A k with more bits than in order doesn't work in ECC scalar
multiplication.
Check private key length in wc_ecc_check_key()
Check private key length in ecc_make_pub_ex()
Commit 6467de5 added some timing resistance to ECC shared secret
agreement. It involved adding an RNG object to the ecc keys so
a random z value can be added to the mix. The older FIPS release
has ECC outside the boundary, so it uses the new ECC code. FIPSv2
has ECC inside the boundary, but all the TLS code checks for that
version of FIPS and leaves out the calls to the new functions as
it is using an older version of ecc.c. FIPS Ready uses the latest
version of ecc.c but compiles as FIPSv2. So, the code outside of
the crypto layer is treating ECC as FIPSv2 and not calling the new
functions, but the crypto layer assumes the RNG should be present,
and errs out on testing.
1. Added a separate option for FIPS Ready to the enable-fips
configure option. `--enable-fips=ready`. It will treat FIPS
Ready as the next kind of FIPS release. FIPS Ready will be
treated like FIPS v3 in the build.
2. Changed the C preprocessor checks for FIPS version 2 to be
checks for not version 2, with respect to ECC Timing Resistance
and FIPS builds.
1. Update the usual versions.
2. Update README and ChangeLog.
3. Modify genecc and renewcerts to update two certificate files that had expired.
4. Update the expired certificate files.
Added TLS 1.3 testing.
Added Ed25519 and Ed448 testing.
Added tesitng of OpenSSL client against wolfSSL server.
Fixed builds of Curve25519/Curve448/Ed25519/Ed448 in different
configurations.
An RNG is required for shared secret calculation now.
Use wc_ecc_set_rng() to set an RNG against the ECC object.
ECC verification does not need timing resistance and does not randomize
z ordinates.
When testing wc_ecc_import_raw(), the mp_int's in the ecc object are
initialized.
For small math, this throws away the allocated buffer.
Must free the object before importing.
Need to include options.h in assembly now.
bufPt declared in block but not outside.
poly1305_block and poly1305_blocks need prototype - declaration in
wolfcrypt/src/port/arm/armv8-poly1305.c (__arch64__ only).
Fix SkipInt() to work with DSA.
Fix protection around SetBitString16Bit() - when WOLFSSL_CERT_GEN and
WOLFSSL_CERT_EXT defined is only use.
WOLFSSL_RSA_VERIFY_ONLY and PSS means testing of PSS won't work.
Fix g++ build around ASN1_SEQUENCE - const variable required to be
initialized.
1. Check that the cipher suite size is even when doing the Client
Hello message.
2. Check that the cipher suite size is a multiple of three when doing
the Old Client Hello message.
3. Check that the hash/signature algorithm list size is even when
processing the extensions.
* Build wolfSSL as a library and builds all examples / tests.
* Added instructions in the INSTALL file.
* Fix for evp.c when being included directly due to improperly placed `WOLFSSL_EVP_INCLUDED`.
Parses the extension but does not use the information.
TLSX code change to ensure that the OCSP Status V2 extension is not
written out in EncryptedExtension, CertificateRequest nor Certificate
messages.
2. Fix memory leak in example server test.
3. Use verify callback on certificates to allow callback to fail
them.
4. Restore the forced failure test cases.
5. Make the verify action thread local.
Fix bug in ChaCha20 assembly code (was writing one byte too many).
Fix the assembly code to have APPLE format.
Change Poly1305 inline assembly as requested by compiler.
Initialize variables that will be set anyway - compiler complaint.
Change to use the assembly code files for Curve25519 and SHA-512.
Ed25519 not suported with ARM assembly.
Change the example client to use select instead of sleep.
If building for the standalone client, it will wait 1 second.
If built for no main driver, it'll wait 10ms rather than 1 second.
* Added TLS v1.3 sniffer support using static ephemeral key.
* Add support for using a static ephemeral DH and ECC keys with TLS v1.3 using `WOLFSSL_STATIC_EPHEMERAL`.
* Adds new API's `wolfSSL_CTX_set_ephemeral_key` and `wolfSSL_set_ephemeral_key`.
* Expanded TLS extension support in sniffer.
* Refactor of the handshake hashing code.
* Added parameter checking to the TLS v1.3 key derivations (protects use of "DoTls13Finished" if handshake resources have been free'd).
* Added support for loading DH keys via `wc_DhImportKeyPair` and `wc_DhExportKeyPair`, enabled with `WOLFSSL_DH_EXTRA`.
* Added sniffer documentation `sslSniffer/README.md`.
- `SendFinished` resetting`dtls_expected_peer_handshake_number` should depend on side and if we are resuming a connection
- No need to do a cookie exchange on session resumption
- Hash of fragmented certificate was not calculated as a single message and instead we were hashing individual fragments which produced the wrong digest, shared secret, etc...
- Reset handshake number after server Finished packet is sent or received (depending on side)
- Reserve space in buffer for cipher stuff
- Take `DTLS_RECORD_EXTRA` and `DTLS_HANDSHAKE_EXTRA` into size and offset calculations for DTLS path
- Fix renegotiation in DTLS with AES128-SHA
- Fix renegotiation in DTLS with AES-GCM
- Support HelloVerify request during secure renegotiation
- Save renegotiation handshake messages for retransmission in timeout
- Handle cipher parameters from different epochs. DTLS may need to resend and receive messages from previous epochs so handling different sets of encryption and decryption parameters is crucial.
* Updated example to add support for CMSIS v2 and static memory.
* Improved example to support more build options.
* Added support for detecting Cube HAL and including `wolfSSL.wolfSSL_conf.h`.
* AES CBC:
- Do all blocks, not just one at a time.
* AES GCM:
- Use local stack for authentication header if < block size.
- Use hardware GHASH for all authentication header sizes.
Tested with STM32F437II (old/new Cube HAL/StdPeriLib), STM32F777ZI (CubeMX) and STM32L4A6ZG (CubeMX).
Define: WOLFSSL_ASN_INT_LEAD_0_ANY
Allows positive integers to have a leading 0 byte.
DER/BER encoding specifies that leding 0 only on negative numbers
(highest bit of first octet set).
SetIndividualInternal should not do mp_init on mpi since it should have been zero'ed during allocation and if it isn't zero'ed then it must mean that memory has already been allocated to it
- Add X509_get0_notBefore and X509_get0_notAfter
- Implement EVP_PKEY_get0_DSA and DSA_bits
- OpenSSL_version now prints "wolfSSL $VERSION"
- Remove define guards in `wolfSSL_internal_get_version` as all protocols are defined regardless in `wolfssl/internal.h`and this function just returns the string description of the protocol
1. The openssl interop test script should check that it should run before
doing anything else.
2. The process to create a random port number was using a non-portable
option to the head command. Changed to use the od tool reading from
/dev/random.
3. Ran into a sed that doesn't use the -i option, so changed it to cp its
own bak file and sed from that.
This commit adds the configure option `--enable-ip-alt-name` that enables support for the IP alternative subject name parsing in `wolfcrypt/src/asn.c:DecodeAltNames`.
Must have SupportedVersions at start of list for Cookie to be
constructed correctly.
Application can set the key share extension before handshake and
SupportedVersions will be added after. Extensions written in order of
adding to list.
Prepend SupportedVersions so that it will always appear in the correct
place so when reconstructing HelloRetryRequest, the extensions will
always be in the same order.
- Tag checking in AES-GCM is done in Final call
- Reset `WOLFSSL_EVP_CIPHER_CTX` structure after Final call
- Don't zero `ctx->authTag` struct in Init call so that user can get the AES-GCM tag using `EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AES_BLOCK_SIZE, tag)`
- `ctx->authTag` is only zeroed before authenticated, non-confidential data Update call since this means we are entering a new Udate-Final cycle. This doesn't need to be done in the decrypt case since the tag should be supplied by the user before the final call using `EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, AES_BLOCK_SIZE, tag)`
* Refactor the PEM saving code in `test.c`, so its not using large 4K buffer and calculates based on DER.
* Enable ECC key generation test even without `WOLFSSL_KEY_GEN`.
* Added `ECC_KEYGEN_SIZE` macro for ECC key generation testing.
* Refactor ECC DER key generation to use `ECC_BUFSIZE`.
1. In `wolfSSL_d2i_DHparams()`, when setting the internal key on a
WOLFSSL_KEY, set the flag inSet.
2. Not a leak, but in `wolfSSL_EVP_PKEY_set1_DH()`, only allocate one
buffer to store the flat key. Saves an alloc, memcpy, and free.
- make `wc_ecc_export_point_der_compressed` a local function
- use `int` for `shortKeySize` in `wc_ecc_import_point_der_ex`
- check for null return value from `wolfSSL_OBJ_nid2obj` and `wolfSSL_d2i_PUBKEY`
- add comments to `ssl.c`
- check `lnlen` in `wolfSSL_OBJ_ln2nid`
- Add `parameter` to `WOLFSSL_X509_ALGOR`
- Implement `wolfSSL_ASN1_TYPE_new`, `wolfSSL_ASN1_TYPE_free`, and `wolfSSL_ASN1_TYPE_set`
- Fix leak where `pval` in `wolfSSL_X509_ALGOR_set0` was lost if `aobj` was provided
- Don't include `ENABLED_OPENSSLALL` with `ENABLED_WPAS`
- Return length in `wolfSSL_i2d_DHparams`
- Implement `wolfSSL_EC_POINT_mul` with independent multiplication and addition if `ECC_SHAMIR` not defined
- Implment `ASN1_SIMPLE` without `offsetof` by using a dummy struct
- Style fixes
- Moved `SetECKeyInternal` and `SetECKeyExternal` to `internal.h` to allow usage outside of `ssl.c`
- Added `asn1t.h`
- Implemented the `IMPLEMENT_ASN1_FUNCTIONS` macro for a small subset of ASN1 tags
-- So far only `X509_ALGOR` and `ASN1_BIT_STRING` are supported
- Implemented `BN_mod_add` function
- Allow for setting of `EC_KEY` export form through EC_KEY_set_conv_form
- Implemented `i2o_ECPublicKey`
- Implemented `EC_POINT_copy`
- Implemented deriving DH and ECDH keys in `EVP_PKEY_CTX`. Functions added:
-- `EVP_PKEY_derive_init`
-- `EVP_PKEY_derive_set_peer`
-- `EVP_PKEY_derive`
- Implemented `EVP_PKEY_get0_DH`
- Implemented `X509_ALGOR_new`
- Implemented `X509_ALGOR_free`
- Implemented `X509_ALGOR_set0`
- Implemented `X509_PUBKEY_new`
- Implemented `X509_PUBKEY_free`
- Implemented `X509_PUBKEY_set`
- Implemented `RSA_padding_add_PKCS1_PSS`
- Implemented `RSA_verify_PKCS1_PSS`
- Changed second parameter of `wolfSSL_d2i_PUBKEY` to be constant
- Corrected long names in `asn.h`
- Added `wc_ecc_get_generator` as a way to get the generator point of a curve
- Added `wc_ecc_export_point_der_ex` to export an ECC point in compressed or uncompressed format with one API
- Added `wc_ecc_export_point_der_compressed` to export a point in an `ecc_point` structure in compressed DER format
- Added 'wc_RsaSSL_Verify_ex` which adds the option to choose a padding type
- Added `wc_RsaPad_ex` and `wc_RsaUnPad_ex` to `rsa.h` as `WOLFSSL_LOCAL` functions
- `CopyDecodedToX509` now fills `x509->key` and `x509->algor` when populating x509
- `wolfSSL_EVP_CipherInit` now uses `wc_AesGcmSetExtIV` to set the IV so that it is copied to `ctx->iv` by `wolfSSL_StoreExternalIV`
- Added error checking to `wolfSSL_EVP_PKEY_get_der`
- `wolfSSL_X509_ALGOR_get0` now attempts to return something in all parameters
- Refactored `wolfSSL_EC_KEY_new` to use `*_new` functions when available
- Added `setupPoint` to set the internal point if not yet set
- Always set external point in `wolfSSL_ECPoint_d2i`
- Added compressed point support to `wolfSSL_EC_POINT_point2oct`
- Fix `wolfSSL_EC_POINT_mul` so that it will calculate the full `generator * n + q * m` then OpenSSL does
- Added `WOLFSSL_RSA_GetRNG` helper function to get a `WC_RNG` from `WOLFSSL_RSA`
- Correct short names in `wolfssl_object_info`
- Added all currently supported curves to `wolfssl_object_info`
- Added `oidCurveType` to `oid2nid`
- Add more padding types to `wolfSSL_RSA_public_decrypt`
- Fix `keysize` in `wc_ecc_import_point_der`
- Added tests for new additions
Added PRIVATE_D version of rsa private key operation for SP
implementation for specific platforms.
WC_NO_RNG results in warnings when RNG calls don't do anything.
Added ifdef checks for variables not used otherwise.
Remove superfluous if statements like when checking ret == 0.
Change names of globals that are generic and are used locally before
global definition.
Remove definition of variable len that isn't used except as a
replacement for sz which is parameter.
Don't subtract two variables when one has just been assigned the value
of the other.
Fix shifting of signed value.
Fix parameter checking in aes.c and des3.c for platform specific code.
* Fix to expose `wc_ecc_import_private_key_ex` and its ability to import a private key even when `NO_ASN` is defined.
* Remove execute bit on CSharp files.
Have a constant and non-constant time modular exponentation available in
tfm.c.
Call the non-constant time version explicitly when performing RSA public
key mod exp.
The warning was "comparison of array 'ecc_sets[i].name' not equal to a null
pointer is always true [-Wtautological-pointer-compare]"
Compiler is correct, ecc_sets[i].name is an array of size 16, thus
can't be NULL
Also, fix build error on Windows by changing uint8_t to "unsigned char"
(alternative fix could be including stdint.h)
Old gcc compilers can keep track of the 128-bit multiplication and left
shift results' size.
Split all multiplication and left shift results into separate variables.
Add/subtract into the correct variable at end.
Don't want variable declarations after statements so reduce doesn't use
'tr' anymore.
1. wc_HmacSetKey() has a check against the hmac's type that assumes one
has called wc_HmacInit() on the object first. In FIPS Ready builds we
do not have wc_HmacInit() in the boundary. This change removes that check
and action when making a FIPS build. The free called doesn't do anything
in the FIPS build case.
2. Initialize the Hmac's macType to WC_HASH_TYPE_NONE. Check the macType
against that rather than 0. There are some build configs where none isn't
0.
An endpoint's retransmit pool was being reset when receiving its peer's
change cipher spec message. When the finished message was lost, and
retransmits need to happen, they weren't available, so nothing happened.
Moved the reset to the finished case rather than CCS.
Check the top half of number being divided to see if it is greater than
or equal.
If it is then the first div_word may crash as the result is more than
64-bits. So subtract modulus from the top to keep value small.
Check for HAVE_GETADDRINFO beside WOLF_C99
Move STR_SIZEOF to wolfssl/wolfcrypt/types.h and rename to XSTR_SIZEOF to prevent collision in client projects
Remove wolfssl/openssl/ssl.h and wolfssl/internal.h from crypto layer
define EVP_CIPHER_CTX_set_iv as wolfSSL_EVP_CIPHER_CTX_set_iv
add wolfSSL_GetLoggingCb functionality when compiling without enable-debug
fix initialization vector handling of all cipher modes when using our EVP layer. The IV was incorrectly handled in initialization as well as not being updated after processing
- increase FP_MAX_BITS for OpenSSH
- Add helpful loggin API (names are self-explanatory)
-- wolfSSL_GetLoggingCb
-- WOLFSSL_IS_DEBUG_ON
- Define WOLFSSL_EC_METHOD as an alias of WOLFSSL_EC_GROUP
- Add wolfSSL_EC_GROUP_method_of which really just returns the group itself
- Add wolfSSL_EC_METHOD_get_field_type which gets the curve type of the WOLFSSL_EC_GROUP(remember that WOLFSSL_EC_METHOD is an alias of WOLFSSL_EC_GROUP for now)
- Modify Base64_Decode so that it accepts arbitrary PEM line length
- Modify PemToDer so that it accepts private keys with a custom -----BEGIN * PRIVATE KEY----- header
Add EC_POINT conversion to BIGNUM (EC_POINT_point2bn)
Add setting affine coordinates for EC_POINT (EC_POINT_set_affine_coordinates_GFp)
Add bit clearing for BIGNUM (BN_clear_bit)
Add supporting unit tests in api.c
* Fix for ECC and using NULL curve->order (wasn't loaded).
* Fix for typo on heap.
* Fix for QT case where GetInt failure retry did not "init" the mp_int.
1. Add C_EXTRA_FLAGS and C_FLAGS to CFLAGS.
2. Remove the cached copied of C_EXTRA_FLAGS and C_FLAGS.
3. The option.h is set only on CFLAGS, CPPFLAGS, and the AM_ versions.
1. Add a test for the new alt name handling.
2. Added an API to set altnames in a WOLFSSL_X509 struct. Just adds
DNS_entries.
3. Removed the "static" from a bunch of constant byte arrays used inside
some of the ASN.1 code.
1. Fix for issue #2724. When making a certificate out of an X.509
structure, the subject alt names weren't getting correctly copied.
2. Added a function to flatten the DNS_entries into a sequence of
GeneralNames.
3. Put the proper certificate extension wrapping around the flattened
general names.
1. Fix for issue #2718. Added a flag to the X509 structure when someone
sets the issuer name.
2. When making a certificate out of the X509, if the issuer name is set
clear the self-signed flag in the cert.
3. Propigate the flat X509_NAMEs to the string the cert building code
uses.
