feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity
17,575 Commits 28 Branches 172 Tags
ccc5952369e8162670aaea1a007ca63ec6d72cc7
Commit Graph

1979 Commits

Author SHA1 Message Date
Marco Oliverio
7edc916057 wolfcrypt/wolfssl: tests: adding missing wc_Aes*Free() 
In some Aes implementation this may leak resources
 2021-12-30 20:30:33 +01:00
David Garske
930cad649e Fix to resolve possible memory leak with DSA wc_DsaPublicKeyDecode in API unit test when used with HAVE_WOLF_BIGINT. 2021-12-28 16:34:54 -08:00
David Garske
569c066fab Improve TLS client side session cache references to provide option for not returning an internal session cache pointer. Now use wolfSSL_get1_sesson for reference logic, that requires calling wolfSSL_SESSION_free. To disable this feature use NO_SESSION_CACHE_REF. 2021-12-23 14:25:45 -08:00
David Garske
57d2555ac8 Merge pull request #4695 from douzzer/20211222-fips-config-update-and-fix-test_RsaDecryptBoundsCheck 
fips config update and test-driven cleanup
 2021-12-23 10:38:36 -08:00
Chris Conlon
9892f1f2d5 Merge pull request #4679 from dgarske/fips_ecc_pct 2021-12-23 10:27:51 -07:00
Daniel Pouzzner
b0a5b16068 api.c: fix logic in test_RsaDecryptBoundsCheck(). 2021-12-22 17:32:36 -06:00
David Garske
38214bd083 Disable the FIPS consistency checks in ECC and DH for key generation by default. 2021-12-22 10:06:19 -08:00
David Garske
9d137668c7 Merge pull request #4675 from julek-wolfssl/openssh-8.8 
Fix macro name conflicts with openssh
 2021-12-22 08:31:36 -08:00
Juliusz Sosinowicz
8435eb4644 Add WC_ namespace to variable handling defines 2021-12-22 12:16:02 +01:00
Juliusz Sosinowicz
dd9b1afb72 Remove magic numbers from WOLFSSL_ASN_TEMPLATE code (#4582) 
* pkcs8KeyASN and other misc asn fixes

