicz 1d7b2de074 Code review changes 2021-11-22 11:48:31 +01:00
Juliusz Sosinowicz 3da810cb1b Implement OpenSSL API's 
- `OBJ_DUP`
- `i2d_PKCS7`
- `BN_rshift1
- `BN_rshift` testing
- Add `--enable-krb`
 2021-11-22 11:47:58 +01:00
Juliusz Sosinowicz e7c5f137be Implement BN_rand_range 2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz ccbe184434 Implement CTS 
Ciphertext stealing on top of CBC is implemented with `wolfSSL_CRYPTO_cts128_encrypt` and `wolfSSL_CRYPTO_cts128_decrypt` APIs
 2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz fa662c2ab1 AES_cbc_encrypt enc parameter flipped. 1 = encrypt 0 = decrypt 
This change makes the `enc` parameter of `AES_cbc_encrypt` consistent with OpenSSL. This commit flips the meaning of this parameter now.
 2021-11-22 11:45:27 +01:00
Chris Conlon c3500fa24e Merge pull request #4581 from miyazakh/max_earlydata 
add get_max_eraly_data
 2021-11-19 09:42:01 -07:00
Sean Parkinson 5a72fee3df Disable algorithms: fixes 
WOLFSSL_PUBLIC_MP and disable algorithms didn't work because of api.c.
 - mp_cond_copy not available unless ECC compiled in
 - wc_export_int not available unless ECC compiled in
Enabling only DH and using SP with SP Math didn't work as the DH
parameters were too small.
sp_cmp is needed when only DH.
mp_set_int is was not available in SP math when RSA is not defined.
mp_set is close enough for the use cases.
Configure with SP and SP math but not RSA, DH and ECC didn't configure -
now default to small maths.
 2021-11-19 16:56:33 +10:00
David Garske 2841b5c93b Merge pull request #3010 from kaleb-himes/ZD10203 
Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA
 2021-11-18 14:47:25 -08:00
Hideki Miyazaki 7da0d524ff add get_max_eraly_data 
support set/get_max_eraly_data compatibility layer
 2021-11-18 09:07:32 +09:00
Masashi Honma 4800db1f9d Enable max/min int test even when non 64bit platform 
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
 2021-11-18 06:58:21 +09:00
Juliusz Sosinowicz 361975abbc Refactor sk_*_free functions 
Use a single `wolfSSL_sk_pop_free` and `wolfSSL_sk_free` function that free's the stack and optionally free's the node content as well.
 2021-11-12 13:55:37 +01:00
kaleb-himes 6547bcb44c Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA 2021-11-11 17:47:17 -07:00
David Garske bd0f6736c5 Merge pull request #4513 from masap/wpa_sup_dpp 
Fix X509_PUBKEY_set() to show correct algorithm and parameters
 2021-11-09 10:26:59 -08:00
Daniel Pouzzner 0b4f34d62a typographic cleanup: fix whitespace, remove unneeded UTF-8, convert C++ comment constructs to C. 2021-11-08 17:35:05 -06:00
Masashi Honma ee39fd079f Fix X509_PUBKEY_set() to show correct algorithm and parameters 
When build with OpenSSL, trailing program outputs these messages.

algorithm: id-ecPublicKey
parameters: prime256v1

But with wolfSSL, X509_PUBKEY_get0_param() fails.
This patch fixes wolfSSL to display the same values as OpenSSL.

This program was extracted from wpa_supplicant in order to reproduce the
issue.

----------------
int main(void)
{
    EVP_PKEY *pkey;
    X509_PUBKEY *pub = NULL;
    ASN1_OBJECT *ppkalg, *poid;
    const ASN1_OBJECT *pa_oid;
    const uint8_t *pk;
    int ppklen, ptype;
    X509_ALGOR *pa;
    void *pval;
    char buf[100];
    const uint8_t data[] = {
        0x30, 0x39, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
        0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x22, 0x00, 0x03, 0x33, 0x6d, 0xb4, 0xe9, 0xab,
        0xf1, 0x1c, 0x96, 0x87, 0x5e, 0x02, 0xcc, 0x92, 0xaf, 0xf6, 0xe1, 0xed, 0x2b, 0xb2, 0xb7, 0xcc,
        0x3f, 0xd2, 0xb5, 0x4e, 0x6f, 0x20, 0xc7, 0xea, 0x2f, 0x3f, 0x42
    };
    size_t data_len = sizeof(data);
    const uint8_t *p;
    int res;