* Provides a context for AEAD to allow "chunked" updates of data then a final calculation for the authentication tag.
* New API's are on by default and can be disabled using NO_CHACHAPOLY_AEAD_IUF.
1. Found a corner case where secure renegotiation would fail trying to
inappropriately use a session ticket.
2. Explicitly split renegotiation into Rehandshake and SecureResume.
build dps with ARM neon 64
fix for release mode build
add in threading protection and seperate out rng
added callback function and updates to README
update default handle to lock, and add finished handle call
cleanup after veiwing diff of changes
1. Client wasn't skipping a handshake state when the server sends a
hello without a hello verify. It ended up resetting the handshake hash
and resending Hello with its next messages.
Fix for case:
- can't find a signer for a certificate with the AKID
- find it by name
Has to error as the signer's SKID is always set for signer and would
have matched the AKID.
Simplify the path length code - don't look up CA twice.
Don't require the tsip_encRsaKeyIdx field in DecodedCert when
!WOLFSSL_RENESAS_TSIP - use local variable.
* Fix for key gen macro name in benchmark.c
* Fix for possible RSA fall-through warning.
* Fix for building `WOLFSSL_STM32_PKA` without `HAVE_ECC`.
* Added option to build RSA keygen without the DER to PEM using `WOLFSSL_NO_DER_TO_PEM`.
* Added options.h includes for test.c and benchmark.c.
* Added printf warning on the math size mismatch in test.c.
* Added support for benchmarking larger sizes.
* TLS benchmarks for HiFive unleashed.
RFC 5280, Section 4.1.2.6:
If the subject is a CA (e.g., the basic constraints extension, as
discussed in Section 4.2.1.9, is present and the value of cA is TRUE),
then the subject field MUST be populated with a non-empty distinguished
name matching the contents of the issuer field (Section 4.1.2.4) in all
certificates issued by the subject CA.
The subject name must match - even when the AKID matches.
Cap the incoming DTLS handshake messages size the same way we do for
TLS. If handshake messages claim to be larger than the largest allowed
certificate message, we error out.
1. Add parsing of CRL extensions, specifically the Auth Key ID extension.
2. To verify CRL, search for CA signer by AuthKeyId first, then by name. If NO_SKID is set, just use name.
3. Update the ctaocrypt settings.h for the NO_SKID option with CRL so FIPS builds work.
1. Remove some redundant AM_CONDITIONAL macros checking for OCSP and CRL.
2. Moved the AM_CONDITIONAL macro setting BUILD_PKCS12 to the other AM_CONDITIONALS.
1. One of the error string was >80 bytes long. Shortened it.
2. The function that copies an error string to an output array needs to
ensure the string is still null terminated.
3. Added a check to the wolfCrypt test to see that error strings aren't
>= 80 bytes long.
1. Fix some preprocessor flag checking for function EncodePolicyOID. It
also needs to be available for OpenSSL Compatibility.
2. Fix for a name string for a test that can get left in or out
incorrectly.
When building with `WOLFSSL_ALT_CERT_CHAINS` a peer's presented CA could be incorrectly added to the certificate manager, marking it as trusted.
Began in PR #1934
ZD 9626
Handle prime (modulus) of 0 and 1.
Handle exponent of 0.
Fix for base of 0 in fp_exptmod and hadnle base of 0 in mp_exptmod.
fp_exptmod - Don't modify X's sign during operation when passed in as negative.
Value to invert: a
Modulus: b
integer.c - normal math
- a is one, or a mod b is one
tfm.c - fast math
- b is -ve (error), or b is zero
- a is zero or a mod b is zero
1. Undo an earlier change with respect to parsing a long length with
length zero. If BerToDer is disabled, this will be treated as a zero
length. With BerToDer enabled, the conversion will do the right thing.
1. Remove the function Word32ToString and replace with calls to
XSNPRINTF().
2. Simplify DecodePolicyOID(), which converts an ASN.1 OID to a text
string in the form a.b.ccccc.d... Return an error if it gets too long.
If the top bit is set then the encoding routine will drop a byte of the
serial number.
Better to ensure number is positive, top bit clear, and use as much of
the serial number data as possible.
1. Prime test should return NO for 1. (ex function, normal math and fast
math)
2. Call mp_init() on the k value for the primality test case in the
wolfCrypt test.
1. Added a test case for checking "1" as a prime number to the wolfCrypt
test.
2. Allow the wolfCrypt prime test for SP builds.
3. Modify the prime test to use mp_mul rather than mp_mul_d, as the SP
math library doesn't export sp_mul_d.
1. Updated the window scrolling. There was a couple off-by-one errors in
the DTLS window handling. They canceled each other out, but there was a
rare case where they would shift too much.
When encrypting with AES-GCM, AES-CCM, or PolyChacha, do not increment
the DTLS sequence number. The sequence number should only be incremented
in BuildMessage. This was done because the sequence number used to be
incremented after calculating the HMAC or after the encrypt for AEAD
ciphers. The HMAC has been separated from the sequence increment.
1. Check array index bounds before using them in arrays.
2. When processing an HTTP buffer, check that the new buffer size is
valid before allocating a new one.
1. When getting the DH public key, initialize the P, G, and Pub pointers
to NULL, then set that we own the DH parameters flag. This allows
FreeSSL to correctly clean up the DH key.
1. For OCTEON builds, leave out the "-DCVMX_BUILD_FOR_LINUX_HOST" option
from CFLAGS by default so it makes standalone host builds.
2. Add a check of the variable OCTEON_HOST for linux to add back in the
"-DCVMX_BUILD_FOR_LINUX_HOST" to CFLAGS.
In verify, two points are added and they may either be the same point
(different z) or result in infinity.
If they are the same point then a double needs to be performed instead.
Detection of infinity added.
Calculation of wc_ecc_sig_size fixed to handle wehn there are more bits
in the order than in the modulus.
* Fixed `set1_curves_list` API's to use `const char*` for names.
* Fixed `ossl_typ.h` to include `ssl.h` compatibility.
* Added `SSL_CTX_up_ref`.
* Added `wolfSSL_set1_curves_list`
* Added `TLS_method` and `DTLS_method`
* Added `SSL_CIPHER_standard_name`.
* Added `X509_STORE_CTX_get0_cert`
* Added `SSL_CTX_set_cert_verify_callback`.
* Enabled "either" side support when `--enable-opensslall` is used.
* Changed `SSL_CIPHER_get_rfc_name` to use `wolfSSL_CIPHER_get_name` instead of stub.
* Reduced codesize when building with `OPENSSL_EXTRA_X509_SMALL`.
* Additional argument checks in `wolfSSL_ASN1_BIT_STRING_set_bit`, `wolfSSL_ASN1_STRING_to_UTF8`, `wolfSSL_RSA_meth_new`, `wolfSSL_RSA_meth_set`.
* Fix for compiler warnings in asn.c using strncmp to duplicate string. "specified bound depends on the length of the source argument"
Add ABI tags to the functions wolfSSL_Cleanup() to match wolfSSL_Init(),
wolfSSL_X509_free to match wolfSSL_load_certificate_file() which
allocates memory.
1. Add a blank #define WOLFSSL_ABI to tag functions as part of the ABI
to remind developers there are rules about those functions specifically.
2. Added allocators and deallocators for WC_RNG objects and ecc_key
objects so they don't have to be used on the stack.
3. Add tests for the new allocators.
Only set the name string in one place, keeping a length of the name type
to copy. Also only move cert data index once.
Reset certificate extension policy number/count in case of malicious
cert with multiple policy extensions.
1. When retaining the handshake resources for a session using resumption, do not delete the peer's certificate. If keeping peer certificates is enabled, the certificate needs to exist so it may be examined.
2. Free the saved peer certificate when receiving a peer certificate during a renegotiation.
Salt length larger than the hash size allowed in RSA-PSS.
Passing -2 to PSS pad function uses maximum salt length.
Passing -2 to PSS un-pad function makes it discover salt length.
For the sync QAT, the QAT headers are included into the library after it
has been built and is being used. The actual headers should only be used
when building wolfSSL and should be hidden from the user.
1. Most of the functions in the sync QAT and OCTEON headers don't need
to be exported. Move all of that into the source files. Only export the
init and deinit functions.
2. Remove inline from the OCTEON support functions.
3. Remove the AES-ECB files for sync OCTEON as unused.
4. Configure defaults to OCTEON2 build, can be overridden with variable.
1. Switched the IntelQa sync API back to local.
2. Added two functions to setup and cleanup the IntelQA device.
3. Changed the Octeon functions to match the IntelQa functions.
4. Updated sniffer, wolfcryptest, and benchmark.
Added back some changes from a dropped commit.
1. The Octeon README should be a stub.
2. Changed the license notice in the octeon sync files back to GPLv2.
3. Added a flag to Aes that needed a build guard around it.
4. Replaced the disable for sniffer session stats.
1. The QAT callback's worker functions need to copy the IV into the AES IV register. QAT doesn't update it automatically.
2. Update the GMAC test to set its device to INVALID_DEVID.
3. Always allocate NUMA buffers before running crypto operation and store the results.
4. The QAT does not like non-multiple of 4 iv lenths, and aad lengths. Or 0. Remove a few test cases for those.
5. QAT wasn't getting a pointer to store the auth tag for GCM. Then store it.
1. Add configure option for sync IntelQA that uses the crypto callback API.
2. Make a synchonous copy of the quickassist files.
3. Tie in the crypto device to the sniffer.
4. When making a sniffer build, define static DH enabled.
5. The readme files in the Cavium were being added to the distro optionally, changed to always add the readme files.
6. Added an include of the cavium_octeon header in the wc_ports.c.
7. Updated the Cavium OCTEON callback for AES-GCM.
8. Add the global tag to the list of crypto callback function pointers.
9. Add an accessor to the OCTEON crypto callback module to return the device ID of the OCTEON device.
10. Add a new version of ssl_SetWatchKeyCallback which takes an additional parameter of a device ID. This ID is used to set up the wolfSSL_CTXs in the sniffer session trackers.
11. Update the benchmark to use sync OCTEON and QAT.
1. Add --enable-libwebsockets option
2. Add OPENSSL_NO_EC (used in libwebsockets)
3. Add SSL_MODE_RELEASE_BUFFERS and debug message for when wolfSSL_CTX_set_mode doesn't recognize a mode.
There was a problem with the combination of DTLS, OpenSSL Compatibility,
and FIPSv2 where the DTLS server would fail out because a HMAC key was
too short. FIPS requires a HMAC key be a minimum size. The DTLS server
uses HMAC to generate the first cookie key when initialized. When using
OpenSSL, the feature for creating a DTLS endpoint with its side being
set late is tested. The DTLS cookie wasn't getting set at init because
the server was "neither" at the time. Added a call to set cookie when
initializing a neither endpoint into a server.
1. Better length checking on the IPv6 extension headers.
2. Removed the default size update analogous to the IPv4 header check
function. It cannot ever be 0, so the update was unnecessary.
Fix failing jenkins test cases
Add detection for file size with static memory
Account for cert without pathLen constraint set including test cases
Resolve OCSP case and test where cert->pathLen expected to be NULL
end of packet pointer. The end of packet pointer is based on sslFrame
and sslBytes. sslBytes is calculated from the total length in the IP
header, rather than the caplen. The caplen may include things like
Ethernet's FCS, which throws packet processing off.
1. Fixed an issue when a TLS record is split across two chain buffers.
The second buffer was being treated as a new record.
2. Fixed an issue with STARTTLS_ALLOWED where the input buffer isn't
getting cleared and the skipped data just builds up blocking TLS
records.
Added a callback and support to allow one to handle storing the data
directly without reallocating the data buffer. Also added an example
that uses this callback if the callback is enabled in the build.
1. Added a new build option for a TITAN session cache that can hold just over 2 million session entires.
2. Reordered the cache options from largest to smallest.
1. Add configure option for sync IntelQA that uses the crypto callback API.
2. Refactor the IntelQA configure checks so they are usable by both the sync and async options.
3. Make a synchonous copy of the quickassist files.
4. Replace the printfs in the code with a logging macro.
5. Added padding to the AES_KEY structure for WOLF_CRYPTO_CB.
6. Tie in the crypto device to the sniffer.
7. When setting up the symmetric operation, add a build case for the sniffer to use malloc instead of realloc. Sniffer usually uses the middle of another buffer for the input data rather than the beginning of the buffer as it has the TCP/IP data to handle as well.
8. Add the raw key to the DES3 structure.
9. Copy the functions from qa_mem over to qa_sync.
Various fixes for uninitialized variable use.
sniffer.c: close file when seek fails
tls.c: fix QSH_GET_SIZE macro
wolfio.c: uIPGenerateCookie: use the parameter, _ctx, instead of self
referencing.
wolfssl_adds.c: check for equivalent to XBADFILE to indicate error.
SP: change right shift of signed value to unsigned
sp_int.h: define 128-bit types
types.h: change a XMALLOC define to not use (,,) - cppcheck doesn't like
it and is unnecessary.
* Added detection for buffer alignment to avoid memcpy.
* Added MD5 and SHA-1 support for XTRANSFORM_LEN to process blocks.
* Cleanups for consistency between algorithms and code commenting.
* Enhancement for NXP MMCAU to process more than one block at a time.
* Improved MMCAU performance: SHA-1 by 35%, SHA-256 by 20% and MD5 by 78%.
```
NXP K64 w/MMCAU after:
MD5 8 MB took 1.000 seconds, 7.910 MB/s
SHA 4 MB took 1.005 seconds, 3.644 MB/s
SHA-256 2 MB took 1.006 seconds, 2.306 MB/s
NXP K64 w/MMCAU before:
MD5 4 MB took 1.004 seconds, 4.450 MB/s
SHA 3 MB took 1.006 seconds, 2.670 MB/s
SHA-256 2 MB took 1.008 seconds, 1.913 MB/s
```
- SSL_CIPHER_get_id
- SSL_CIPHER_get_rfc_name
- SSL_get_cipher_by_value
- X509_print_ex
- X509_NAME_add_entry_by_NID
- X509_time_adj
- X509_time_adj_ex
- DTLSv1_get_timeout
- DTLSv1_handle_timeout
- DTLSv1_set_initial_timeout_duration
- SSL_CTX_set_current_time_cb
- PEM_write_bio_RSA_PUBKEY
- PEM_read_bio_RSA_PUBKEY
- PEM_write_bio_PUBKEY
- EVP_PKEY_missing_parameters
- EVP_PKEY_cmp
- BN_is_negative
- BIO_set_retry_write
* Improvements to the notBefore and notAfter date handling.
* Improvements to BIO and BIO_METHOD
- Moved structure to public area to allow for dereferencing
- Renamed members to provide compatibility.
- Added support for custom BIO methods for read/write.
* Added advanced openssl compatibility test cases for key and certificate generation.
* Fix for `ASN1_STRING_set` to allow NULL data.
* Fix to populate public key information on `EVP_PKEY_assign_RSA` and `EVP_PKEY_assign_EC_KEY`.
* Fix naming for `X509_get_notBefore` and `X509_get_notAfter` functions.
* Added `wc_EccPublicKeyDerSize`.
* Improvements to `wc_RsaPublicKeyDerSize`, so dummy memory doesn't have to be allocated.
* Made the `wc_*PublicKeyDerSize` functions public.
* Eliminate use of snprintf for UTC to generalized time conversion in `wolfSSL_ASN1_TIME_to_generalizedtime`.
* Added Apache httpd support `--enable-apachehttpd`.
* Added `SSL_CIPHER_get_version`, `BIO_new_fp`, `SSL_SESSION_print` and `SSL_in_connect_init` compatibility API's.
* Fix to expose `ASN1_UTCTIME_print` stub.
* Pulled in `wolfSSL_X509_get_ext_count` from QT.
* Added `X509_get_ext_count`, `BIO_set_callback`, `BIO_set_callback_arg` and `BIO_get_callback_arg`.
* Added `wolfSSL_ERR_print_errors`.
* Added `BIO_set_nbio` template.
* Fixes for building with Apache httpd.
* Added DH prime functions required for Apache httpd.
* Fix and move the BN DH prime macros.
* Fix for `SSL_CTX_set_tlsext_servername_arg` to have return code.
* Only add the `BN_get_rfc*_prime_*` macro's if older than 1.1.0.
* Added `ERR_GET_FUNC`, `SSL_CTX_clear_extra_chain_certs` prototypes.
* Added `wolfSSL_CTX_set_client_cert_cb` template and `OPENSSL_load_builtin_modules` stub macro.
* Added `X509_INFO` templates (`X509_INFO_new`, `X509_INFO_free`, `sk_X509_INFO_new_null`, `sk_X509_INFO_num`, `sk_X509_INFO_value`, `sk_X509_INFO_free`). Added `sk_X509_shift`.
* Added BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg
* add BIO_set_nbio, ERR_print_errors and tests
* add X509 INFO stack push function
* Add ASN1_UTCTIME_print and unit test
* Add X509_get_ext_count unit test
* initial commit of wolfSSL_PEM_X509_INFO_read_bio
* Added `sk_X509_NAME_new`, `sk_X509_NAME_push`, `sk_X509_NAME_find`, `sk_X509_NAME_set_cmp_func` and `sk_X509_NAME_free`. Grouped `sk_X509_NAME_*` functions.
* Cleanup sk X509 NAME/INFO pop free template.
* Advance openssl compatibility to v1.1.0 for Apache httpd. Added TLS version macros. Implemented sk X509 NAME/INFO pop and pop_free.
* Added `TLS_client_method` support.
* Added `SSL_get_server_tmp_key` and `EC_curve_nid2nist`.