- Test fixes for testing with `USE_CERT_BUFFERS_1024`

* intASN

* bitStringASN

* objectIdASN

* algoIdASN

* rsaKeyASN

* pbes2ParamsASN

* pbes1ParamsASN

* pkcs8DecASN

* p8EncPbes1ASN

* rsaPublicKeyASN

* dhParamASN

* dhKeyPkcs8ASN

* dsaKeyASN

* dsaPubKeyASN

- Add `wc_SetDsaPublicKey` without header testing

* dsaKeyOctASN

* rsaCertKeyASN

* eccCertKeyASN

* rdnASN

* certNameASN

* digestInfoASN

* otherNameASN

* altNameASN

* basicConsASN

* crlDistASN

* accessDescASN

* authKeyIdASN

* keyUsageASN

* keyPurposeIdASN

* subTreeASN

* nameConstraintsASN

* policyInfoASN

* certExtHdrASN

* certExtASN

* x509CertASN

* reqAttrASN

* strAttrASN

* certReqASN

* eccPublicKeyASN

* edPubKeyASN

* ekuASN

* nameASN

* certExtsASN

* sigASN

* certReqBodyASN_IDX_EXT_BODY

* dsaSigASN

* eccSpecifiedASN

* eccKeyASN

* edKeyASN

* singleResponseASN

* respExtHdrASN

* ocspRespDataASN

* ocspBasicRespASN

* ocspResponseASN

* ocspNonceExtASN

* ocspRequestASN

* revokedASN

* crlASN

* pivASN

* pivCertASN

* dateASN

* `wc_SetDsaPublicKey` was not including `y` in the sequence length

* All index names changed to uppercase

* Shorten names in comments

* Make sure extensions have sequence header when in cert gen

* Fix/refactor size calc in `SetNameEx`

* Pad blocks for encryption

* Add casting for increased enum portability

* Use stack for small ASN types
 2021-12-22 11:28:01 +10:00
Sean Parkinson
bf37845e2d Merge pull request #4680 from JacobBarthelmeh/certs 
update certificate expiration dates and fix autorenew
 2021-12-22 08:48:35 +10:00
JacobBarthelmeh
c0f8fd5f5d update certificate dates and fix autorenew 2021-12-20 16:04:05 -08:00
Anthony Hu
7d4c13b9a4 --with-liboqs now defines HAVE_LIBOQS and HAVE_PQC 
AKA: The Great Rename of December 2021
 2021-12-20 11:48:03 -05:00
David Garske
ce4f436d0f Merge pull request #4587 from SparkiDev/dis_algs_fix_1 
Disable algorithms: fixes
 2021-12-19 20:12:30 -08:00
Juliusz Sosinowicz
21a5a571e8 Fix test_wolfSSL_BIO_should_retry test 
When `OPENSSL_COMPATIBLE_DEFAULTS` is defined then `SSL_MODE_AUTO_RETRY` is set on context creation. For this test we need to clear this mode so that the `WOLFSSL_CBIO_ERR_WANT_READ` can propagate up to the user.
 2021-12-17 12:32:25 +01:00
David Garske
dec78169bf Merge pull request #4658 from julek-wolfssl/apache-2.4.51 
Add Apache 2.4.51 support
 2021-12-16 08:52:10 -08:00
Juliusz Sosinowicz
e78f7f734e Add Apache 2.4.51 support 
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
 2021-12-16 12:39:38 +01:00
Chris Conlon
5172130287 add wc_GetPubKeyDerFromCert(), get pub key DER from DecodedCert 2021-12-15 11:04:52 -07:00
Hayden Roche
92d207a1cd Add wc_d2i_PKCS12_fp to parse a PKCS #12 file directly in wolfCrypt. 2021-12-13 15:28:34 -08:00
Daniel Pouzzner
355b779a3e feature gating tweaks to better support --disable-rsa --disable-dh --disable-dsa. also a whitespace fix in ssl.c. 2021-12-11 14:08:04 -06:00
Hayden Roche
6764e7c15f Make wolfCrypt ASN cert parsing functionality public. 
Currently, the `ParseCert` function is only available if `WOLFSSL_ASN_API` is
defined to `WOLFSSL_API`. The only way to achieve this without enabling the
compatibility layer is to define `WOLFSSL_TEST_CERT`. There are users defining
this so that they can parse certs with wolfCrypt, even though this doesn't seem
to be the original intent of the define. This commit adds the function
`wc_ParseCert` to the public wolfCrypt API. It's simply a wrapper around
`ParseCert`. Similarly, this commit adds `wc_InitDecodedCert` and
`wc_FreeDecodedCert` to the public API, which are wrappers around
`InitDecodedCert` and `FreeDecodedCert`, respectively.
 2021-12-10 10:43:28 -08:00
Sean Parkinson
6da0cc1ced Merge pull request #4600 from dgarske/cust_oid 
Support for Custom OID in subject and CSR request extension
 2021-12-09 11:24:30 +10:00
David Garske
b4c6140b64 Merge pull request #4442 from julek-wolfssl/kerberos 
Add Kerberos 5 support
 2021-12-02 09:07:34 -08:00
David Garske
5c172ca955 Merge pull request #4622 from douzzer/fix-wolfsentry-build 
wolfsentry fixes re HAVE_EX_DATA and wolfsentry_sockaddr
 2021-12-01 08:16:07 -08:00
