Andras Fekete
1192d41f0e
First successful implementation of EVP_aes_*_ccm
2022-12-29 17:02:43 -05:00
Andras Fekete
27b5ac421e
Use the actual size of the structure
2022-12-29 17:02:43 -05:00
David Garske
5c0abfd7ad
Merge pull request #5936 from embhorn/zd15400
...
Fix unguarded XFPRINTF calls
2022-12-28 12:47:19 -08:00
Eric Blankenhorn
004705b38f
Fix unguarded XFPRINTF calls
2022-12-28 12:23:40 -06:00
Chris Conlon
aadce3af9c
Merge pull request #5930 from miyazakh/subscript_has_char
2022-12-28 10:18:43 -07:00
Anthony Hu
b3e99348cd
Purge the AES variant of Dilithium
2022-12-27 14:37:47 -05:00
Hideki Miyazaki
684646c8b9
fix shadows min and subscript by i486-netbsd-gcc
2022-12-25 07:20:04 +09:00
David Garske
49d23cf60a
Merge pull request #5913 from douzzer/20221219-no-sha-1-all-crypto
...
20221219-no-sha-1-all-crypto
2022-12-22 17:02:58 -08:00
David Garske
1b18da7e87
Merge pull request #5920 from jpbland1/unrecognized-http-header
...
remove http header length check for CRL verification
2022-12-22 17:01:54 -08:00
David Garske
5c89719c51
Merge pull request #5916 from julek-wolfssl/dtls-srtp-keying-material
...
DTLS-SRTP: use wolfSSL_export_keying_material instead of wc_PRF_TLS
2022-12-22 17:01:37 -08:00
David Garske
135b9f0566
Merge pull request #5915 from julek-wolfssl/dtls-remove-realloc-dep
...
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-22 17:01:31 -08:00
David Garske
62e3835b0e
Merge pull request #5911 from julek-wolfssl/DtlsMsgPoolSend-sendSz
...
DtlsMsgPoolSend: Use correct sendSz
2022-12-22 17:01:19 -08:00
John Safranek
9ce79c4de8
Merge pull request #5921 from cconlon/libsuffix
2022-12-22 11:37:28 -08:00
Chris Conlon
9a7ff8773b
add --with-libsuffix support, append suffix to library artifact name
2022-12-21 13:31:07 -07:00
John Bland
b36d585335
remove http header length check for CRL verification
2022-12-21 13:01:58 -05:00
Daniel Pouzzner
455e76873c
peer review fixes re: minor fixes to accommodate --disable-sha in combination with --enable-all-crypto.
2022-12-20 10:43:33 -06:00
Juliusz Sosinowicz
6a8be960ba
DTLS-SRTP: use wolfSSL_export_keying_material instead of wc_PRF_TLS
2022-12-20 16:42:28 +01:00
Juliusz Sosinowicz
2fe6555fcf
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-20 13:53:03 +01:00
Daniel Pouzzner
91869f6028
minor fixes to accommodate --disable-sha in combination with --enable-all-crypto.
2022-12-20 00:42:05 -06:00
Juliusz Sosinowicz
53b2be06d3
DtlsMsgPoolSend: Use correct sendSz
...
pool->sz is the size without the record header. The handshake header is present already.
Reproducible with
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
or
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
and
./examples/server/server -l ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305 -u -i
./examples/client/client -l ECDHE-RSA-AES256-GCM-SHA384 -u -R -p 12345 -i
2022-12-19 17:07:37 +01:00
JacobBarthelmeh
3d1775320b
Merge pull request #5900 from icing/tls12-no-tickets
...
WOLFSSL_OP_NO_TICKET fix for TLSv1.2
2022-12-16 14:42:50 -07:00
David Garske
07dcd5270e
Merge pull request #5898 from cconlon/androidSystemCa
...
Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
2022-12-16 06:12:24 -08:00
Stefan Eissing
9d0b16097e
Fix builds without session tickets.
2022-12-16 09:40:51 +01:00
Stefan Eissing
dccabc60a5
Disabling TLSv1.2 session tickets when WOLFSSL_OP_NO_TICKET is being set.
...
There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets
for TLS version lower than 1.2. But it includes 1.2 as well.
2022-12-16 09:29:44 +01:00
Chris Conlon
f9bd8f76de
add Android system CA certs path for to wolfSSL_CTX_load_system_CA_certs() usage
2022-12-15 16:39:48 -07:00
gojimmypi
e0c9586b79
initialize resp_length = 0 in tls.c
2022-12-15 12:51:33 -08:00
Stefan Eissing
78fd5d7dbc
Fix wolfSSL_set_SSL_CTX() to be usable during handshake.
...
This method requires some explanation. Its sibling is
int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
which re-inits the WOLFSSL* with all settings in the new CTX.
That one is the right one to use *before* a handshake is started.
This method was added by OpenSSL to be used *during* the handshake, e.g.
when a server inspects the SNI in a ClientHello callback and
decides which set of certificates to use.