* Added `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`. Fix for `BN_get_rfc*_prime_*` with the v1.1.0 change.
* add test cases for PEM_X509_INFO_read_bio
* Fixes for `BN_get_rfc*_prime_*` macros. Added template for `SSL_DH_set0_pqg`. Fix for `SSL_OP_NO_` to use Macro's (as is done in openssl). Added `SSL_set_verify_result`. Added stub for `OPENSSL_malloc_init`.
* Apache httpd compatibility functions. BIO setter/getters.
* implement ASN1_TIME_check and add test case
* add SSL_get_client_CA_list
* add initial implementation of wolfSSL_DH_set0_pqg
* Add apache support to OBJ_txt2nid and unit test, add stub for OBJ_create
* add X509_STORE_CTX_get1_chain, sk_free, sk_X509_dup
* Add sk_SSL_COMP_num and SSL_COMP struct
* implement and test of SSL_SESSION_print
* add SSL_CTX_set_client_cert_cb
* expand BIO_printf and add test case
* Added `OCSP_CERTID_dup`. Added `ASN1_TYPE`.
* add implementation for wolfSSL_get_server_tmp_key
* add wolfSSL_BIO_puts and test case
* Add X509_EXTENSION_get_object and X509_EXTENSION_get_data
* add helper for bio flag set and null x509 stack
* add test adn implementation for wolfSSL_i2d_PrivateKey
* Added `ASN1_OTHERNAME`, `ACCESS_DESCRIPTION` and `GENERAL_NAME`. Added `sk_ACCESS_DESCRIPTION_pop_free` and `ACCESS_DESCRIPTION_free` stubs.
* add wolfSSL_PEM_read_bio_ECPKParameters
* add BIO_vfree
* add X509_up_ref
* add X509_STORE_CTX_set_ex_data
* add _GNU_SOURCE macro and wolfSSL_EVP_read_pw_string
* add wolfSSL_EVP_PKEY_ref_up function
* X509_get_ext, X509V3_EXT_print, and d2i_DISPLAYTEXT stubs
* add X509_set_issuer_name
* add wolfSSL_sk_SSL_CIPHER_* functions and tests
* add prototype for sk_X509_EXTENSION and ACCESS_DESCRIPTION
* fix casting to avoid clang warning
* adjust test_wolfSSL_X509_STORE_CTX test case
* Added `OpenSSL_version`
* renegotiate functions and additional stack functions
* add aditional stub functions
* Add Apache httpd requirements for ALPN, CRL, Cert Gen/Req/Ext and SecRen. Fix for `sk_X509_INFO_new_null`.
* add ocsp stub functions
* Proper fix for `sk_X509_INFO_new_null`. Added templates for `X509_get_ext_by_NID` and `X509_add_ext`. Added templates for `ASN1_TIME_diff` and `ASN1_TIME_set`.
* x509 extension stack additions
* Fixed template for `OCSP_id_get0_info`.
* add X509 stub functions
* add X509_STORE_CTX_get0_store() and unit test
* Added `EVP_PKEY_CTX_new_id`, `EVP_PKEY_CTX_set_rsa_keygen_bits`, `EVP_PKEY_keygen_init`, `EVP_PKEY_keygen` and `BN_to_ASN1_INTEGER`.
* x509v3 stubs and req add extensions
* Add OBJ_txt2obj and unit test; add long name to wolfssl_object_info table for use by OBJ_* functions
* wolfSSL_set_alpn_protos implementation
* Added `EVP_SignInit_ex` and `TLS_server_method` implementation. Added stubs for `RSA_get0_key` and `i2d_OCSP_REQUEST_bio`. Fix typo on `OCSP_response_create`. Fix warning in `wolfSSL_set_alpn_protos`.
* Added `X509_EXTENSION_free` stub. Fixed a few macro typos/adding missing.
* add X509_STORE_CTX_get0_current_issuer and unit test
* add OBJ_cmp and unit test
* add RSA_get0_key and unit test
* add OCSP_check_nonce
* Implement X509_set_notAfter/notBefore/serialNumber/version,X509_STORE_CTX_set_depth,X509V3_set_ctx.
* Modify wolfSSL_X509_set_notAfter/notBefore and add tests for each.
* Add test_wolfSSL_X509_set_version w/ fixes to _set_version and fix _set_notBefore/notAfter tests
* add OCSP_id_get0_info and unit test, move WOLFSSL_ASN1_INTEGER to asn_public.h from ssl.h
* inital implementation of wolfSSL_X509_sign
* add debugging messages and set data for BIO's
* Add i2d_OCSP_REQUEST_bio.
* implementation of some WOLFSSL_BIO_METHOD custom functions
* fix for ASN time structure and remove log node
* initial eNULL support and sanity checks
* fixes after rebasing code
* adjust test cases and ASN1_TIME print
* Various fixes for memory leaks
* Apache compatibility in CTX_set_client_CA_list for X509_NAME use; add X509_NAME_dup as supporting function
* Add initial X509_STORE_load_locations stub for Apache
* Updates to X509_get_ext_d2i to return GENERAL_NAME struct instead of ASN1_OBJECT for alternative names and add supporting GENERAL_NAME functions
* Add X509_STORE_load_locations implementation; add wolfSSL_CertManagerLoadCRL_ex; initial renegotiation fixes/updates
* Fix for freeing peer cert in wolfSSL_Rehandshake instead of FreeHandShakeResources during secure renegotiation
* Add X509_ALGOR and X509_PUBKEY structs for X509_PUBKEY_get0_param and X509_get_X509_PUBKEY implementation
* Initial implementation of wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Add implementation for X509_get0_tbs_sigalg and X509_ALGOR_get0
* Add OBJ_nid2ln implementation
* Fix compile errors in tests/api.c for some build options
* Updates to X509_STORE_load_locations for non-CRL types; Add additional DETECT_CERT_TYPE enum and logic for detecting certificate type in ProcessFile
* Add X509_STORE_load_locations unit test and minor error handling fixes
* Add unit test for X509_sign
* Set correct alert type for revoked certificates; add/fix a few WOLFSSL_ENTER messages
* Add X509_ALGOR member to X509 struct; refactoring and unit tests for wolfSSL_X509_ALGOR_get0 and wolfSSL_X509_get0_tbs_sigalg
* Add X509_PUBKEY member to X509 struct; refactoring and unit tests for wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Stack fixes after rebase
* Secure renegotiation refactoring: add ACCEPT_BEGIN_RENEG to AcceptState for use in wolfSSL_SSL_in_connect_init; free old peer cert when receiving new cert to fix memory leak
* Move enc-then-mac enable option in configure.ac for apache httpd compatibility
* Simplify wolfSSL_SSL_in_connect_init logic
* Remove unneeded wolfSSL_CertManagerLoadCRL_ex
* Fixes for jenkins test failures
* SSL_get_secure_renegotiation_support for print statement in Apache
merged from private repo
removed unneccessary #include
make line as 80 characters
added simple tls server
Disable TLS-linked API use when being SERVER SIDE, still use certificate verify API
Added utility tools, generate signature arrays etc
added vars to store tsip hmac keys
fix build failure when disabling dc_printf
This allows SP to support:
- DH parameter checking
- DH parameter generation
- RSA key generation
Improved performance of sp_mod operation.
Reworked some functions to have one exit point (return statement).
Fixed sp_sub_d().
Changed tests to perform 2048-bit RSA key generation only when using SP
math.
Fixed Intel x86_64 C file to not have DH specific functions available
unless WOLFSSL_HAVE_SP_DH is defined.
Fixed tfm to return an error when t is not the correct size in
fp_isprime_ex().
Feature: Added support for testing date override at build-time using `TEST_BEFORE_DATE`.
```
./examples/server/server -H overrideDateErr -A ./certs/ca-cert.pem -k ./certs/server-key.pem -c ./certs/intermediate/server-chain.pem &
./examples/client/client -D -A ./certs/ca-cert.pem -k ./certs/client-key.pem -c ./certs/intermediate/client-chain.pem
```
ssl.c: Certificate store fields freed without being NULLed and then
freed again.
integer.c: Compiler complained that a->dp may be NULL in mp_set_bit when
setting bit.
pkcs12.c: ret is zero after GetLength and this is an error but data is
freed only when ret != 0.
pkcs7.c: derArr was not zeroized for full allocated size.
To go with the fix for the functions wolfSSL_(i2d|d2i)_SSL_SESSION,
modify the example client to use a serialized session record for
resumption instead of the direct reference into the session cache. This
change only happens when OPENSSL_EXTRA and HAVE_EXT_CACHE are defined.
Right shift of a negative value is undefined.
Add an 'int' return version of constant time greater than equal.
Change equal and not equal to be constant time in more situations.
Changes
- Don't ignore decryption errors when doing TLS 1.3 and after Client
Finished.
- Put out an alert when TLS 1.3 decryption fails.
- Properly ignore RSA pss_pss algorithms when checking for matching
cipher suite.
- Check X25519 public value before import in TLS v1.2-
- REcognise TLS 1.3 integrity-only cipher suites as not negotiable with
TLS 1.2-.
- Send decode_error alert when bad message data in CertificateVerify.
- Negotiate protocol version in TLS 1.3 using extension and keep
decision when using TLS 1.2 parsing.
- Must have a signature algorithms extension in TLS 1.3 if not doing
PSK.
- More TLS v1.3 alerts.
- MAX_PSK_ID_LEN needs to be modified at compile time for tlsfuzzer to
work.
- change the good ecc public key to be a real public key when compiled
to check imported public keys
- Fix early data in TLS 1.3
- Make max early data size able to be changed at compile time - default
4K but fuzzer sends 16K
- Fix HRR, PSK and message hashes: Don't initialize hashes in parsing
ClientHello as need to keep hash state from previous ClientHello and
HelloRetryRequest
When using the configure options '--enable-certgen --enable-certext CPPFLAGS=-DWOLFSSL_VALIDATE_ECC_IMPORT', the ecc_decode_test() will fail the "good" test case. It is using the point (1, 1) in the test, and that fails the key validation. Changed the good key to one of the keys we have in the certs directory. The additional validation checks that the point is on the curve, and is validated in FIPS mode.
In configure.ac,
1. Change some whitespace in the FIPS enable section.
2. Reorganize the FIPS section a little bit.
3. When enabling wolfRand, also force cryptonly.
4. Treat wolfRand like FIPSv2 at build time.
In the source include.am,
5. Add checks against BUILD_FIPS_RAND as appropriate.
6. Add the SHA-256 assembly to the wolfRand source list.
1. Rearrange some of the macros in the FIPS section to separate out the
different flavors of FIPS with their own flags to set them apart.
2. Add automake flags for FIPSv1 and wolfRand.
Example log output for test case where `client_hello` sent a cipher suite list and server choose a cipher suite not in the list:
```
wolfSSL Entering DoServerHello
ServerHello did not use cipher suite from ClientHello
wolfSSL Leaving DoHandShakeMsgType(), return -501
wolfSSL Leaving DoHandShakeMsg(), return -501
```
RFC 5246: 7.4.1.3: Server Hello: `cipher_suite: The single cipher suite selected by the server from the list in ClientHello.cipher_suites.`
Systems with sizof(int) == 2 default to expressions with that size.
So we have to do some explicit casts or use unigned long constants in
some cases.
In ssl.h the prototype of a function was not matching the definition.
This resulted in a type incompatibility on a 16-bit system.
Fixes to ARM code
- put in it instruction before conditional for old compilers.
- fix small code size version of compare
- handle not being able to shift by the full size - want result to be
zero
Casts as required by compiler to reduce bit size explicitly.
When building with GCC-8 and enable-intelasm set, GCC reported a memcpy
from and two the same pointer being possible. Added a check for the same
pointer and skipped the copy if the same.
One of the tests for PKCS8 depended on keys encrypted with a password
that has only 8 letters. HMAC in FIPS mode requires a minimum of 12
bytes. Disabled that test case when FIPS is enabled. All components do
get tested just not all together in that case.
1. Check the sizes picked up out of the message against the expected
size of the record when looking at the certificate messages.
2. Renamed the cert and certSz in the watch callback with it being a
certChain.
Create the OCSP Response for Stapling and TLS 1.3 when parsing.
When parsing OCSP stapling extension with TLS 1.3, use a new extension
object if it was created.
Set the extension size to 0 before writing extensions when sending a TLS
1.3 Certificate message.
Modifed the sniffer watch callback so it provides a SHA-256 hash of the
peer certificate, as before, and the entire certificate chain sent by
the server in the Certificate handshake message. The chain is taken
directly from the message payload, unprocessed. It'll be a list of pairs
of 24-bit certificate length and a DER encoded certificate, all in
network byte order.
Only check picking the hash and signature algorithm functions return
when a certificate is available to send to peer.
Include the ECC signature and hash algorithms in available list even
when using ECDSA certificates signed with RSA.
List is of capabilities not what is in certificate.
Certificate request sent to peer doesn't have to be an ECDSA certificate
signed with RSA.
Same treatment for RSA.
1. Split the function ssl_SetWatchKey() into ssl_SetWatchKey_file()
which loads the key from a named file and ssl_SetWatchKey_buffer()
which loads the key from a provided buffer. file() uses buffer().
Added the build option for the Watch mode for the sniffer. Instead of
setting a set of IP addresses and keys, you set a callback function.
When any TLS connection is started, the hook is called and a hash of the
peer certificate is given to the callback function. It has a chance to
load a private key into the sniffer session. Enable this option with the
build flag "WOLFSSL_SNIFFER_WATCH".
Do version negotiation first. Look for, parse and negotiate with
SupportedVersions extension upfront. Only need to handle TLS 1.3
ClientHello after this.
Any version greater than TLS 1.2 in Legacy Version field is translated
to TLS 1.2.
Fix preMasterSz to when not using PreSharedKey.
Not finsing KeyShare in ClientHello sends a missing_extension alert.
Decoding signature algorithms in new TLS 1.3 range now returns error
when not recognized.
Don't allow RSA PKCS #1.5 signatures to be verified.
Fix accept when downgraded from TLS 1.3 to go to wolfSSL_accept.
Fix server state when sending ChangeCipherSpec for MiddleBox
compatability.
Send a new session ticket even when resuming.
When major version is TLS Draft then this is now ignored.
If version negotitation occurs but none matched then send an alert and
return an error.
Store the rsa_pss_pss_* signature algorithms in the bit mask.
KeyShare Entry parsing returns INVALID_PARAMETER when length is 0 and
results in a different alert being sent.
Check negotiated protocol version is not TLS 1.3 when determing whether
to parse point formats.
If not FFDHE parameters in list then use existing.
If FFDHE parameters present but none matching then let the ciphersuite
match process fail when DHE must be used.
Better checking of encrypted alerts - check unencrypted data size
correctly before using data.
Send an alert if the alert isn't the right size.
Send an alert if the maximum alert count has been reached - but don't
send it if seeing close_notify alert.
1. Moved sslKeyFails.
2. Added sslEphemeralMisses, sslEncryptedConns, sslDecodeFails.
3. Removed the Rehandshake stats as the sniffer does not support rehandshaking.
4. Removed two of the per second stats as they seemed redundant.
5. Added a function to atomically read and reset the sniffer statistics.
1. Wrapped the added code for statistics in a preprocessor guard.
2. Added a check for the current cipher suite and if it is on the list
of allowed suites. Guarded by the statistics option.
3. Added more statistics from the list.
1. Added a structure for all the statistics to be kept.
2. Added a global to track the statistics.
3. Added a copy function to get a copy of the statistics.
4. Added a reset function for the statistics.
5. Handle the alert messages in statistics.
1. Remove redundant calls to the generate function when instantiating
and reseeding the DRBG.
2. Added note to the apparently redundant extra call to the generate
function when running the self test. This extra call is there to make
sure the internal state is updating correctly as a part of the KAT.
3. Removed duplicate enable argument clause for rng from configure.ac.
Replace some removed constants for AES-NI. They were removed when the
inline assembly that used that was exported to its own file.
For Windows, we're using the C intrinsic AES-NI functions, and those
still needed those constants.
Consolidate all the AM_CONDITIONAL statements in one place in the
configure process. This replaces the set of repeat checks of enable
flags to conditionally check the AM_CONDITIONAL.
performs the decrypt in the old manner before a particular bug was
fixed. The old method didn't add padding when the data to encrypt was
multiple of the block_size in length. The decrypt happened to ignore the
error returned by checkPad.
Fix up ARM32 Curve25519 assembly code to use right directives.
Slight improvement to ARM64 SHA-512 assembly code.
Don't return error code from Transform functions - can't fail.
The `WOLFSSL_SHA256_ALT_CH_MAJ` alternate Ch/Maj performance is the same.
The `SHA256_MANY_REGISTERS` is about 13% slower on 64-bit. On some platforms is slightly faster.
Added freedom-e-sdk based makefile
Updated ecc test code to not allocate more memory than requried
Run wolfcrypt and benchmark tests on the SiFive HiFive1 targets
1. When collecting the key size to log it, use the constant WOLFSSL_BIT_SIZE for the bytes->bits multiply.
2. When converting the size of the ECC key, break the steps out more explicitly. Also update the comment to be more accurate.
New compile time option WOLFSSL_PSK_ONE_ID. Indicates one identity
available. No need for client to call callback when generating binder -
already cached.
1. Moved the CopySessionInfo function to a better location for the additions.
2. Added accessors for a callback and application context data.
3. Added a callback that is called from ProcessClientKeyExchange when everything is known about the start of the current session.
