Commit Graph

2486 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 0dbd0ffb4e Merge pull request #5483 from embhorn/zd14659 2022-08-22 14:28:29 +02:00
Sean Parkinson 26c61f8e0f Merge pull request #5473 from icing/quic-hello-retry
Respect disabled curves on HelloRetryRequests
2022-08-22 08:32:30 +10:00
David Garske 1d0e83bd1a Merge pull request #5474 from julek-wolfssl/zd14644-2
Match OpenSSL self signed error return.
2022-08-19 06:46:26 -07:00
Eric Blankenhorn 3d8562f07b Fixes for build and runtime issues 2022-08-19 08:12:04 -05:00
Stefan Eissing 6cb0caa0a0 Adding disabledCurves as a member of WOLFSSL in the OPENSSL_EXTRA case.
- inheriting from WOLFSSL_CTX on creation
- enabling on WOLFSSL only when wolfSSL_set1_curves_list() is called
2022-08-19 11:03:23 +02:00
Juliusz Sosinowicz 008e947fec Match OpenSSL self signed error return.
OpenSSL compat expects ASN_SELF_SIGNED_E when a self signed cert can't be verified. This is useful when translating the error with GetX509Error into a X509_V_ERR_* error.
2022-08-17 12:40:16 +02:00
Sean Parkinson 7435402c30 Fixes to better handle re-use of a WOLFSSL object via wolfSSL_clear. 2022-08-16 15:44:05 -07:00
David Garske e56a2355ca Merge pull request #5464 from julek-wolfssl/zd14644
Translate the verify callback error to an X509_V_ERR_* value when OPENSSL_COMPATIBLE_DEFAULTS is defined
2022-08-15 06:30:36 -07:00
Juliusz Sosinowicz 551acd2b19 Translate verify callback error with compat layer 2022-08-12 16:27:31 +02:00
Anthony Hu 82a900b438 Initial commit to add Dilithium NIST PQC winner.
Also:

* added HAVE_FALCON guards as needed.
* corrected minor falcon bugs as I found them.
* handling OID sum collision between DILITHIUM_LEVEL5 and DILITHIUM_AES_LEVEL3

Tested with the following commands:

examples/server/server -v 4 -l TLS_AES_256_GCM_SHA384 \
    -c ~/tmp/dilithium_aes_level5_entity_cert.pem \
    -k ~/tmp/dilithium_aes_level5_entity_key.pem \
    -A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5

examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
    -c ~/tmp/dilithium_aes_level5_entity_cert.pem \
    -k ~/tmp/dilithium_aes_level5_entity_key.pem \
    -A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5

with permutations of SHAKE,AES variants and levels 2,3,5
2022-08-11 11:38:31 -04:00
David Garske 5e6c45a6fb Merge pull request #5397 from SparkiDev/cert_rsa_pss
Certs with RSA-PSS sig
2022-08-11 08:19:12 -07:00
Sean Parkinson fb531dacc2 Certs with RSA-PSS sig
Add support for parsing and verifying certificates with RSA-PSS
signatures. Including check PSS parameters in key with those in
signature algorithm.
Add support for parsing private RSA PSS key.
Add support for parsing public RSA PSS key.
2022-08-11 09:43:01 +10:00
Daniel Pouzzner 8197f958a9 address peer review on PR #5449. 2022-08-10 13:33:57 -05:00
Daniel Pouzzner f771181e1a fixes for issues introduced in #5384:
added numerous missing _SMALL_STACK code paths (PK objects on the stack);

in settings.h, enable WOLFSSL_SMALL_STACK_STATIC by default when WOLFSSL_SMALL_STACK is defined (NO_WOLFSSL_SMALL_STACK_STATIC to override);

fixes for unsafe strcat()s in tests/quic.c;

fix for unsafe macro WOLFSSL_IS_QUIC();

fix to exclude quic from enable-all when enable-linuxkm (quic needs opensslextra, and opensslextra currently only works in-kernel in cryptonly builds);