    p = data;
    pkey = d2i_PUBKEY(NULL, &p, data_len);
    if (!pkey) {
        fprintf(stderr, "d2i_PUBKEY() failed\n");
        return -1;
    }

    if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
        fprintf(stderr, "invalid type\n");
        EVP_PKEY_free(pkey);
        return -1;
    }

    res = X509_PUBKEY_set(&pub, pkey);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_set() failed\n");
        return -1;
    }

    res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_get0_param() failed\n");
        return -1;
    }
    res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "algorithm: %s\n", buf);

    X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
    if (ptype != V_ASN1_OBJECT) {
        fprintf(stderr, "X509_ALGOR_get0() failed\n");
        return -1;
    }
    poid = pval;
    res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "parameters: %s\n", buf);

    X509_PUBKEY_free(pub);
    EVP_PKEY_free(pkey);
    return 0;
}

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
 2021-11-09 07:30:58 +09:00
David Garske 478f57b347 Merge pull request #4535 from kareem-wolfssl/zd13165 
Fix building with NO_ECC_KEY_EXPORT.
 2021-11-08 11:11:53 -08:00
David Garske 4fe17cc143 Merge pull request #4527 from julek-wolfssl/zd13097 
Fix a heap buffer overflow with mismatched PEM structure ZD13097
 2021-11-05 08:50:28 -07:00
Chris Conlon ae84a2a326 Merge pull request #4293 from TakayukiMatsuo/set_min_proto 
Add support for value zero as version parameter for SSL_CTX_set_min/max_proto_version
 2021-11-04 14:59:34 -06:00
Juliusz Sosinowicz 1faa9e66b6 Check wolfSSL_BIO_read return 2021-11-04 15:34:33 +01:00
Kareem 60a86157c7 Fix building with NO_ECC_KEY_EXPORT. 2021-11-03 16:03:26 -07:00
Juliusz Sosinowicz 23487a4532 Fix a heap buffer overflow with mismatched PEM structure ZD13097 2021-11-02 11:31:22 +01:00
Daniel Pouzzner 6ba55edd50 fix async warnings 2021-10-29 14:37:39 -06:00
David Garske 6b3ff9bae2 Merge pull request #4459 from julek-wolfssl/missing-ext 
Add x509 name attributes and extensions to DER parsing and generation
 2021-10-28 14:30:37 -07:00
David Garske 6bb7e3900e Merge pull request #4511 from JacobBarthelmeh/Testing 
build fixes and PKCS7 BER encoding fix
 2021-10-28 10:52:58 -07:00
Juliusz Sosinowicz 8cba5dda17 Need to free x509 in tests 2021-10-28 14:50:53 +02:00
Juliusz Sosinowicz a738c16b2f Can't have macros within macros 2021-10-28 14:50:53 +02:00
Juliusz Sosinowicz 7d6f8ea255 Update wrong email in gen script 2021-10-28 14:50:53 +02:00
Juliusz Sosinowicz a6be157628 Gate new AKID functionality on WOLFSSL_AKID_NAME 2021-10-28 14:50:53 +02:00
Juliusz Sosinowicz d9af698aa4 Implement raw AKID with WOLFSSL_ASN_TEMPLATE 2021-10-28 14:50:53 +02:00
Juliusz Sosinowicz c162196b27 Add x509 name attributes and extensions to DER parsing and generation 
- Postal Code
- Street Address
- External Key Usage
- Netscape Certificate Type
- CRL Distribution Points
- Storing full Authority Key Identifier information
- Add new certificates to `certs/test` for testing
- Update WOLFSSL_ASN_TEMPLATE to match new features
 2021-10-28 14:50:53 +02:00
David Garske c16f0db1b5 Fixes for handling WC_PENDING_E async responses in API unit test and examples. Resolves all issues with --enable-all --enable-asynccrypt --with-intelqa=. 2021-10-27 15:08:39 -07:00