4. Added the private key size and the server name indication to the SSLInfo record.
1. Refactor `ProcessClientKeyExchange()` so it can be expanded to handle ECC keys for ECDH support.
2. Add support to the sniffer for ECDH based cipher suites.
* Fixes for building wolfSSL from GitHub sources download, where .git does exist. The autogen.sh still needs to "touch" files for the build to work.
* Fix for FIPS case where `wc_RsaSetRNG` is not available.
* Added new `./configure --enable-usersettings` option to not populate the Makefile with build options and instead define `WOLFSSL_USER_SETTINGS` and expect a user provided `user_settings.h` file.
* Fix for `HAVE___UINT128_T` to match config.h generated value to eliminate warning.
When calling wolfSSL_EVP_DigestInit() with an unsupported string, the
macType should be set to NONE, rather than ignored. In a particular
build combination, functions using that EVP could false the type because
of memory garbage. Just set it in the else case.
* Added new `WOLFSSL_TELIT_M2MB` build option to enable support for RNG, Time, Mutex, FileSystem and Directory.
* Added `XTIME_MS` macro to simplify the tls13.c layer time requirement.
* Cleanup of the wolfCrypt benchmark and test printf remapping.
* Added wolfCrypt optional memory test enabled with `COMPLEX_MEM_TEST`.
* Added wolfCrypt test / benchmark feature for allowing "sleep" between long operations using `TEST_SLEEP()`.
* Fix for extern with `sp_ModExp_2048` when building with `--cpp` option.
1. Rearrange the deprecation cryptodev option so it doesn't overwrite the cryptocb option, and so it doesn't break its case in the build-test.
2. Fix the content length in the sample HTTP used by the example server.
3. Disable OCSP stapling in the example server if RSA is disabled.
4. Fix a variable in asn.c that was declared in the middle of its scope.
5. Retag the xmalloc, xrealloc, xfree functions used in the memory test as WOLFSSL_API like all the other allocators, instead of extern.
1. Fix for the enable-afalg option from Jacob Barthelmeh.
2. Client fix for enable-sp+enable-sp-math option from David Garske.
3. Added a couple of typecasts to some mallocs.
4. Modified the option guard for the mask member of Options for the webserver build.
5. Added some more padding to the opaque structures used for SHA_CTX and AES_KEY.
6. Added WOLFSSL_API to the stack logging functions.
Bump the version number in configure.ac and updated the version.h. The
library version wasn't updated between v3.15.7-stable and the snapshot
v3.15.8, so I bumped it for this release.
When enable-all and disable-rsa is configured, some of the tests needed
for all don't work because they only use RSA keys or certificates.
Disabled those test cases in that build combination.
One of the external sites contacted for the OCSP stapling test
increased the size of one of their intermediate certificates. The test
failed silently as the certificate was ignored. Increased the
FP_MAX_BITS so that the test can pass with the enable-all option. That
option was setting the FP_MAX_BITS for 3072-bit certificates, and the
site in question is using a 4096-bit certificate.
1. The combination enable-all and disable-rsa breaks some of the
testing. Added the NO_RSA guards as appropriate.
2. Disabled the OCSP stapling and CRL tests when RSA is disabled as they
use test certificates with RSA keys.
1. Removed redundant includes of files.
2. Moved all the files in the viewer into the appropriate directories.
3. Updated the copy rules so the missing include files are copied to the destination for all the three possible targets.
2. Check the trusted CA id pointer for NULL before copying.
3. Updated the api test for the NO_SHA change.
4. Remove the TCA options member as redundant.
Added an API for enabling the Trusted CA Key Indication extension from
RFC6066 section 6. If the server doesn't have a match for the client,
the client will abandon the session.
Add some typecasts to the RSA constant time data copy so it doesn't
misbehave with some embedded compilers that do the integer promotion in
a different order than expected.
In at least one environment the check for particular AR options was
failing due to a bash script bug. Deleted an extra pair of parenthesis
triggering an arithmetic statement when redundant grouping was desired.
2. Put SecureResume in terms of a regular resume, using Get/SetSession
and then calling Rehandshake.
3. Add the startScr after checking secure_renegotiation enabled during a
resume.
Fix wc_ecc_fp_free() to be called when using HAVE_STACK_SIZE.
Increase size of replyin client.c so all HTTP reply is displayed.
Fix api.c to support only Ed25519 (not RSA and ECC)
Fix suites.c to detect when CA for client won't work (Ed25519 only)
For Static Memory add debugging and small profile.
Also allow realloc to be called with NULL.
Add more Ed25519 certs and keys.
Fix names of Ed25519 filenames for client and server.
Do NOT turn on ECC_SHAMIR by default with lowresource.
Enable WOLFSSL_STATIC_MEMORY_SMALL if low resource and no RSA.
subject ID on renegotiation. Both endpoints are already
cryptographically linked on an encrypted channel.
2. The error code list has gaps where deprecated codes were deleted,
remove the redundant gaps where there aren't missing codes.
1. Split the wolfSSL_Rehandshake() function into wolfSSL_Rehadshake()
which performs a full handshake on secure renegotiation and
wolfSSL_SecureResume() which performs a session resumption on a
secure renegotiation.
2. Add option to example client to perform a secure resumption instead
of a full secure handshake.
Add support for the fixed FFDHE curves to TLS 1.2. Same curves in TLS
1.3 already. On by default - no checking of prime required.
Add option to require client to see FFDHE parameters from server as per
'may' requirements in RFC 7919.
Change TLS 1.3 ClientHello and ServerHello parsing to find the
SupportedVersions extension first and process it. Then it can handle
other extensions knowing which protocol we are using.
__attribute__ ((mode(TI))) does not really work on clang-cl,
linking would fail with "unresolved external symbol __udivti3",
as reported in https://bugs.llvm.org/show_bug.cgi?id=25305
Fix to use default case with 28bit digits on clang-Windows.
If the old length checking method is desired `NO_STRICT_ECDSA_LEN` can be used. This would allow extra signature byes at the end (unused and not altering verification result). This is kept for possible backwards compatibility.
Per RFC6979: `How a signature is to be encoded is not covered by the DSA and ECDSA standards themselves; a common way is to use a DER-encoded ASN.1 structure (a SEQUENCE of two INTEGERs, for r and s, in that order).`
ANSI X9.62: ASN.1 Encoding of ECDSA:
```
ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
```
Fixes#2088
OCSP uses an identified hash of the issuer's public key to identify the
certificate's signer. (Typically this is SHA-1, but can be any SHA
hash.) The AKID/SKID for the certificates usually are the SHA-1 hash of
the public key, but may be anything. We cannot depend on the AKID for
OCSP purposes. For OCSP lookups, wolfSSL calculates the hash of the
public key based on the copy saved for use with the handshake signing.
For RSA, that was fine. For ECDSA, we use the whole public key including
the curve ID, but for OCSP the curve ID isn't hashed. Stored the hash of
the public key at the point where we are looking at the key when reading
in the certificate, and saving the hash in the signer record.
Getting the seed from a device has been added.
If the HASH_DRBG is available, PKCS#11 will be used for generating the
seed.
Otherwise, all generated random data will come from PKCS#11 device.
hardware acceleration with RSA
add AES-GCM hardware acceleration
refactor setting RSA IV flag
check and set AF_ALG flags
fix for default AF_ALG use
set buffer alignment with Xilinx RSA
macro guard after rebase
use ALIGN64
clean up test cases
- Added support for Deos with no file system
- Implemented a custom malloc since reusing and freeing memory is disallowed in avionics and mission critical applications.
- Added TLS client and server example with a TCP setup mailbox transport
- Timer starts at an offset of CURRENT_UNIX_TIMESTAMP specified by the user
- Uses rand_r() as a pseudo random number generator and uses the current time in seconds as a seed
- Uses strnicmp for XSTRNCASECMP instead of strncasecmp
- a readme doc included
* Support for building `WOLFSSL_SAFERTOS` without heap.
* Allows `XSTRNCASECMP` macro to be customized.
* USER_TIME supports checks for existing `strct tm` and `time_t`.
Modify the DtlsMsgPoolSend() function to keep track of the last message
retransmit. If a write would block, it allows the retransmit pick up
where it left off.
Do not allow the DTLS message flight be retransmit without being
finished. This can happen if a non-blocking transmit times out the
response and the application tries to retransmit.
1. Add a second select for tx.
2. Revised tcp_select to work for either rx or tx.
3. Updated client and server to use new tcp_select_tx() for checking the
tx socket if the nonblocking connect/accept would block on transmit.
1. Add error code for trying to retransmit a flight when transmitting
the flight hasn't finished.
2. Add function to retransmit the stored flight without updating the
timeout count.
1. In DTLS, when transmitting the Change Cipher Spec message increment the
sequence number.
2. In DTLS, when client receives the CCS message, sanity check that the
server hello has been received in the case of resume.
1. In the client, check the return code on wolfSSL_CTX_SetMinDhKey_Sz() as it is checked in the server. (Resolves issue #2037.)
2. In HashOutput(), check that the hsHashes exists for the session before hashing. (Resolves issue #2038.)
Fixed a potential bug with respect to processing fragmented handshake
messages. If a handshake message is fragmented across multiple TLS
records and the last fragment's record has the next handshake message in
it, we would throw a buffer error instead of processing the next
message. Changed this so it will finish the handshake message and return
out to process the next message. Also changed the handling of the
handshake message to follow the calling pattern.
* Added support for running as only Client (`-c`) or Server (`-s`).
* Added support for using sockets (in addition to in memory mode `-m`).
* Fixed support for 16KB test packet (memory version needed TLS header space). Changed to default to 16KB.
* Fixed so transfer is done on each connection and there is not transfer limit (instead "shutdown" message is used).
* Made pthread support optional and based on HAVE_PTHREAD.
* Tested non-blocking support with sockets or shared memory.
To use with localhost sockets and threading use `./examples/benchmark/tls_bench`
To use with threading and in-memory use `./examples/benchmark/tls_bench -m`
To use as separate server client applications with localhost sockets use: `./examples/benchmark/tls_bench -s` and `./examples/benchmark/tls_bench -c` in separate terminals.
```
./examples/benchmark/tls_bench -?
tls_bench 3.15.7 NOTE: All files relative to wolfSSL home dir
-? Help, print this usage
-c Run as client only, no threading and uses sockets
-s Run as server only, no threading and uses sockets
-h Host (default localhost)
-P Port (default 11112)
-e List Every cipher suite available
-i Show peer info
-l <str> Cipher suite list (: delimited)
-t <num> Time <num> (seconds) to run each test (default 1)
-p <num> The packet size <num> in bytes [1-16kB] (default 16384)
-v Show verbose output
-d Enable debug messages
-T <num> Number of threaded server/client pairs (default 1)
-m Use local memory, not socket
```
* Added ECC and RSA intermediate CA's and server/client chain certificates for testing.
* Enhanced suites test to support expected fail arg `-H exitWithRet` in any test .conf file.
* Added new `test-altchains.conf` for testing with `WOLFSSL_ALT_CERT_CHAINS` defined.
* Added new `test-chains` for testing chains.
* Added new `test-dhprime.conf` for DH prime check tests.
* Added new `test-trustedpeer.conf` for testing `WOLFSSL_TRUST_PEER_CERT`.
* Refactor to add `-2` to disable DH prime check by default (except for new test-dhprime.conf).
* Added ability to run a specific test.conf file using syntax like `./tests/unit.test tests/test-altchains.conf`.
* Fix with `WOLFSSL_ALT_CERT_CHAINS` to resolve issue with using a trusted intermediate to validate a partial chain. With the alt cert chain enabled a CA may fail with only `ASN_NO_SIGNER_E` and the connection is allowed if the peer's certificate validates to a trusted CA. Eliminates overly complex 1 deep error alternate chain detection logic. Resolves ZD 4525.
* Refactor and cleanup of ProcessPeerPerts to combine duplicate code and improve code commenting.
* Fix for CA path len check in `ParseCertRelative` to always check for self-signed case (was previously only in NO_SKID case).
* Improvement to include self-signed flag in the DecodedCert struct.
Put the clientState into CLIENT_HELLO_RETRY (new state) when waiting for
second ClientHello.
Chrome sends change_cipher_spec message, for reasons of compatability,
which meets the requirements of the Old ClientHello detection when state
of client is NULL.
1. Replace the WOLFSSL_PTHREADS option for VxWorks builds, but comment it out.
2. Added a comment about using the pthreads wrappers for mutexes in VxWorks.
1. HAVE_WEBSERVER option turns on a couple more functions that MG is
using for client side authentication.
2. If using webserver, those functions return and error.
* Fixes to ensure the "const" input buffer is not modified for AES GCM calls with STM32 hardware crypto.
* Improvements to allow AES GCM hardware acceleration for inputs that are not a multiple of AES block size.
* Switched the wolfCrypt test for STM32_CRYPTO to use the standard AES GCM tests with 12-byte IV and less than 16-byte auth data.
* Fixes for building with the standard peripheral library.
* Fixes for building with `NO_AES_DECRYPT`.
`./configure --enable-debug --disable-shared --enable-cryptonly CFLAGS="-DNO_AES_DECRYPT"`
1. Fix testing issue with a client using the SCSV cipher suite to indicate desire for renegotiation.
2. Add indication to both the server and client examples that the renegotiation was successful.
1. Add an extra guard check around a call to SendHelloRequest() in the case where server renegotiation is disabled.
2. Replaced an accidental deletion of an include of the misc.h header for no inline builds.
1. Add the server side renegotiation flag to the secure renegotiation option.
2. Changed the AddEmptyNegotiationInfo so it doesn't create an extension, just adds a reply if SCR is enabled.
3. Fix the server's reaction to the client sending the SCR extension.
1. Fix an incorrect function entry log string.
2. Restart the server's accept state assuming the client hello was
received when the client initiates renegotiation.
1. Add enables to the example server for turning on secure renegotiation.
2. Add encryption assists to the handhshake message handler functions.
3. Add a hello request message function. Includes handshake timing pre/postambles.
1. Remove the file async.c from the iOS Benchmark project.
2. Update the organization name in the Benchmark project to "wolfSSL Inc".
3. In the workspace project, change the path to the wolfSSL test to be a local relative path rather than an absolute path.
4. In the workspace project, remove the benchmark project and re-add it. It becomes a local relative reference with the correct name.
* Updated `--with-intelqa=` to support detection of QAT driver version and use different .so libs.
* Added include and lib reference for new libusdm.
* Added `QAT_ENABLE_RNG` option.
* Fix for dynamic type spelling error (`DYNAMIC_TYPE_SYMETRIC_KEY` -> `DYNAMIC_TYPE_SYMMETRIC_KEY`).
* Fix benchmark output to use "took" not "tooks".
1. Modify all the test configuration files to disable the DHE prime test.
2. Add a test configuration that tests three cipher suites with the DHE prime test enabled.
1. Fix iOS Benchmark reference to the async.c file.
2. Fix iOS Benchmark reference to the sp.c file. Changed to spr_c64.c.
3. Removed misc.c from iOS Benchmark as it is using inlined misc.h.
4. Added define of HAVE___UINT128_T to the user_settings.h so the
benchmark would build.
5. Wrapped the benchmark usage strings in NO_MAIN_DRIVER.
When loading DH domain parameters into a CTX, test the prime
immediately. When loading them into a session, test the prime right
before using it during the handshake. Sessions that get their prime from
their context do not need to test their prime. Added a function to
disable testing the prime in a session. The goal is to speed up testing
as every single test case loads DH parameters whether they are used or
not.
Fixed wrong error checks, changed return value to the size of the derived key, added support for the case where data == NULL and removed the assignment of constant value to info->ivSz (the correct value is assigned to it inside 'wc_EncryptedInfoGet')
1. Updated a config item regarding the order of searching headers to the current recommendation from Apple.
2. Added the define flag CYASSL_USER_SETTINGS to the FIPS project so the user settings are loaded into the FIPS files.
1. Collect the SSL Info capture into its own function.
2. Add a Trace function for the SSL Info.
3. When copying the IANA name for the cipher suite, use a strncpy
instead of a memcpy and cap the copy at the length of the destination.
Force a null terminator at the end of the destination, just in case.
4. Modify the snifftest to collect the SSL Info.
remove uC/OS-III eclipse project files
Adding wolfSSL client example for uC/TCP-IP with WinPcap running on Win7
Cleaned up user_settings and client example code
wolfSSL server example for uCOS-III/TCP-IP
Fixed typo and formating
Removed comments from user settings
serial (UART) interface isn't available on all targets
Updated to use PEM certs
add XSNPRINTF snprintf
define tx msg and size for clarity
1. Adds a new function ssl_DecodePacketWithSessionInfo() that returns a
copy of the TLS session info (version and suite ID) for the packet that
is decoded.
2. Adds a new function DecodePacketInternal() that does the same work as
the old DecodePacket() with the additional Session Info behavior.
3. Both DecodePacket public functions call the internal version.
Drop a handshake message if it is split across TLS records. The likely
messages dropped are certificate and certificate request, which are
ignored by the sniffer.
* Signature wrapper improvements to eliminate mallocs/frees unless small stack is used. If small stack is used only one allocation is done based on actual max (was previously was allocating too much and in the encoding case was reallocating a second buffer).
Add heap as a device initialization parameter.
Allocate slot info pointer wiht device heap pointer.
ForceZero user pin on token finalization.
Add comments to structure definitions.
Added a build option, WOLFSSL_ALLOW_SERVER_SC_EXT, that skips the
client's parsing of the supported curve extension if sent by the
server for sessions using < TLSv1.3. The server doesn't need to send it
and the RFCs don't specify what should happen if it does in TLSv1.2, but
it is sent in response from one particular Java based TLS server.