Sean Parkinson
d06ada2ccc Merge pull request #4610 from julek-wolfssl/nginx-1.21.4 
Add support for Nginx 1.21.4
 2021-12-01 22:27:12 +10:00
Juliusz Sosinowicz
aac1b406df Add support for Nginx 1.21.4 
- Add KEYGEN to Nginx config
- Check for name length in `wolfSSL_X509_get_subject_name`
- Refactor `wolfSSL_CONF_cmd`
- Implement `wolfSSL_CONF_cmd_value_type`
- Don't forecfully overwrite side
- `issuerName` should be `NULL` since the name is empty
 2021-12-01 09:49:52 +01:00
Daniel Pouzzner
3f65916f3a HAVE_EX_DATA: fix wolfssl/ssl.h and tests/api.c to build -DHAVE_EX_DATA but -UOPENSSL_EXTRA. 2021-11-30 23:39:16 -06:00
JacobBarthelmeh
b69a1c860c Merge pull request #3996 from cconlon/pkcs7_detachedhash 
adjust PKCS7_VerifySignedData to correctly verify precomputed content hash with detached signature
 2021-11-30 12:46:46 -08:00
David Garske
7524ededd3 Support for Custom OID in subject and CSR request extension: 
* Adds new build option `WOLFSSL_CUSTOM_OID` for supplying a custom OID in a CSR
* Fixes in ASN template CSR generation.
* Fix to allow calling `wc_Ed25519PublicKeyToDer` and `wc_Ed448PublicKeyToDer` with NULL output buffer to get length only.
* Refactor of the certificate subject name encoding.
* Refactor of the OID's to consolidate.
* Improvements to the Domain Component API unit test.
ZD 12943
 2021-11-23 09:51:13 -08:00
Juliusz Sosinowicz
1d7b2de074 Code review changes 2021-11-22 11:48:31 +01:00
Juliusz Sosinowicz
3da810cb1b Implement OpenSSL API's 
- `OBJ_DUP`
- `i2d_PKCS7`
- `BN_rshift1
- `BN_rshift` testing
- Add `--enable-krb`
 2021-11-22 11:47:58 +01:00
Juliusz Sosinowicz
e7c5f137be Implement BN_rand_range 2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz
ccbe184434 Implement CTS 
Ciphertext stealing on top of CBC is implemented with `wolfSSL_CRYPTO_cts128_encrypt` and `wolfSSL_CRYPTO_cts128_decrypt` APIs
 2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz
fa662c2ab1 AES_cbc_encrypt enc parameter flipped. 1 = encrypt 0 = decrypt 
This change makes the `enc` parameter of `AES_cbc_encrypt` consistent with OpenSSL. This commit flips the meaning of this parameter now.
 2021-11-22 11:45:27 +01:00
Chris Conlon
c3500fa24e Merge pull request #4581 from miyazakh/max_earlydata 
add get_max_eraly_data
 2021-11-19 09:42:01 -07:00
Sean Parkinson
5a72fee3df Disable algorithms: fixes 
WOLFSSL_PUBLIC_MP and disable algorithms didn't work because of api.c.
 - mp_cond_copy not available unless ECC compiled in
 - wc_export_int not available unless ECC compiled in
Enabling only DH and using SP with SP Math didn't work as the DH
parameters were too small.
sp_cmp is needed when only DH.
mp_set_int is was not available in SP math when RSA is not defined.
mp_set is close enough for the use cases.
Configure with SP and SP math but not RSA, DH and ECC didn't configure -
now default to small maths.
 2021-11-19 16:56:33 +10:00
David Garske
2841b5c93b Merge pull request #3010 from kaleb-himes/ZD10203 
Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA
 2021-11-18 14:47:25 -08:00
Hideki Miyazaki
7da0d524ff add get_max_eraly_data 
support set/get_max_eraly_data compatibility layer
 2021-11-18 09:07:32 +09:00
Masashi Honma
4800db1f9d Enable max/min int test even when non 64bit platform 
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
 2021-11-18 06:58:21 +09:00
Juliusz Sosinowicz
361975abbc Refactor sk_*_free functions 
Use a single `wolfSSL_sk_pop_free` and `wolfSSL_sk_free` function that free's the stack and optionally free's the node content as well.
 2021-11-12 13:55:37 +01:00
kaleb-himes
6547bcb44c Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA 2021-11-11 17:47:17 -07:00
David Garske
bd0f6736c5 Merge pull request #4513 from masap/wpa_sup_dpp 
Fix X509_PUBKEY_set() to show correct algorithm and parameters
 2021-11-09 10:26:59 -08:00
Daniel Pouzzner
0b4f34d62a typographic cleanup: fix whitespace, remove unneeded UTF-8, convert C++ comment constructs to C. 2021-11-08 17:35:05 -06:00
Masashi Honma
ee39fd079f Fix X509_PUBKEY_set() to show correct algorithm and parameters 
When build with OpenSSL, trailing program outputs these messages.