fix for signed/unsigned clash in wolfSSL_quic_receive().
2022-08-10 13:33:56 -05:00
Stefan Eissing 4431438fb2 add QUIC support. 2022-08-08 13:24:00 +02:00
David Garske 7004157869 Merge pull request #5387 from TakayukiMatsuo/tk14445
Suppress build errors when defining some disable macros
2022-08-07 20:09:41 -07:00
TakayukiMatsuo 79fb1783c4 Suppress build errors when defining some disable macros 2022-08-07 17:11:22 +09:00
David Garske 2d2c55f1c1 Merge pull request #5431 from haydenroche5/wolfssl_error
Expand error queue usage with new macro WOLFSSL_ERROR_VERBOSE.
2022-08-05 15:14:44 -07:00
David Garske 96fcc129ec Merge pull request #5213 from JacobBarthelmeh/req
expand functions included in opensslextra and add REQ print out
2022-08-05 13:20:21 -07:00
Hayden Roche 3bf21b5a05 Expand error queue usage with new macro WOLFSSL_ERROR_VERBOSE.
We have users who need to debug errors coming out of libwolfssl in production,
where --enable-debug isn't an option. Our error queue implementation is the
solution, but our usage of WOLFSSL_ERROR isn't consistent. This commit greatly
expands our usage of WOLFSSL_ERROR. There are too many error cases to tackle
all at once, and not all error cases are particularly meaningful or likely to be
hit in regular operation of the library. I've tried to focus on errors that
users are likely to hit, and I've chosen to ignore things like the mountain of
BUFFER_E and BAD_FUNC_ARG cases (for the most part). I've also tried to expand
WOLFSSL_ERROR usage in files where we haven't been using it historically
(e.g. aes.c), so the pattern is now there for other developers to follow. In
order to prevent these additions from exploding the size of libwolfssl, they're
all behind a new macro, WOLFSSL_ERROR_VERBOSE. If WOLFSSL_VERBOSE_ERRORS is
defined, WOLFSSL_ERROR_VERBOSE just maps to WOLFSSL_ERROR.
2022-08-05 10:32:18 -07:00
Sean Parkinson 56be09005f Merge pull request #5427 from julek-wolfssl/dtls-timeout-and-closed-socket
DTLS socket and timeout fixes
2022-08-05 08:13:14 +10:00
JacobBarthelmeh ff512a34c6 adjust temporary buffer size and memory free'ing 2022-08-04 15:11:24 -07:00
David Garske 99dad91344 Merge pull request #5435 from douzzer/20220803-gcc-12-ASAN
20220803-gcc-12-ASAN
2022-08-04 08:41:26 -07:00
Juliusz Sosinowicz 6d4f0146ca Refactor sending alert on decryption failure
Take sending of the alert outside of DecryptTls() and DecryptTls13(). The alert is now sent in ProcessReplyEx().
2022-08-04 12:06:26 +02:00
Juliusz Sosinowicz 3278210e1c Silently discard DTLS msgs that fail decryption
Don't send alerts when decryption fails inside a DTLS connection.
TLS should always send a bad_record_mac when decryption fails.
2022-08-04 11:27:45 +02:00
Juliusz Sosinowicz fd1e8c49eb Reset timeout when reading a valid DTLS message
- Increment the DTLS 1.3 timeout on a long timeout
2022-08-04 11:27:45 +02:00
Sean Parkinson e32cfb79e5 Merge pull request #5419 from dgarske/aurix
Support for Infineon AURIX IDE and minor compiler warnings.
2022-08-04 08:01:57 +10:00
Daniel Pouzzner a7f0c92c0d src/internal.c: in GetCipherKeaStr(), when gcc-12 or higher and __SANITIZE_ADDRESS__, wrap in a pragma to ignore -Wstringop-overread, due to false positives. 2022-08-03 12:30:29 -05:00
David Garske 4937557ddc Merge pull request #5422 from julek-wolfssl/dtls-async-fix
Fix dtls + async multi-test misc errors