* Fix for possible NULL RNG case in mp_rand.
* Fix for memory macros to handle expression for `HEAP`.
* Fix for possible unknown uint32_t type with mem track.
* Fix for double Alloc/Free print when using track and debug memory at same time.
* Fix for building with `./configure CFLAGS="-DECC_USER_CURVES -DNO_ECC256 -DHAVE_ECC160"`
* Performance improvements for cases with `WC_ASYNC_NO_HASH` and `WC_ASYNC_ENABLE_SHA256`.
formating and refactoring
update configure for devcrypto
add AES algorithms to cyrptodev port
increase structure size for compatibility AES with cryptodev
add wc_devcrypto.h to install path
1. Updated the IDE/WIN10 user settings to enable RDSEED by default.
2. Updated the Windows GenerateSeed() function to take into account the
RDSEED enabled setting.
3. Exclude the TestSeed() function check for the "selftest" build as
well as old FIPS.
1. Update the SEED_BLOCK_SZ to 4 for non-FIPS builds.
2. Change fips-check.sh to skip copying over the random.{c,h} files for
now. Need the tagged versions of the other files and the new random for
now.
1. For non-FIPS builds, lower the entropy request size to the old value.
2. Added a consistency check to the result of the entropy source. The test
involves requesting an additional 64-bits, then doing a running
comparison of each block of 64-bits. The first block of bits is ignored.
3. Refactored the RNG seeding a bit. Renamed all variables with
"entropy" in the name as "seed". Renamed the constants for entropy sizes
as seed sizes. Changed the security strength to its actual value and
introduced an entropy scaling factor for the number of bits of entropy
per bit and a size for the NDRBG block size.
4. Changed it so the user can change the parameters for the RNG at the
build configuration. If using FIPSv2, triggers an error if the paramters
are changed.
Document how length of ECDSA signature calculated.
Check parameter not NULL before use.
Formatting fix.
Also, disable RSA test of EVP_DigestSign/Verify* when HAVE_USER_RSA.
In the case of OCSP Stapling being enabled and NO_WOLFSSL_SERVER being
set, there was a spot where the ocsp_stapling list was still being
touched even though it is left out of the build. Just needed to add the
right #ifdefs.
A couple flags were being implemented as bitfields from an int type.
GCC-8 is being more strict of type and value checking and is treating
single bit ints as both 1 and -1 and complaining about value changes.
Change the two int bitfields to use word16 bitfields as is the
pattern elsewhere.
* Added new `wolfSSL_CTX_load_verify_locations_ex` that supports flags `WOLFSSL_LOAD_FLAG_IGNORE_ERR`, `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` and `WOLFSSL_LOAD_FLAG_PEM_CA_ONLY`.
* Fix for `PemToDer` to handle PEM which may include a null terminator in length at end of file length causing wrong error code to be returned. Added test case for this. (ZD 4278)
* Added macro to override default flags for `wolfSSL_CTX_load_verify_locations` using `WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS`.
* Added tests for loading CA PEM's from directory using `wolfSSL_CTX_load_verify_locations` and `wolfSSL_CTX_load_verify_locations_ex` with flags.
* Added tests for `wolfSSL_CertManagerLoadCABuffer`.
* Updated the expired test certs and added them to `./certs/test/gen-testcerts.sh` script.
The ValidateDate() function is wrapped by a macro so it may be replaced
in environments without ASN_TIME built in. In two cases, OCSP and CRL,
ValidateDate() is called directly instead of by the macro. This change
fixes that.
Code doesn't require a DecodedCert which saves on dynamic memory usage.
WOLFSSL_SMALL_CERT_VERIFY: Don't have a DecodedCert allocated and verify
certificate signature in ProcessPeerCerts as this is maximum dynamic
memory usage.
WOLFSSL_SMALL_CERT_VERIFY is enabled with 'lowresource' configuration
option.
Fix sp_clear to work with NULL parameter.
Define a new function HashId that maps to the hashing function
available.
Set MAX_CERT_VERIFY_SZ to be the maximum based on what algorithms are
compiled in.
Fix usage of MAX_CERT_VERIFY_SZ in functions sending certificate verify
messages.
TLS 1.3 Early Data can be used with PSK and not session tickets.
If only TLS 1.3 and no session tickets then no resumption.
External sites don't support TLS 1.3 yet.
1. When checking an OID sum against an OID string based on context, skip the unknown OIDs instead of treating them as parse errors.
2. When getting an OID, pass the lower error upstream instead of just PARSE error.
1. Define Timeval in callbacks.h if the file sys/time.h is missing.
2. When picking the correct strtok() function, take into account MINGW64.
3. In the example server, changed the call to SSL_accept_ex() as it doesn't exist. Using wolfSSL_accept_ex(). Only a problem when setting WOLFSSL_CALLBACKS.
4. PickHashSigAlgo() is missing a ; when WOLFSSL_CALLBACKS is set.
Change define to WOLFSSL_MEMORY_LOG.
Fix for ED25519 server certificate - single cert to allow comparison
with ECC dynamic memory usage.
Free memory earlier to reduce maximum memory usage in a connection.
Make MAX_ENCODED_SIG_SZ only as big as necessary.
Change memory allocation type in sha256 from RNG to DIGEST.
If we know the key type use it in decoding private key
Using the wrong size for the MR test check value. Converting from size
of FP_MAX_BITS to the DH prime size, dividing too much. Switched it to
its own constant.
It is highly recommended that the PSK be different for each protocol.
Example callback already returns a different key for TLS 1.3.
New callback includes the ciphersuite, as a string, to use with the key.
More places to mask shifted n.
Fix conditional check on NO_3072 in sp_int.h
Disable prime checking when using SP maths.
Add support for mp_tohex to SP maths.
Fix wolfmath.c to support including SP maths.
When using the async option, the RSA key is checked on the first call to
DoTls13CertificateVerify() when the async state machine is set up. On
the subsequent call, the pointer to the key isn't checked again. Added a
check. (This was from a static analysis report.)
1. Modify the other OCSP Stapling scripts to better manage the OCSP responder.
2. Modify the client's W option to take:
- 1 for Stapling v1
- 2 for Stapling v2
- 3 for Stapling v2 MULTI
3. Modify the client to disallow stapling v2 with TLSv1.3.
1. Added a missed attr files for the OSCP status files. Bare minimum attr.
2. Added the attr files to the automake include.
3. Fix out of bounds read with the OCSP URL.
1. Made killing the OCSP server process more reliable.
2. Added attr files for the OSCP status files. Bare minimum attr.
3. Added a NL to the error string from the client regarding external tests.
When doing the sp_2048_mod_exp_*() is processed, one of the index
variables is masked with 0x1f when it was updated. Added the masking to
the initial set of the index.
Change the DES_IV_SIZE back to 8 bytes, rather than 16.
DES/DES3 was passing the wolfCrypt test becuase the main DES code uses
the DES_BLOCK_SIZE when handling the IV. The TLS/SSL code uses the
DES_IV_SIZE when generating the session keys.
progress on AES-GCM with AF_ALG and add SHA256
add aes-gcm test cases and finish logic of aes-gcm with AF_ALG
formating of tabs and white space
add files to dist
adding ecb and ctr mode with af_alg
make length of buffers for ctr be AES_BLOCK_SIZE
formating and add support for sha256 copy/gethash
sanity checks on arguments
cast return values and valgrind tests
make it easier to use sha256 with af_alg
remove hard tabs
add endif for after rebase
1. strncat() does not like to copy single byte strings with "n = 1", as it won't null-terminate.
2. strncpy()'s len parameter is the size of the dst not the src.
3. Replaced the echoserver HTTP response composition of const strings with a copy of a single string.
1. Allow SetAllocators to use NULL as a callback. Memory wrappers will use default with NULL.
2. Remove the ResetAllocators function. Use SetAllocators with NULL.
3. Modify memory tracker to save the old allocators on init and restore them on cleanup.
* Added reference PK callbacks functions for ECC sign, verify and shared secret used by TLS in `wolfcrypt/src/port/st/stsafe.c`.
* Fix for wolfcrypt_test to not require args to be provided.
* Fix for wolfCrypt `ecc_test_buffers` to poperly init ecc_key (resolves devId issue).
* Fix for STM32 AES CBC Decrypt with CubeMX, which was not capturing the first input block for next IV.
* Refactor to combine STM32 hardware init code.
1. Added calls to wc_DhSetCheckKey() on the client side of TLS.
2. Added an API test to the wolfCrypt test.
3. Fixed a bug in the prime test found with the API test. Misuse of tertiary operator.
Allows configurations without RSA, DH and ECC but with Curve25519
algorithms to work with SSL/TLS using X25519 key exchange and Ed25519
certificates.
Fix Ed25519 code to call wc_Sha512Free().
Add certificates to test.h and fix examples to use them.
1. The check for options that start with an underscore to wrap them with another check was broken. Replaced with a use of grep. The old original version breaks on some shells.
1. The fips-check script was missing the ecc file when building the FIPSv2 test directory. The correct file was sent in for testing.
2. When building with ECC import validation enabled, one usage of the ALLOC_CURVE_SPECS macro had an extra parameter. (copy-and-paste error)
Small stack builds now dynamically allocate large stack variables.
Cache option added to avoid repeated allocation of temporaries in add
points, double point and map.
Cached memory allocated in mulmod and mul2add.
Fix asn.c and rsa.c small stack to not have large stack variables.
In RSA code don't load or store dP, dQ or u when using RSA_LOW_MEM as
they are not used.
Fix SP to recognize RSA_LOW_MEM means to use d, private exponent.
Fix wc_CheckRsaKey to work with SP.
Fix sp_int to support mp_set_int for wc_CheckRsaKey().
Small stack builds see SHA-256 allocating W a lot.
Cache the SHA-256 object in DRBG when WOLFSSL_SMALL_STACK_CACHE is
defined.
Call free function on SHA-256 object now that it is required.
SHA-2 algorithms allocate W each call to transform when using
WOLFSSL_SMALL_STACK.
Put a pointer into the SHA-2 object to cache W.
Change code to call the SHA-2 Free functions now that they are required.
Only cache when WOLFSSL_SMALL_STACK_CACHE is defined.
1. Added some new ifdef clauses to tfc and integer so that
the prime checking is available when using RSA, DSA, or DH.
A couple functions used were dependent on ECC being enabled.
1. Moved a few functions around in tfm.c and integer.c.
2. Added some new ifdef clauses to tfc and integer so that the prime checking is available when using RSA, DSA, or DH.
3. Added an internal version of function wc_DhSetKey and wc_DsaImportParamsRaw that always checks to see if the prime value is prime. Modified the original function to be a wrapper.
1. In wc_DhGenerateParams(), changed the call to mp_prime_is_prime() to
mp_prime_is_prime_ex().
2. In wc_MakeDsaParameters(), changed the call to mp_prime_is_prime() to
mp_prime_is_prime_ex().
3. Added wc_CheckProbablePrime_ex in RSA that also takes an RNG to call
mp_prime_is_prime_ex(). If RNG is NULL, call mp_prime_is_prime().
4. Rewrite wc_CheckProbablePrime() in terms of
wc_CheckProbablePrime_ex().
1. Fixed variable name typo in DH for the FFDHE 8192-bit q value.
2. Updated some error strings in wolfSSL_BN_is_prime_ex().
3. Changed the calls to mp_prime_is_prime_ex() in fp_randprime() and
mp_randprime() so they go back to the 8 rounds of MR, which is more than
adequate in this situation.
1. Fix typo.
2. Change the parsing of the -D options to be more POSIX friendly.
Removed the "==" and replaced the multi escaped [] with a test command.
1. Update the function wolfSSL_BN_is_prime_ex to use mp_prime_is_prime_ex.
2. Modified fast and normal mp_prime_is_prime_ex() to use random numbers
that are in the range 2 < a < n-2.
Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes.
When generating the times for a generated certificate, calculate the
time differences based on the seconds from epoch rather then converting
back and forth between tm structures. One particular RTOS calculates the
date change when generating a certificate on the first of the month. It
leaves the certificate valid on the zeroth of the month.
1. Added certificates for localhost where the CN and SAN match and differ.
2. Change subject name matching so the CN is checked if the SAN list doesn't exit, and only check the SAN list if present.
3. Added a test case for the CN/SAN mismatch.
4. Old matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN.
5. Add test case for a correct certificate.
Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
Introduce support for OCSP stapling in TLS 1.3.
Note: OCSP Stapling v2 is not used in TLS 1.3.
Added tests.
Allow extensions to be sent with first certificate.
Fix writing out of certificate chains in TLS 1.3.
Tidy up the OCSP stapling code to remove duplication as much as
possible.
* Fix for `wolfSSL_CTX_set_options` to work correctly when no certificate has been set for WOLFSSL_CTX, otherwise this operation fails with `Server missing certificate`.
* Fix for bad argument name `time`.
* Fix for `warning: type of bit-field`: Allowed types for bit-fields are int and unsigned int only.
* Exposed `ERR_remove_thread_state` and `SSL_CTX_set_tmp_ecdh` for lighttpd
* Renamed `WOLFSSL_ERR_remove_thread_state` to `wolfSSL_ERR_remove_thread_state` and setup old name macro.
* Add missing newline on asn1.h.
* Whitespace cleanup in ssl.c.
Fix states in TLS 1.3 connect and accept to be monotonically increasing
by 1.
Always have a new state after a buffer is constructed to be sent.
Add non-blocking support into TLS benchmark and support TLS 1.3.
Store DER copy of CA certificate with signer when
WOLFSSL_SIGNER_DER_CERT is defined.
Keep the bad issuer error for later when compiling for OpenSSL
compatability.
Authority Info string needs to be passed back with a nul terminator.
In the past, Doxygen just listed API for wolfSSL and wolfCrypt in one long list.
Now there are two separate pages for the wolfSSL and wolfCrypt API references.
1. Fixed a few parsing checks in the dates in the RPM changelog.
2. Moved some file names between sections in the include.am and spec.in files.
3. Added the match-start-of-line to the regex for finding the -D items for the options file.
1. In wolfIO_Select(), separate out the fd lists into separate read and write lists.
2. Check the read and write fds lists to see if the connect() succeeded or failed.
3. Windows doesn't use the nfds parameter to Select. Initialize it to zero and reset it to the right value when building for not-Windows.
4. Remove the warning disable for Windows.
GCC 8.1 checks that "restrict" pointer parameters don't point to the same thing and will error if they do.
1. Update the fips-check script to pull the FIPSv2 code from the main repositories.
2. Script cleanup.
3. Disable the api.test check of wc_ecc_mulmod() when WOLFSSL_VALIDATE_ECC_IMPORT is enabled.
1. When building on VS, it didn't like using a variable for an array size. Fixed it so it was a constant.
2. In dh.c, there were a few #if that should have been #ifdef.
3. Tweaked a return value in the wolfCrypt test so it was read after being set.
1. ForceZero the odd block when using RDSEED to seed the DRBG.
2. When using FIPSv2 and Intel_ASM speedups, force RDSEED failure flag.
3. Annotate the ecc key pair checking code with NIST process references.
4. Add function to pair-wise check the DH key.
5. Add optional "Q" values for the FFDHE canned parameters from RFC 7919.
6. Enabled the ECC key checks by default for FIPS.
7. Added DH private key check function.
8. Enabled the DH key checks by default for FIPS.
1. Changed the ecc_sets table for Windows builds to use arrays instead of pointers to strings.
2. Updated the initializer to play nice with the Windows and not-Windows versions of the ecc_sets table.
This is a change for FIPS mode on Windows. The ecc_sets table has pointers to constants. When the FIPS POST runs, the pointers stored in the table are relocated pointers so the verify fails.
1. Windows IDE project, clean up the preprocessor flags.
2. Add command line define to the MASM steps to set HAVE_FIPS and HAVE_FIPS_VERSION=2.
3. Disable the whole program optimization for the non-DLL builds for the file fips.c.
4. Tweaked the aes_asm.asm's code segment line to be dependant on the FIPS setting. Only place it specially for FIPSv2.
5. Reverted the Windows IDE project and copied the new setting to a WIN10 directory.
1. Changed the _InitHmac() function in ssl.c to have a different name.
2. Added switch in ssl.c to use _InitHmac or _HMAC_Init depending on FIPS option.
1. MSC doesn't allow for inline assembly. Restore the intrinsic version of AES_GCM_encrypt and AES_GCM_decrypt for MSC AES-NI builds. This is lacking AVX.
1. Update gitignore with some more VS outputs.
2. Update the Windows IDE user settings with FIPSv2 settings.
3. Remove redundant _InitHmac() function from ssl.c.
4. In wc_DhGenerateParams(), initialize the groupSz and bufSz to 0.
5. In wc_DhExportParamsRaw(), initialize pLen, qLen, and gLen to 0.
6. In wc_MakeRsaKey(), initialize isPrime to 0.
7. In ecc_test_make_pub(), initialize exportBuf and tmp to NULL and initialize the ECC key before any chance of trying to free it.
8. In fips_test.h header, update types.h include to use the wolfCrypt types rather than ctaocrypt types.
9. In fips_test.h header, change the visibility tags on all the function prototypes to use the WOLFSSL tags rather than CYASSL.
10. Change the wolfCrypt visibility tags to use CyaSSL's tags for old FIPS and the regular tags for new FIPS and non-FIPS builds.