algorithm: id-ecPublicKey
parameters: prime256v1

But with wolfSSL, X509_PUBKEY_get0_param() fails.
This patch fixes wolfSSL to display the same values as OpenSSL.

This program was extracted from wpa_supplicant in order to reproduce the
issue.

----------------
int main(void)
{
    EVP_PKEY *pkey;
    X509_PUBKEY *pub = NULL;
    ASN1_OBJECT *ppkalg, *poid;
    const ASN1_OBJECT *pa_oid;
    const uint8_t *pk;
    int ppklen, ptype;
    X509_ALGOR *pa;
    void *pval;
    char buf[100];
    const uint8_t data[] = {
        0x30, 0x39, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
        0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x22, 0x00, 0x03, 0x33, 0x6d, 0xb4, 0xe9, 0xab,
        0xf1, 0x1c, 0x96, 0x87, 0x5e, 0x02, 0xcc, 0x92, 0xaf, 0xf6, 0xe1, 0xed, 0x2b, 0xb2, 0xb7, 0xcc,
        0x3f, 0xd2, 0xb5, 0x4e, 0x6f, 0x20, 0xc7, 0xea, 0x2f, 0x3f, 0x42
    };
    size_t data_len = sizeof(data);
    const uint8_t *p;
    int res;

    p = data;
    pkey = d2i_PUBKEY(NULL, &p, data_len);
    if (!pkey) {
        fprintf(stderr, "d2i_PUBKEY() failed\n");
        return -1;
    }

    if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
        fprintf(stderr, "invalid type\n");
        EVP_PKEY_free(pkey);
        return -1;
    }

    res = X509_PUBKEY_set(&pub, pkey);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_set() failed\n");
        return -1;
    }

    res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_get0_param() failed\n");
        return -1;
    }
    res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "algorithm: %s\n", buf);

    X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
    if (ptype != V_ASN1_OBJECT) {
        fprintf(stderr, "X509_ALGOR_get0() failed\n");
        return -1;
    }
    poid = pval;
    res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "parameters: %s\n", buf);

    X509_PUBKEY_free(pub);
    EVP_PKEY_free(pkey);
    return 0;
}

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
 2021-11-09 07:30:58 +09:00
David Garske
478f57b347 Merge pull request #4535 from kareem-wolfssl/zd13165 
Fix building with NO_ECC_KEY_EXPORT.
 2021-11-08 11:11:53 -08:00
David Garske
4fe17cc143 Merge pull request #4527 from julek-wolfssl/zd13097 
Fix a heap buffer overflow with mismatched PEM structure ZD13097
 2021-11-05 08:50:28 -07:00
Chris Conlon
ae84a2a326 Merge pull request #4293 from TakayukiMatsuo/set_min_proto 
Add support for value zero as version parameter for SSL_CTX_set_min/max_proto_version
 2021-11-04 14:59:34 -06:00
Juliusz Sosinowicz
1faa9e66b6 Check wolfSSL_BIO_read return 2021-11-04 15:34:33 +01:00
Kareem
60a86157c7 Fix building with NO_ECC_KEY_EXPORT. 2021-11-03 16:03:26 -07:00
Juliusz Sosinowicz
23487a4532 Fix a heap buffer overflow with mismatched PEM structure ZD13097 2021-11-02 11:31:22 +01:00