2022-08-03 07:24:58 -07:00
David Garske 53e0483e47 Support for Infineon AURIX IDE. Fixes for Aurix compiler warnings. 2022-08-02 16:53:47 -07:00
Jacob Barthelmeh 52b80ea52a expand functions included in opensslextra and add REQ print out 2022-08-01 09:21:43 -07:00
Marco Oliverio 8878922f95 fix: dtls13: use correct buffer index to get epoch bits
Fixes: d079662765
2022-08-01 14:24:20 +02:00
Juliusz Sosinowicz fb2feee9b6 Fix dtls + async multi-test misc errors
DTLS uses DtlsMsgStore() to process messages when using async crypto. A check was skipping the storing straight to DtlsMsgDrain().
2022-07-29 15:49:49 +02:00
Daniel Pouzzner 9256d6aa7c src/internal.c: fixes for redundant assignments and preprocessor typo. 2022-07-27 14:42:00 -05:00
Sean Parkinson 01aad13c38 Rework 2022-07-27 12:02:15 +10:00
David Garske 9c480ece66 Fix to use the new outTmp. 2022-07-26 15:48:58 -07:00
Marco Oliverio 856ea2ffc8 internal.c: RsaDec improvements 2022-07-26 20:59:01 +02:00
Marco Oliverio 1727efbc2c internal.c: rsa decription buffer handling 2022-07-26 20:59:01 +02:00
David Garske a98642ba61 Merge pull request #5383 from julek-wolfssl/negating-ciphersuites
Expand SetCipherList()
2022-07-25 08:26:47 -07:00
Juliusz Sosinowicz e7cd1562b4 Expand SetCipherList()
- support disabling ciphersuites starting from the default list
2022-07-25 11:14:16 +02:00
Sean Parkinson dc8b796d1d Merge pull request #5347 from dgarske/async_sess_tick
Support for asynchronous session ticket callback
2022-07-22 08:04:48 +10:00
Marco Oliverio 53dde1dafe dtls12: async: store the message only if async is really used 2022-07-21 12:00:18 -07:00
Marco Oliverio dce63fdfb3 async: fix issue with DTLSv1.3 2022-07-21 12:00:16 -07:00
JacobBarthelmeh 1281d97b1e Merge pull request #5373 from haydenroche5/error_queue_fix
Fix backwards behavior for various wolfSSL_ERR* functions.
2022-07-21 09:35:21 -06:00
David Garske 8605195709 Support for asynchronous session ticket callback (can return WC_PENDING_E). Requires wolfAsyncCrypt support. ZD 14420. 2022-07-20 16:43:17 -07:00
David Garske 706ab6aac0 Merge pull request #5377 from kareem-wolfssl/rsaKeyEncipher
Don't require digital signature bit for static RSA cipher suites.  Make wolfSSL_CTX_clear_options available without OPENSSL_EXTRA.
2022-07-20 15:28:55 -07:00
Kareem 873890316c Don't require digital signature bit for static RSA cipher suites. 2022-07-20 12:08:20 -07:00
David Garske 1c7f64cce9 Fixes for sniffer session ticket resumption with TLS v1.2. ZD14531. 2022-07-20 11:18:19 -07:00
David Garske b46a308544 Merge pull request #5361 from embhorn/zd14491
Fix for build with NO_TLS
2022-07-20 09:28:23 -07:00
Hayden Roche e6da540fb3 Fix backwards behavior for various wolfSSL_ERR* functions.
wolfSSL_ERR_get_error and wolfSSL_ERR_peek_error_line_data should return the
earliest error in the queue (i.e. the error at the front), but prior to this
commit, they returned the latest/most recent one instead.

In DoAlert, we were adding an error to the queue for all alerts. However, a
close_notify isn't really an error. This commit makes it so DoAlert only adds
errors to the queue for non-close_notify alerts. In ReceiveData, similarly, we
were adding an error to the queue when the peer sent a close_notify, as
determined by ssl->error == ZERO_RETURN. Now, we don't add an error in this
case.
2022-07-20 08:56:48 -07:00