1. Added APIs to perform RSA-PSS verify and padding operation in the same call.
2. Change to RsaPSS sign and verify to pick the proper salt length if the key is 1024-bits and the hash is SHA-512.
1. For FIPSv2 builds, changed the FP_MAX_BITS to 6144.
2. Fixed bug in HMAC-SHA-3 where the digest size was being used instead of the block size for processing the key.
1. Add new APIs for AES-GCM so it can manage the IV per SP 800-38D.
2. Add new APIs for AES-CCM so it can manage the IV, similar to the behavior in AES-GCM.
3. Add new APIs for GMAC that use the new AES-GCM APIs.
1. Removed redundant forward declaration of RsaKey from hmac.h.
2. Updated gitignore with the first and last files.
3. Updated autogen with touching the first and last files.
1. AesGcmEncrypt_ex requires the RNG, remove function if RNG disabled.
2. Fix a couple function name changes in the example server.
3. Removed the old FIPS wrapping added to dh.h, was redundant.
4. Move include of random.h in the aes.h file.
5. Fix where ecc.c was being left out of old FIPS builds.
6. Exclude the AES-GCM internal IV test case when building without the RNG.
7. Fix api test where AES-GCM Encrypt was called with a too-long IV in old FIPS mode. Non-FIPS and new FIPS are allowed longer IVs.
1. Enabled ECC Cofactor DH for the FIPSv2 build.
2. Updated the wolfCrypt HMAC-SHA-3 test to leave out the set of test cases that use the four-byte key in FIPS mode.
1. Change to configure.ac to automatically enable AES-CTR in FIPSv2 builds.
2. Move the aes-ni asm file into the boundary if enabled.
3. Enable AES-ECB by default.
1. Moved the rest of the FIPS algorithms to FIPSv2.
2. Updated the fips-check and autogen scripts.
3. Updated the automake include for the crypto files.
4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer.
5. Added error code for the SHA-3 KAT.
6. Updated an test case in the API test for AES-GCM encrypt that is now considered a success case, but the FIPS mode was still treating as a failure.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
# wolfSSL Release 4.3.0 (12/20/2019)
If you have questions about this release, then feel free to contact us on our info@ address.
Release 4.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
##### New Feature Additions
* Add --enable-libwebsockets option for support of libwebsockets build
* Updated support for NGINX 1.15.0 and added support for 1.16.1
* Add wc_scrypt_ex API which can take in iterations rather than cost
* Updates to RSA-PSS salt lengths. Macro WOLFSSL_PSS_SALT_LEN_DISCOVER allows for discovering the salt length. Passing RSA_PSS_SALT_LEN_DISCOVER value into wc_RsaPSS_Verify_ex attempts to discover salt length and can use larger salt lengths
* Additional OpenSSL compatibility API wolfSSL_CertManagerGetCerts and wolfSSL_X509_STORE_GetCerts for retrieving certificates
* Add support for 4096-bit RSA/DH operations to SP (single precision) build
* Update support for Google WebRTC to branch m79
* Adds new FREESCALE_MQX_5_0 macro for MQX 5.0 support
* Adds a CMS/PKCS#7 callback for signing SignedData raw digests enabled with macro HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK and call to function wc_PKCS7_SetRsaSignRawDigestCb
* Add --disable-errorqueue feature to disable adding debug nodes to queue with --enable-opensslextra build
* After defining WOLFSSL_SHUTDOWNONCE macro the function wolfSSL_shutdown will return a specific error code of SSL_SHUTDOWN_ALREADY_DONE_E, to indicate to the application that the shutdown has already occurred
* Add AES-CCM decryption to benchmarking app bundled with wolfSSL
##### Fixes
* Fixes IAR warnings with IAR-EWARM 7.50.2
* Alignment fixes for mmCAU with AES and hashing algorithms
* Fix check for plaintext length when using Encrypt-Then-MAC
* Fix for unit tests with NGINX and debug mode
* Fix for macro names in test cases (WOLFSSL_PUBLIC_MP) and pkcs7.c (HAVE_AESCCM)
* Fix for Apache want read case with BIO retry flag
* Fix for PKCS7 streaming mode that would error rather than verify bundle
* Fix for freeing mutex for X509 and wolfSSL_EVP_PKEY_free, applies to OPENSSL_EXTRA / --enable-opensslextra builds
* Fix for encrypt then MAC when re-handshaking, encrypted handshakes change over to ETM now
* Fix for curve25519 assembly optimizations with GCC + AVX2
* Fix to hang onto certificate for retrieval if using secure renegotiation and session resumption
* Fixes case where the heap hint is created before WOLFSSL_CTX, when calling wc_LoadStaticMemory instead of wolfSSL_CTX_load_static_memory
* Fix for setting correct return value in PKCS12 parse error case
* Reset certificate extension policy count
* Fix for memcpy with TLS I/O buffers when using staticmemory pools and loading memory as WOLFMEM_IO_POOL_FIXED
* Fixes and updates for STM32 port, including additional mutex protection, AES-GCM decrypt auth tag, AES-CTR mode with CubeMX, update to OpenSTM32 project
* Fix for EVP CipherUpdate decrypt and add a test case
* DTLS fixes including; some DTLS sequence number issues in general where the sequence was incremented twice for each record and some offset values in the DTLS window checking
* Fix sp_add to handle carries properly (--enable-sp-math build)
* Additional sanity check on OCSP response decoder
* Fix for vasprintf with Solaris and AIX builds
* Fix for missing variable declaration with --enable-scep --with-libz build
* Fix for certificate date check with async build
* Sanity check on “out” length with Base64_Decode added
* Decode X.509 name - check input length for jurisdiction
* Additional sanity check on variable out index with DecodePolicyOID
* Fix for PKCS#12 PBKDF buffer size for buffer overflow
* TLS supported curve extension check curve name is in range before checking for disabled
* Sanity check for non TLS 1.3 cipher suite with TLS 1.3 connection
* Poly1305 AVX2 assembly optimization fix for carry with large input values
* Fixes for coverity report including null termination of test case strings and initialization of PKCS7 variables
* Fix for API visibility of wc_ed25519_check_key which resolves a wolfcrypt-py install issue
* Sanity check on max ALPN length accepted
* Additional sanity check when parsing CRL’s for copying the structure, fix for bounds checking
* Additional checks on error string length for debug mode and check for null termination
* ProcessPeerCerts allocating memory for exts with OPENSSL_EXTRA properly
* Clear the top bit when generating a serial number
* Sanity check that ASN date characters are valid ASCII characters
* Fix to add deterministic ECDSA and fix corner cases for add point.
* When getting the DH public key, initialize the P, G, and Pub pointers to NULL, then set that we own the DH parameters flag. This allows FreeSSL to correctly clean up the DH key.
##### Improvements/Optimizations
* Added configure error report with using invalid build of --enable-opensslextra and --enable-opensslcoexist together
* Update PKCS11 for determining key type given the private key type
* Update DoVerifyCallback to check verify param hostName and ipasc (--enable-opensslextra builds)
* additional null sanity checks on input arguments with QSH and Cryptocell builds
* Additional checks on RSA key added to the function wc_CheckRsaKey
* Updates for EBSNET support, including fseek, revised macros in settings.h, and realloc support
* MISRA-C updates for SP math code
* Update to allow compiling for pwdbased/PBKDF2 with having NO_ASN defined
* Modify KeyShare and PreSharedKey TLS 1.3 extension linked list advancement to be easier for compilers to handle
* Optimization to parsing certificate extension name strings
* Adjustment to example server -x runtime behavior when encountering an unrecoverable error case
* Remove Blake2b support from HMAC
* Adds new hash wrapper init wc_HashInit_ex and Adds new PBKDF2 API wc_PBKDF2_ex for using heap hints for custom memory pools
* Adding script to cleanup generated test files, scripts/cleanup_testfiles.sh
* Support 20-byte serial numbers and disallow 0
* sp_div improved to handle when a has less digits than d (--enable-sp-math build)
* When decoding a policy OID and turning it into a human readable string use snprintf()
* set the IV length of EVP AES GCM to 96-bits by default
* Allow adding CAs for root CA's over the wire that do not have the extended key usage cert_sign set
* Added logging messages for SendAlert call and update to send alert after verify certificate callback
* updates for synchronous OCTEON support in the Sniffer
* Rework BER to DER functions to not be recursive
* Updates to find CRL by AuthKeyId
* Add a check for subject name hash after matching AKID
* Enhancement to mp_invmod/fp_exptmod/sp_exptmod to handle more inputs
* Remove requirement for macro NO_SKID when CRL use is enabled
* Improvements on XFTELL return code and MAX_WOLFSSL_FILE_SIZE checking
* When checking if value is prime return NO in the case of the value 1
* Additional sanity checks on arrays and buffers with OCSP
##### This release of wolfSSL includes a fix for 6 security vulnerabilities.
A fix for having an additional sanity check when parsing certificate domain names was added. This fix checks that the domain name location index is not past the maximum value before setting it. The reported issue affects users that are parsing certificates and have --enable-opensslextra (macro OPENSSL_EXTRA), or build options that turn this on such as --enable-all, when building wolfSSL. The CVE associated with the fix is CVE-2019-18840.
Fix to set a limit on the maximum size of DTLS handshake messages. By default the RFC allows for handshake message sizes of up to 2^24-1 bytes long but in typical field use cases the handshake messages are not this large. Setting a maximum size limit on the handshake message helps avoid a potential DoS attack due to memory being malloc’d. The new default max size is set to handle a certificate chain length of approximately 9, 2048 bit RSA certificates. This only effects builds that have DTLS turned on and have applications that are using DTLS.
Fix for a potential hang when ECC caching is enabled (off by default) and --enable-fastmath is used. ECC caching is off by default and is turned on in builds that are using --enable-all or --enable-fpecc. This issue does not affect builds that are using the macro WOLFSSL_VALIDATE_ECC_IMPORT which turns on validating all ECC keys that are imported. To fix this potential hang case a sanity check on the input values to the internal invmod function was added.
To fix a potential fault injection attack on a wrapper function for wolfCrypt RSA signature generations an additional sanity check verifying the signature after it’s creation was added. This check is already done automatically in current versions of wolfSSL with TLS connections (internal function call of VerifyRsaSign during TLS state machine). The report only affects users making calls to the wolfCrypt function wc_SignatureGenerateHash and does not affect current TLS use cases. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
Blinding was added for DSA signing operations. The DSA signing uses the BEEA algorithm during modular inversion of the nonce which can potentially leak the nonce through side channels such as cache and power fluctuations. The fix of adding in blinding makes the DSA signing operation more resistant to side channel attacks. Users who have turned on DSA (disabled by default) and are performing signing operations should update. Note that DSA is not used in any TLS connections. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
Fix to add additional side channel cache attack resistance to the internal ECC function wc_ecc_mulmod_ex. This function by default is used with ECDSA signing operations. Users should update if performing ECDSA singing operations (server side ECC TLS connections, mutual authentication on client side) or calling wolfCrypt ECC sign functions and have the potential for outside users to perform sophisticated monitoring of the cache.Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
For additional vulnerability information visit the vulnerability page at https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
# wolfSSL Release 4.2.0 (10/22/2019)
If you have questions about this release, then feel free to contact us on our info@ address.
Release 4.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
##### New Feature Additions
* Over 198 OpenSSL compatibility API’s added
* Apache port added for compiling with wolfSSL using --enable-apachehttpd
* Port for using wolfSSL with OpenVSwitch
* Port for Renesas TSIP added
* Visual Studio Solution for Azure Sphere Devices (MT3620 and MT3620-mini) added to the directory IDE/VS-AZURE-SPHERE
* Addition of Coldfire MCF5441X NetBurner example to the directory IDE/M68K/
* Added support for prime checking to SP math build
* Addition of DYNAMIC_TYPE_BIGINT type for tracking mp_int allocations
* Addition of wc_ecc_get_curve_params API for getting ecc_set_type params for a curve
* Adding in TLS_SHA256_SHA256 and TLS_SHA384_SHA384 TLS1.3 cipher suites (null ciphers)
* Added in PKCS7 decryption callbacks for CMS operations
* Added handling for optional ECC parameters with PKCS7 KARI
* Addition to configure.ac for FIPS wolfRand builds
* Adding the flag WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY for ignoring certificate date checks with the functions wolfSSL_CTX_load_verify_buffer_ex and wolfSSL_CTX_load_verify_locations_ex
* Support for PKCS8 keys added to the function wolfSSL_CTX_use_PrivateKey_buffer
* Support for KECCAK hashing. Build with macro WOLFSSL_HASH_FLAGS and call wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256) before the first SHA3 update
* Addition of setting secure renegotiation at CTX level
* Addition of KDS (NXP Kinetis Design Studio) example project to directory IDE/KDS/
* Support for Encrypt-Then-MAC to TLS 1.2 and below
* Added a new build option for a TITAN session cache that can hold just over 2 million session entries (--enable-titancache)
* Synchronous Quick Assist Support for Sniffer
* Added Support for SiFive HiFive Unleashed board
* Support for Google WebRTC added in to compatibility layer build
* Additional Sniffer features; IPv6 sniffer support, Fragment chain input, Data store callback, Various statistics tweaks and other Sniffer fixes
##### Fixes
* Addition of internal content digest checks for PKCS7 SignedData message types that also have signed attributes present. Users could previously check the content digest against the messageDigest attribute, but this adds a default internal check. It’s advised that if users are not doing their own checks that they update wolfSSL version.
* A fix for BIO and base64 encoding/decoding
* A fix for memory management of CTX / WOLFSSL_METHOD pointer with staticmemory build
* A fix for detection of AES-NI support to read bit 25 from ECX
* A fix a DTLS handshake message retransmit bug corner case
* Additional fixes to coding style and uninitialized values using cppcheck tool
* Fixes for failing IAR builds, thanks to Joseph C. for the report
* Fixes for ARMv8 Poly1305 inline assembly code to compile with clang 3.5
* Fixes for esp-idf build warnings
* A fix for XSNPRINTF with mingw32 builds
* Fixes for strncpy warnings when compiling with newer versions of GCC
* A fix for using IV of all 0’s as default case with AES-NI when no IV passed in
* Fixes for types with 16 bit systems, thanks to Ralf Schlatterbeck
* Fixes for build with devcrypto/afalg and aesccm, thanks to GitHub user cotequeiroz for the report
* Fixes for addressing handling of pathLen constraint when parsing certificate chains
* A DTLS fix for alert packet injection at end of handshake
* Fixes for Poly1305 AArch64 assembly code
* A fix for memory management in error cases when adding a CA, this resolves a coverity report
* A fix for SP math for precomputation tables to not include infinity field
* Fixes for checks on defines with AVX2 and Poly1305 build
* Fixes for CubeMX HAL v1.15 with STM32F7
* A fix for TLS 1.3 to always send Key Share extension
* A fix for a potential buffer over read in TLS 1.3 DoTls13SupportedVersions, thanks to Artem for the report
##### Improvements/Optimizations
* Optimization to SP math, changing variables to const where possible. Thanks to Yair Poleg (yair.poleg@ayyeka.com) of Ayyeka for proposing static declaration of global constant variables in SP code
* Additional fuzz testing and fixes for TLS 1.3 use, including additional TLS 1.3 alert messages (PR#2440 for more information)
* Additional sanity check that ciphersuite from client hello is used in server hello response (check can be removed with the macro WOLFSSL_NO_STRICT_CIPHER_SUITE)
* Improved MMCAU performance: SHA-1 by 35%, SHA-256 by 20% and MD5 by 78%
* By default, disallow SHA-2 cipher suites from being used in TLS 1.0 and 1.1 handshakes (can be ignored with macro WOLFSSL_OLDTLS_SHA2_CIPHERSUITES)
* Optimization of export session buffer size with enable option --enable-sessionexport=nopeer
* Spelling fixes in comments and some cast warnings resolved
* Updates to abstract atoi to XATOI when used, this allows for better portability when making calls to the system function atoi for converting strings to integers
* Improvements to the STSAFE-A100 error code handling, providing better debug information
* Adding a sanity check on TLS 1.3 ticket encrypt callback
* Specialized implementations of mod exp when base is 2
##### This release of wolfSSL includes a fix for 5 security vulnerabilities.
Fix for sanity check on reading TLS 1.3 pre-shared key extension. This fixes a potential for an invalid read when TLS 1.3 and pre-shared keys is enabled. Users without TLS 1.3 enabled are unaffected. Users with TLS 1.3 enabled and HAVE_SESSION_TICKET defined or NO_PSK not defined should update wolfSSL versions. Thanks to Robert Hoerr for the report.
Fix for potential program hang when ocspstapling2 is enabled. This is a moderate level fix that affects users who have ocspstapling2 enabled(off by default) and are on the server side. In parsing a CSR2 (Certificate Status Request v2 ) on the server side, there was the potential for a malformed extension to cause a program hang. Thanks to Robert Hoerr for the report.
Two moderate level fixes involving an ASN.1 over read by one byte. CVE-2019-15651 is for a fix that is due to a potential one byte over read when decoding certificate extensions. CVE-2019-16748 is for a fix on a potential one byte overread with checking certificate signatures. This affects builds that do certificate parsing and do not have the macro NO_SKID defined.Thanks to Yan Jia and the researcher team from Institute of Software, Chinese Academy of Sciences for the report.
High level fix for DSA operations involving an attack on recovering DSA private keys. This fix affects users that have DSA enabled and are performing DSA operations (off by default). All users that have DSA enabled and are using DSA keys are advised to regenerate DSA keys and update wolfSSL version. ECDSA is NOT affected by this and TLS code is NOT affected by this issue. Thanks to Ján Jančár for the report.
For additional vulnerability information visit the vulnerability page at https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
# wolfSSL Release 4.1.0 (07/22/2019)
Release 4.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
* A fix for the check on return value when verifying PKCS7 bundle signatures, all users with applications using the function wc_PKCS7_VerifySignedData should update
* Adding the function wc_PKCS7_GetSignerSID for PKCS7 firmware bundles as a getter function for the signers SID
* PKCS7 callback functions for unwrapping of CEK and for decryption
* Adding the error value PKCS7_SIGNEEDS_CHECK when no certificates are available in a PKCS7 bundle to verify the signature
* TLS 1.3 fixes including if major version is TLS Draft then it is now ignored and if version negotiation occurs but none were matched then an alert is now sent
* Addition of the WOLFSSL_PSK_ONE_ID macro for indicating that only one identity in TLS 1.3 PSK is available and will be cached
* Adding sanity checks on length of PSK identity from a TLS 1.3 pre-shared key extension
* Additional sanity checks and alert messages added for TLS 1.3
* Adding XTIME_MS macro to simplify the tls13.c time requirement
* Improvements and refactoring of code related to parsing and creating TLS 1.3 client hello packets
* TLS 1.3 version renegotiation now happens before interpreting ClientHello message
* Chacha20 algorithm optimizations on the ARM architecture for performance increase
* Poly1305 algorithm performance enhancements for the ARM architecture using the SIMD NEON extension
* Curve25519 and Ed25519 optimized for ARM architecture for performance increase
* SHA-512/384 optimizations for performance with ARM architecture using the SIMD NEON extension
* Sniffer updates including adding support for the null cipher and static ECDH key exchange and new SSLWatchCb callback
* Cipher suite TLS_RSA_WITH_NULL_MD5 for use with the sniffer (off by default)
* Sniffer statistic print outs with the macro WOLFSSL_SNIFFER_STATS defined
* A fix for wolfSSL_DH_generate_key when WOLFSSL_SMALL_STACK is defined
* wolfSSL_BN_Init implementation for opensslextra builds
* Updates to the function wolfSSL_i2d_RSAPrivateKey and additional automated tests
* Fixes for EVP_CipherFinal edge cases to match behavior desired
* Check for appropriate private vs public flag with ECC key decode in wolfSSL_EC_KEY_LoadDer_ex, thanks to Eric Miller for the report
* Implementation of the function wolfSSL_PEM_write_DHparams
* wolfSSL_RAND_seed is called in wolfSSL_Init now when opensslextra is enabled
* CryptoCell-310 support on nRF52840 added
* Fixes for atmel_ecc_create_pms to free the used slot.
* Fixes for building ATECC with ATCAPRINTF or WOLFSSL_PUBLIC_MP
* Cortex-M code changes to support IAR compiler
* Improvements to STM32 AES-GCM performance
* Fixes for 16-bit systems including PK callbacks, ATECC and LowResTimer function ptoto.
* IAR-EWARM compiler warning fix
* Clean up of user_settings for CS+ port
* Updating Renesas example projects to the latest version
* Micrium updates adjusting STATIC macro name and added inline flag
* Fixes for building with WOLFSSL_CUSTOM_CURVES on Windows
* Updates and refactor to the default build settings with Arduino
* Fixes for visibility tags with Cygwin build
* STSAFE Improvements to support wolfSSL Crypto Callbacks
* Improvements to NetBSD builds and mutex use in test case
* Updating TI hardware offload with WOLFSSL_TI_CRYPT build
* Maintaining Xilinx FreeRTOS port by adjusting time.h include in wolfSSL
* SiFive HiFive E31 RISC‐V core family port
* Port for Telit IoT AppZone SDK
* OCSP Response signed by issuer with identical SKID fix
* Fix for sending revoked certificate with OCSP
* Honor the status sent over connection with peers and do not perform an internal OCSP lookup
* Adding the build flag `--enable-ecccustcurves=all` to enable all curve types
* Support add for Ed25519ctx and Ed25519ph sign/verify algorithms as per RFC 8032
* Addition of the macro WOLFSSL_NO_SIGALG to disable signature algorithms extension
* wc_AesCtrEncrypt in place addition, where input and output buffer can be the same buffer
* Single shot API added for SHA3; wc_Sha3_224Hash, wc_Sha3_256Hash, wc_Sha3_384Hash, wc_Sha3_512Hash
* Function additions for JSSE support some of which are wolfSSL_get_ciphers_iana and wolfSSL_X509_verify along with expansion of the --enable-jni option
* Macro guards for more modular SHA3 build (i.e. support for 384 size only)
* Benchmarking -thread <num> argument support for asynchronous crypto
* Blake2s support (--enable-blake2s), which provides 32-bit Blake2 support
* Macro SHA256_MANY_REGISTERS addition to potentially speed up SHA256 depending on architecture
* Additional TLS alert messages sent with the macro WOLFSSL_EXTRA_ALERTS defined
* Feature to fail resumption of a session if the session’s cipher suite is not in the client’s list, this can be overridden by defining the macro NO_RESUME_SUITE_CHECK
* Fallback SCSV (Signaling Cipher Suite Value) support on Server only (--enable-fallback-scsv)
* DTLS export state only (wolfSSL_dtls_export_state_only) which is a subset of the information exported from previous DTLS export function
* Function wc_DhCheckPubValue added to perform simple validity checks on DH keys
* Support for RSA SHA-224 signatures with TLS added
* Additional option “-print” to the benchmark app for printing out a brief summary after benchmarks are complete
* Adding (--disable-pkcs12) option and improvements for disabled sections in pwdbased.c, asn.c, rsa.c, pkcs12.c and wc_encrypt
* Added DES3 support to the wolfSSL crypto callbacks
* Compile time fixes for build case with SP math and RSA only
* Fixes for Coverity static analysis report including explicit initialization of reported stack variables some additional Coverity fixes added thanks to Martin
* Fixes for scan build warnings (i.e possible null dereference in ecc.c)
* Resetting verify send value with a call to wolfSSL_clear function
* Fix for extern with sp_ModExp_2048 when building with --cpp option
* Fix for typo issue with --enable-sp=cortexm
* Adding #pragma warning disable 4127 for tfm.c when building with Visual Studio
* Improvements to the maximum ECC signature calculations
* Improvements to TLS write handling in error cases which helps user application not go through with a wolfSSL_write attempt after a wolfSSL_read failure
* Fix for read directory functions with Windows (wc_ReadDirFirst and wc_ReadDirNext)
* Sanity check on index before accessing domain component buffer in call to wolfSSL_X509_NAME_get_entry
* Sending fatal alert from client side on version error
* Fix for static RSA cipher suite with PK callback and no loaded private key
* Fix for potential memory leak in error case with the function wc_DsaKeyToDer, thanks to Chris H. for the report
* Adjusting STRING_USER macro to remove includes of standard lib <string.h> or <stdio.h>
* Bug fix for checking wrong allocation assignment in the function wc_PBKDF2 and handling potential leak on allocation failure. This case is only hit when the specific call to malloc fails in the function wc_PBKDF2. Thanks to Robert Altnoeder (Linbit) for the report
* Improved length checks when parsing ASN.1 certificates
* extern "C" additions to header files that were missing them
* Improved checking of return values with TLS extension functions and error codes
* Removing redundant calls to the generate function when instantiating and reseeding DRBG
* Refactoring and improvements to autoconf code with consolidating AM_CONDITIONAL statements
* Improvements for handling error return codes when reading input from transport layer
* Improvements to efficiency of SNI extension parsing and error checking with ALPN parsing
* Macro WOLFSSL_DEBUG_TLS addition for printing out extension data being parsed during a TLS connection
* Adjustment of prime testing with --disable-fastmath builds
This release of wolfSSL includes a fix for 2 security vulnerabilities.
There is a fix for a potential buffer overflow case with the TLSv1.3 PSK extension parsing. This affects users that are enabling TLSv1.3 (--enable-tls13). Thanks to Robert Hoerr for the report. The CVE associated with the report is CVE-2019-11873.
There is a fix for the potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack against previous wolfSSL versions. ECC operations with --enable-sp and --enable-sp-asm are not affected, users with private ECC keys in other builds that are performing ECDSA signing operations should update versions of wolfSSL along with private ECC keys. Thanks to Ján Jančár from Masaryk University for the report.
# wolfSSL Release 4.0.0 (03/20/2019)
Release 4.0.0 of wolfSSL embedded TLS has bug fixes and new features including:
* Support for wolfCrypt FIPS v4.0.0, certificate #3389
* FIPS Ready Initiative
* Compatibility fixes for secure renegotiation with Chrome
* Better size check for TLS record fragment reassembly
* Improvements to non-blocking and handshake message retry support for DTLS
* Improvements to OCSP with ECDSA signers
* Added TLS server side secure renegotiation
* Added TLS Trusted CA extension
* Add support for the Deos Safety Critical RTOS
* OCSP fixes for memory management and initializations
* Fixes for EVP Cipher decryption padding checks
* Removal of null terminators on `wolfSSL_X509_print` substrings
*`wolfSSL_sk_ASN1_OBJCET_pop` function renamed to `wolfSSL_sk_ASN1_OBJECT_pop`
* Adjustment to include path in compatibility layer for evp.h and objects.h
* Fixes for decoding BER encoded PKCS7 contents
* TLS handshake now supports using PKCS #11 for private keys
* PKCS #11 support of HMAC, AES-CBC and random seeding/generation
* Support for named FFDHE parameters in TLS 1.2 (RFC 7919)
* Port to Zephyr Project
* Move the TLS PRF to wolfCrypt.
* Update to CMS KARI support
* Added ESP32 WROOM support
* Fixes and additions to the OpenSSL compatibility layer
* Added WICED Studio Support
* MDK CMSIS RTOS v2
* Xcode project file update
* Fixes for ATECC508A/ATECC608A
* Fixes issue with CA path length for self signed root CA's
* Fixes for Single Precision (SP) ASM when building sources directly
* Fixes for STM32 AES GCM
* Fixes for ECC sign with hardware to ensure the input is truncated
* Fixes for proper detection of PKCS7 buffer overflow case
* Fixes to handle degenerate PKCS 7 with BER encoding
* Fixes for TLS v1.3 handling of 6144 and 8192 bit keys
* Fixes for possible build issues with SafeRTOS
* Added `ECC_PUBLICKEY_TYPE` to the support PEM header types
* Added strict checking of the ECDSA signature DER encoding length
* Added ECDSA option to limit sig/algos in client_hello to key size with
`USE_ECDSA_KEYSZ_HASH_ALGO`
* Added Cortex-M support for Single Precision (SP) math
* Added wolfCrypt RSA non-blocking time support
* Added 16-bit compiler support using --enable-16bit option
* Improved Arduino sketch example
* Improved crypto callback features
* Improved TLS benchmark tool
* Added new wrapper for snprintf for use with certain Visual Studio builds,
thanks to David Parnell (Cambridge Consultants)
This release of wolfSSL includes a fix for 1 security vulnerability.
* Fixed a bug in tls_bench.c example test application unrelated to the crypto
or TLS portions of the library. (CVE-2019-6439)
# wolfSSL Release 3.15.7 (12/26/2018)
Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:
* Support for Espressif ESP-IDF development framework
* Fix for XCode build with iPhone simulator on i386
* PKCS7 support for generating and verify bundles using a detached signature
* Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
* Updates to sniffer for showing session information and handling split messages across records
* Port update for Micrium uC/OS-III
* Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
* Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
* Updates for Doxygen documentation, including PKCS #11 API and more
* Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
* Adding Intel QuickAssist RSA key generation and SHA-3 support
* RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
* Enhancements to test cases for increased code coverage
* Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
* Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
* Maximum ticket nonce size was increased to 8
* Updating --enable-armasm build for ease of use with autotools
* Updates to internal code checking TLS 1.3 version with a connection
* Removing unnecessary extended master secret from ServerHello if using TLS 1.3
* Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped
This release of wolfSSL includes a fix for 1 security vulnerability.
Medium level fix for potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Also users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.
The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
# wolfSSL Release 3.15.5 (11/07/2018)
Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:
* Fixes for GCC-8 warnings with strings
* Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
* Fixes for OCSP use with NGINX port
* Renamed the macro INLINE to WC_INLINE for inline functions
* Doxygen updates and formatting for documentation generation
* Added support for the STM32L4 with AES/SHA hardware acceleration
* Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
* Added public key callbacks to ConfirmSignature function to expand public key callback support
* Added ECC and Curve25519 key generation callback support
* Fix for memory management with wolfSSL_BN_hex2bn function
* Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free
* Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
* OCSP stapling in TLS 1.3 additions
* Port for ASIO added with --enable-asio configure flag
* Contiki port added with macro WOLFSSL_CONTIKI
* Memory free optimizations with adding in earlier free’s where possible
* Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
* Certificate validation time generation updated
* Fixes for MQX classic 4.0 with IAR-EWARM
* Fix for assembly optimized version of Curve25519
* Make SOCKET_PEER_CLOSED_E consistent between read and write cases
* Relocate compatibility layer functions for OpenSSH port update
* Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
* Updates to Nucleus version supported
* Stack size reduction with smallstack build
* Updates to Rowley-Crossworks settings for CMSIS 4
* Added reference STSAFE-A100 public key callbacks for TLS support
* Added reference ATECC508A/ATECC608A public key callbacks for TLS support
* Updated support for latest CryptoAuthLib (10/25/2018)
* Added a wolfSSL static library project for Atollic TrueSTUDIO
* Flag to disable AES-CBC and have only AEAD cipher suites with TLS
* AF_ALG and cryptodev-linux crypto support added
* Update to IO callbacks with use of WOLFSSL_BIO
* Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
* Added wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
* Updates to XCODE build with wolfSSL
* Fix for guard on when to include sys/time.h header
ARM® TrustZone® CryptoCell 310 is a security subsystem which provides root of trust (RoT) and cryptographic services for a device.
You can enable the wolfSSL support for ARM CryptoCell using the `#define WOLFSSL_CRYPTOCELL`, The CryptoCell APIs are distributed as part of the Nordic nRF5 SDKs [here](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v15.0.0%2Fgroup__cryptocell__api.html) .
## Prerequisites
1. Follow the Nordic website [here](https://www.nordicsemi.com/Software-and-Tools/Software/nRF5-SDK) to download the Nordic nRF5-SDK and software tools.
2. Install the SEGGER Embedded Studio IDE.
3. Run a simple blinky application on your Nordic nRF52840 (PCA10056) development board to confirm that your board functions as expected and the communication between your computer and the board works.
## Usage
You can start with a wolfcrypt SEGGER embedded studio (ses) example project to integrate the wolfSSL source code.
wolfSSL supports a compile-time user configurable options in the `IDE/CRYPTOCELL/user_settings.h` file.
The `IDE/CRYPTOCELL/main.c` example application provides a function to run the selected examples at compile time through the following two #defines in user_settings.h. You can define these macro options to disable the test run.
```
- #undef NO_CRYPT_TEST
- #undef NO_CRYPT_BENCHMARK
```
## Supported features
- SHA-256
- AES CBC
- CryptoCell 310 RNG
- RSA sign/verify and RSA key gen (2048 bit in PKCSv1.5 padding mode)
- RSA encrypt/decrypt
- ECC sign/verify/shared secret
- ECC key import/export and key gen pairs
- Hardware RNG
- RTC for benchmark timing source
Note: All Cryptocell features are not supported. The wolfcrypt RSA API allows import and export of Private/Public keys in DER format. However, this is not possible with key pairs generated with Cryptocell because the importing/exporting Cryptocell keys has not been implemented yet.
## Setup
### Setting up Nordic SDK with wolfSSL
1. Download the wolfSSL source code or a zip file from GitHub and place it under your SDK `InstallFolder/external/` directory. You can also copy or simlink to the source.
Or, assuming you have already cloned the wolfSSL source code under ~/wolfssl.
$cd ~/nRF5_SDK_15.2.0_9412b96/external
$ln -s ~/wolfssl wolfssl
```
2. Copy the example project from [here](https://github.com/tmael/nRF5_SDK/tree/master/examples/crypto/nrf_cc310/wolfcrypt) into your `nRF5_SDK_15.2.0_9412b96/examples/crypto/nrf_cc310/` directory.
4. In the main menu, go to File >Open Solutions to open the example solution. Browse to the location containing the wolfcrypt code `/examples/crypto/nrf_cc310/wolfcrypt/pca10056/blank/ses/wolfcrypt_pca10056.emProject` and choose Open.
## Building and Running
In the main menu, go to Build > Rebuild your project, then load and run your image on your nRF52840 target platform. Review the test results on the console output.
### `wolfcrypt_test()`
wolfcrypt_test() prints a message on the target console similar to the following output:
```
wolfCrypt Test Started
error test passed!
base64 test passed!
asn test passed!
SHA test passed!
SHA-256 test passed!
Hash test passed!
HMAC-SHA test passed!
HMAC-SHA256 test passed!
AES test passed!
RANDOM test passed!
RSA test passed!
ECC test passed!
ECC buffer test passed!
logging test passed!
mutex test passed!
wolfCrypt Test Completed
```
### `benchmark_test()`
benchmark_test() prints a message on the target console similar to the following output.
You can enable the wolfSSL support for Deos RTOS available [here](https://www.ddci.com/products_deos_do_178c_arinc_653/) using the `#define WOLFSSL_DEOS`.
Deos is a time & space partitioned, multi-core enabled, DO-178C DAL A certifiable RTOS.
## Usage
You can start with your OpenArbor IDE-based example project for Deos with the network stack (lwip) to integrate wolfSSL source code.
wolfSSL supports a compile-time user configurable options in the `IDE/ECLIPSE/DEOS/user_settings.h` file.
The `tls_wolfssl.c` example application provides a simple function to run the selected examples at compile time through the following four #defines in user_settings.h. You can undefine any of these macro options to run a test.
```
1. #undef NO_CRYPT_TEST
2. #undef NO_CRYPT_BENCHMARK
3. #undef NO_WOLFSSL_CLIENT
4. #undef NO_WOLFSSL_SERVER
```
Do one of the following steps for building and running wolfSSL with the Deos kernel examples, which are included in the DDS release:
If you want to create a project from scratch, skip the Importing the project section and follow the steps in the other sections.
If you want to use an pre-configured example project, go to the Importing the project section, skip the other sections and follow the Building and Running section.
#### Importing the project
In this section you will import a pre-configured example project.
1. Launch the OpenArbor IDE as an administrator
2. In the Workspace Launcher dialog, in the Workspace field, enter your
workspace
3. Right-click in the Project Explorer view and select Import
4. In the Import dialog, select General > Existing Projects into Workspace, then click Next.
5. In the Import Projects dialog, select Select archive file, then browse to `IDE/ECLIPSE/DEOS/` and double-click `deosWolfssl.zip` file
6. In the Import Projects dialog, click Finish
#### Setting up a Deos project with wolfSSL
1. Download the wolfSSL source code or a zip file from GitHub. You can remove all of the files except for these folders and its contents. The top folder for this example is wolfsslPort.
```
wolfsslPort
|-- IDE
| -- ECLIPSE
| -- DEOS
|-- src
|-- wolfcrypt
| -- benchmark
| -- src
| -- test
|-- wolfssl
|-- openssl
|-- wolfcrypt
|-- port
```
2. Remove these two platform specific assembly source files:
- wolfsslPort/wolfcrypt/src/aes_asm.asm
- wolfsslPort/wolfcrypt/src/aes_asm.S
3. Launch the OpenArbor IDE as an administrator
4. Create a DDC-I Deos example project. In the main menu, go to File >DDC-I Deos example project > socket > udp-vs-tcp
5. Import the `wolfSSLPort` source code into your project.
- Right-click the ` udp-vs-tcp` project and choose File -> Import.
- Expand the General folder and select File System, then click Next. You should now see the Import File system dialog.
- Browse to the location containing the wolfSSL code and choose OK. Select the `wolfsslPort` folder and check the `Create top-level folder` button, then select Finish. You should see the folder hierarchy the same as wolfSSL folder structures.
6. Review the configuration in $(PROJECT_DIR)/wolfsslPort/IDE/ECLIPSE/DEOS/user_setting.h
7. Review the custom malloc/realloc/free configuration $(PROJECT_DIR)/wolfsslPort/IDE/ECLIPSE/DEOS/deos_malloc.c . Memory allocated with malloc() is never freed.
#### Configuring the Deos Project
1. Customize your config/udp-vs-tcp.pd.xml with the following changes:
```
<processTemplate
mutexQuota = "5"
>
<logicalMemoryPools>
pagesNeeded = "500"
></pool>
</logicalMemoryPools>
<threadTemplate
stackSizeInPages = "20"
></threadTemplate>
<mutexTemplates>
<mutexTemplate
name = "protectWolfSSLTemp"
lockTimeInUsec = "40"
priority = "fastest"
></mutexTemplate>
</mutexTemplates>
</processTemplate>
```
Depending on your configuration, wolfSSL uses upto four mutexes. You also need to configure enough memory for the stack of each threads and the process logical memory pool.
2. Right click on the `udp-vs-tcp` project, select properties and add the following macros in the DDC-I Options > C Compile > Preprocessor
- DEOS_ALLOW_OBSOLETE_DEFINITIONS
- WOLFSSL_USER_SETTINGS
3. Add the following directory paths in the DDC-I Options > C Compile > Directories and in the DDC-I Options > C++ Compile > Directories
- $(PROJECT_DIR)/wolfsslPort
- $(PROJECT_DIR)/wolfsslPort/wolfssl
- $(PROJECT_DIR)/wolfsslPort/IDE/ECLIPSE/DEOS
- $(PROJECT_DIR.printx)/code
4. Change the optimization level in the DDC-I Options > C Compile > Code Generation > Optimization level:g
- g
5. Add the following library dependencies in the DDC-I Options > Deos > Dependencies
- math
- dart
- ansi
- printx
- You must add printx into your workspace, File >DDC-I Deos example project > training > printx
6. Edit $(PROJECT_DIR)/wolfsslPort/IDE/ECLIPSE/DEOS/user_setting.h to customize your configuration. For example, you can undef or define these tests.
-#undef NO_CRYPT_TEST
-#undef NO_CRYPT_BENCHMARK
-#undef NO_WOLFSSL_CLIENT
-#undef NO_WOLFSSL_SERVER
7. Edit your application source file where main() thread is defined and add the following:
You can modify the `TCP_SERVER_IP_ADDR` and `TCP_SERVER_PORT` macros in the `tls_wolfssl.c` file to configure the host address and port. You will also need to define the server certificate. The example client uses the GET request to get a web resource from the server at https://google.com.
### `wolfssl_server_test()`
You can modify the `TLS_SERVER_PORT` in the `tls_wolfssl.c` file to configure the port number to listen on a local-host.
Once you start the TLS server and `Listening for client connection` displays on the serial console, the server is ready to accept client connections.
You can connect to the server using the wolfssl TLS client example from your Linux or Windows host as follows:
You can enable the wolfSSL support for Micrium μC/OS-III RTOS available [here](http://www.micriums.com/) using the define `MICRIUM`.
## Usage
You can start with your IDE-based example project for Micrium uC/OS-III and uC/TCPIP stack. You must include the uC-Clk module into your project because wolfSSL uses Micrium’s Clk_GetTS_Unix () function from <clk.h> in order to authenticate the start and end dates of certificates.
wolfSSL supports a compile-time user configurable options in the `IDE/ECLIPSE/MICRIUM/user_settings.h` file.
The `wolfsslRunTests.c` example application provides a simple function to run the selected examples at compile time through the following four #defines in user_settings.h.
```
1. #define WOLFSSL_WOLFCRYPT_TEST
2. #define WOLFSSL_BENCHMARK_TEST
3. #define WOLFSSL_CLIENT_TEST
4. #define WOLFSSL_SERVER_TEST
You can define one or all of the above options.
```
1. Open your IDE-based example project for Micrium uC/OS-III (with the uC-Clk module) and uC/TCPIP stack.
2. Create the following folder and sub-folders structures in your project.
```
wolfssl
|src
|wolfcrypt
|benchmark
|src
|test
|wolfssl
|openssl
|wolfcrypt
|exampleTLS
```
The folder hierarchy is the same as the wolfSSL folders with an exception of the exampleTLS folder.
3. Right click on the exampleTLS folder, add or link all of the header and source files in `IDE/ECLIPSE/MICRIUM/` folder into the exampleTLS folder.
4. Right click on each folders, add or link all the source code in the corresponding folder in wolfSSL.
5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
6. In your C/C++ compiler preprocessor settings, add the wolfSSL directories to your include paths.
Here's an example of the paths that must be added.
```
$PROJ_DIR$\...
$PROJ_DIR$\...\wolfcrypt
$PROJ_DIR$\...\wolfssl
$PROJ_DIR$\...\IDE\ECLIPSE\MICRIUM
```
7. In your C/C++ compiler preprocessor settings, define the WOLFSSL_USER_SETTINGS symbol to add user_settings.h file in your project.
8. Add a call to `wolfsslRunTests()` from your startup task. Here's an example:
10. Now you are ready to download and debug your image on the board.
The test results below were collected from the NXP Kinetis K70 (Freescale TWR-K70F120M MCU) tower system board with the following software and tool chains:
- IAR Embedded Workbench IDE - ARM 8.32.1 (IAR ELF Linker V8.32.1.169/W32 for ARM)
- The starting project is based on an IAR EWARM project from Micrium download center at [micrium_twr-k70f120m-os3/](https://www.micrium.com/download/micrium_twr-k70f120m-os3/) but the K70X_FLASH.icf linker script file was slightly modified to configure the stack and heap sizes to 16KB and 20KB. The test was run on a 1 MBytes of program flash and 128 KBytes of static RAM.
ED 2519 key gen 2 ops took 1.27 sec, avg 66.099ms, 1.572 ops/sec
ED 25519 sign 2 ops took 1.303 sec, ag 65.633 ms, 1.35 op/sec
ED 25519 verify 2 ops took 2.674 sec, avg1337.68 ms 0.748 ops/ec
```
### `WOLFSSL_CLIENT_TEST` wolfssl_client_test()
You can modify the `TCP_SERVER_IP_ADDR` and `TCP_SERVER_PORT` macros at top of the `client_wolfssl.c` file to configure the host address and port. You will also need the server certificate. This example uses TLS 1.2 to connect to a remote host.
### `WOLFSSL_SERVER_TEST` wolfssl_server_test()
You can modify the `TLS_SERVER_PORT` at top of `server_wolfssl.c` to configure the port number to listen on local-host.
Once you start the TLS server and `Listening for client connection` displays on the serial console, the server is ready to accept client connections.
You can connect to the server using the wolfssl TLS client example from your Linux or Windows host as follows:
@ -14,36 +14,92 @@ This example is for Cortex M series, but can be adopted for other architectures.
1. Make sure you have `gcc-arm-none-eabi` installed.
2. Modify the `Makefile.common`:
* Use correct toolchain path `TOOLCHAIN`.
* Use correct architecture 'ARCHFLAGS' (default is cortex-m0 / thumb). See [GCC ARM Options](https://gcc.gnu.org/onlinedocs/gcc-4.7.3/gcc/ARM-Options.html) `-mcpu=name`.
3. Use `make` and it will build the static library and wolfCrypt test/benchmark and wolfSSL TLS client targets as `.elf` and `.hex` in `/Build`.
* Use correct architecture 'ARCHFLAGS'. See [GCC ARM Options](https://gcc.gnu.org/onlinedocs/gcc-4.7.3/gcc/ARM-Options.html) `-mcpu=name`.
* Confirm memory map in linker.ld matches your flash/ram or comment out `SRC_LD = -T./linker.ld` in Makefile.common.
3. Use `make` to build the static library (libwolfssl.a), wolfCrypt test/benchmark and wolfSSL TLS client targets as `.elf` and `.hex` in `/Build`.
### Building for Raspberry Pi
Example `Makefile.common` changes for Rasperry Pi with Cortex-A53:
## Building for Raspberry Pi
1. Change ARCHFLAGS to `ARCHFLAGS = -mcpu=cortex-a53 -mthumb -mabi=aapcs` to specify Cortex-A53.
Example `Makefile.common` changes for Raspberry Pi with Cortex-A53:
1. In Makefile.common change `ARCHFLAGS` to `-mcpu=cortex-a53 -mthumb`.
2. Comment out `SRC_LD`, since custom memory map is not applicable.
3. Clear `TOOLCHAIN`, so it will use default `gcc`. Set `TOOLCHAIN = `
4. Comment out `LDFLAGS += --specs=nano.specs --specs=nosys.specs` to disable newlib-nano.
4. Comment out `LDFLAGS += --specs=nano.specs` and `LDFLAGS += --specs=nosys.specs` to nosys and nano.
Note: To comment out a line in a Makefile use place `#` in front of line.
### Example Build
## Building for FIPS
1. Request evaluation from wolfSSL by emailing fips@wolfss.com.
2. Modify user_settings.h so section for `HAVE_FIPS` is enabled.
3. Use `make`.
4. Run the wolfCrypt test `./Build/WolfCryptTest.elf` to generate the FIPS boundary HASH
These settings are located in `Header/user_settings.h`.
@ -57,11 +113,13 @@ These settings are located in `Header/user_settings.h`.
*`ECC_TIMING_RESISTANT`: Enables timing resistance for ECC and uses slightly less memory.
*`ECC_SHAMIR`: Doubles heap usage, but slightly faster
*`RSA_LOW_MEM`: Half as much memory but twice as slow. Uses Non-CRT method for private key.
AES GCM: `GCM_SMALL`, `GCM_WORD32` or `GCM_TABLE`: Tunes performance and flash/memory usage.
*AES GCM: `GCM_SMALL`, `GCM_WORD32` or `GCM_TABLE`: Tunes performance and flash/memory usage.
*`CURVED25519_SMALL`: Enables small versions of Ed/Curve (FE/GE math).
*`USE_SLOW_SHA`: Enables smaller/slower version of SHA.
*`USE_SLOW_SHA256`: About 2k smaller and about 25% slower
*`USE_SLOW_SHA512`: Over twice as small, but 50% slower
*`USE_CERT_BUFFERS_1024` or `USE_CERT_BUFFERS_2048`: Size of RSA certs / keys to test with.
*`BENCH_EMBEDDED`: Define this if using the wolfCrypt test/benchmark and using a low memory target.
*`ECC_USER_CURVES`: Allows user to defines curve sizes to enable. Default is 256-bit on. To enable others use `HAVE_ECC192`, `HAVE_ECC224`, etc....
*`ECC_USER_CURVES`: Allows user to define curve sizes to enable. Default is 256-bit on. To enable others use `HAVE_ECC192`, `HAVE_ECC224`, etc....
*`TFM_ARM`, `TFM_SSE2`, `TFM_AVR32`, `TFM_PPC32`, `TFM_MIPS`, `TFM_X86` or `TFM_X86_64`: These are assembly optimizations available with USE_FAST_MATH.
* Single Precision Math for ARM: See `WOLFSSL_SP`. Optimized math for ARM performance of specific RSA, DH and ECC algorithms.
This directory is to help with building wolfSSL for use with DSP. It assumes that the Hexagon SDK has been setup on the machine and that the environment variables have been set by calling (source ~/Qualcomm/Hexagon_SDK/3.4.3/setup_sdk_env.source). Currently offloading ECC 256 verify operations to the DSP is supported. When WOLFSSL_DSP is defined ECC verify operations are offloaded to the aDSP by default. When not in SINGLE_THREADED mode a call back function must be set for getting the handle or a handle must be set in the ecc_key structure for the operation to make use of multiple threads when offloading to the DSP. This is because creating new handles for new threads must be done.
## Building
The directory is divided up into a build for the CPU portion in IDE/HEXAGON and a build for use on the DSP located in IDE/HEXAGON/DSP. Each section has their own Makefile. The Makefile default to an Ubuntu + hexagon v65 release build but can be changed by using V=<buildtype>. An example of building both would be:
```
cd IDE/HEXAGON
make V=UbuntuARM_Release_aarch64
cd DSP
make V=hexagon_Release_dynamic_toolv83_v65
```
The results from each build will be placed into the ship directories of each, for example ./UbuntuARM_Release_aarch64/ship/* and ./DSP/hexagon_Release_dynamic_toolv83_v65/ship/*.
The Makefile creates a DSP library libwolfssl_dsp_skel.so, library libwolfssl.so, executable benchmark, example ecc-verify, example ecc-verify-benchmark and executable testwolfcrypt.
These then need pushed to the device in order to run. An example of pushing the results to the device would be:
To change the settings wolfSSL is built with macros can be set in IDE/HEXAGON/user_settings.h. It contains a default setting at this point that was used for collecting benchmark values. The macro necessary to turn on use of the DSP is WOLFSSL_DSP.
The script IDE/HEXAGON/build.sh was added to help speed up building and testing. An example of using the script would be:
```
cd IDE/HEXAGON
./build.sh Release
```
This will delete the previous build and rebuild for Release mode. Then it will try to push the resulting library and some of the executables to the device.
For increased performance uncomment the -O3 flag in IDE/HEXAGON/Makefile and IDE/HEXAGON/DSP/Makefile.
## Use
A default handle is created with the call to wolfCrypt_Init() and is set to use the aDSP. A default mutex is locked for each use of the handle to make the library stable when multiple threads are calling to DSP supported operations.
To use wolfSSL with a user created handle it can be done by calling wc_ecc_set_handle or by setting a callback function using wolfSSL_SetHandleCb(). This should be set in the case of multithreaded applications to account for having a handle for each thread being used.
#### wolfSSL_SetHandleCb
The API wolfSSL_SetHandleCb takes a function pointer of type "int (*wolfSSL_DSP_Handle_cb)(remote_handle64 *handle, int finished void *ctx);". This callback is executed right before the operation is handed off to the DSP (finished set to 0) and right after done with the handle (finished set to 1). With ECC this would be after the ECC verify function has been called but before the information is passed on to the DSP and once again with the finished flag set after the result is returned.
The callback set should return 0 on successfully setting the input handle. The ctx argument is for future custom context to be passed in and is currently not used.
#### Expected Performance
This is the expected results from running ./eccbenchmark using the -O3 flag
benchmarking using default (locks on handle for aDSP)
5000 verifies on 1 threads took 17.481616 seconds
10000 verifies on 2 threads took 35.324308 seconds
benchmarking using software (+NEON if built in)
5000 verifies on 1 threads took 1.398336 seconds
10000 verifies on 2 threads took 1.383992 seconds
benchmarking using threads on aDSP
5000 verifies on 1 threads took 17.616811 seconds
10000 verifies on 2 threads took 19.215413 seconds
15000 verifies on 3 threads took 20.410200 seconds
20000 verifies on 4 threads took 23.261446 seconds
/* Max ECC bits (curve size * 8). ECC521 is (66*8) = 528. */
#undef ALT_ECC_SIZE
#define ALT_ECC_SIZE
#undef FP_MAX_BITS_ECC
#define FP_MAX_BITS_ECC 528
/* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */
/* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
//#undef FP_MAX_BITS_ECC
//#define FP_MAX_BITS_ECC (528 * 2)
/* Enable TFM optimizations for ECC */
#define TFM_ECC192
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