Since, at the time the SNI callback is run, some decisions on
Extensions or the ServerHello might already have been taken, this
method is very restricted in what it does:
- changing the server certificate(s)
- changing the server id for session handling
and everything else in WOLFSSL* needs to remain untouched.
2022-12-15 09:33:01 +01:00
Sean Parkinson
a3f3c76faa
Merge pull request #5890 from anhu/fix_iv_size
...
Fix the wrong IV size.
2022-12-15 08:43:25 +10:00
Sean Parkinson
3d8f25ab7d
Merge pull request #5430 from dgarske/sniffer_multithread
...
Support for multi-threaded sniffer
2022-12-15 08:18:49 +10:00
Anthony Hu
472a31a801
Fix the wrong IV size.
2022-12-14 13:04:38 -05:00
Anthony Hu
ad6d6be620
Kyber with DTLS 1.3 tests
2022-12-14 12:46:24 -05:00
David Garske
6be0512728
Peer review cleanups.
2022-12-14 09:25:04 -08:00
David Garske
e33d59cd76
Review cleanups.
2022-12-13 10:55:22 -08:00
Anthony Hu
364835dc9e
Allow session tickets to properly resume when using PQ KEMs.
...
Found with:
```
./configure --with-liboqs --enable-session-ticket
./examples/server/server -v 4 -r --pqc P521_KYBER_LEVEL5
./examples/client/client -v 4 -r --pqc P521_KYBER_LEVEL5
```
2022-12-13 11:36:00 -05:00
Sean Parkinson
a7a6d5b297
Merge pull request #5874 from JacobBarthelmeh/tls13
...
adjust post auth support with TLS 1.3
2022-12-13 09:39:31 +10:00
David Garske
d0c9ec6681
Merge pull request #5854 from JacobBarthelmeh/Certs
...
fix other name san parsing and add RID cert to test parsing
2022-12-12 14:44:07 -08:00
David Garske
a1e883b43d
Merge pull request #5875 from JacobBarthelmeh/Compatibility-Layer
...
fix for handling DEFAULT:... cipher suite list
2022-12-12 14:43:50 -08:00
David Garske
78f495cdae
Merge pull request #5877 from SparkiDev/x509v3_d2i_aia
...
X509v3 EXT d2i: fix freeing of aia
2022-12-12 08:59:15 -08:00
David Garske
de22dbe61d
Support for multi-threaded sniffer. Add support for atomic operations instead of mutex in wc_port.h.
2022-12-12 08:39:42 -08:00
David Garske
b871829833
Merge pull request #5811 from lealem47/zd15184
...
Async Sniffer: Fix for decryption after second handshake
2022-12-12 08:21:35 -08:00
Sean Parkinson
7f3de91e25
X509v3 EXT d2i: fix freeing of aia
...
aia is a stack and must be pop freed rather than freed with XFREE.
Extract function that creates Authority Info Access stack.
Fix spelling issue raised by codespell.
2022-12-12 10:13:13 +10:00
Sean Parkinson
9ab8867b42
TLS: detect duplicate known extensions
...
TLS specification requires that there not be more than one extension of
the same type in a given extension block. E.g. ClientHello
2022-12-12 08:35:04 +10:00
JacobBarthelmeh
8b296877ab
fix for handling DEFAULT:... cipher suite list
2022-12-10 14:53:43 -08:00
JacobBarthelmeh
389cf6ed0a
adjust post auth support with TLS 1.3
2022-12-10 06:49:51 -08:00
Anthony Hu
937d247c7d
Don't create a key if we don't support the curve.
...
Found with the following configuration:
./configure --enable-tls13 --disable-oldtls --enable-static --enable-singlethreaded --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-sp=yes,4096 --disable-shared --disable-sha3 --disable-dh --enable-curve25519 --enable-secure-renegotiation --enable-debug --enable-opensslextra 'CFLAGS=-DWOLFSSL_DTLS_ALLOW_FUTURE -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DFP_MAX_BITS=8192 -fomit-frame-pointer'
2022-12-08 12:13:12 -05:00
JacobBarthelmeh
eb69ccb22c
Merge pull request #5856 from icing/errq-improvements
...
Improvements in OpenSSL Compat ERR Queue handling.
2022-12-08 09:28:05 -07:00
Stefan Eissing
02094ebb2e
Updates after review by JacobBarthelmeh.
...
- fix err/ret rename leftover for python builds
- add documenetation to thread-local functions
- move generic queue functions up
2022-12-08 09:53:05 +01:00
Stefan Eissing
45f9ef5dd9
Improvements in OpenSSL Compat ERR Queue handling.
...
Configuration
- thread-local storaoge is selected when available
- '--enable-error-queue-per-thread' and '--disable-error-queue-per-thread' can
be used as before to explicitly en-/disable the feature.
Implementation:
- with thread-local-storage, error queue is realized in one struct without
allocations. Queue size is restricted to 16 entries (per thread), which
is the same limit in OpenSSL 1.1.x.
- without thread-local-storage, all error queue operations are mutex locked
- wc_PeekErrorNodeLineData() and wc_GetErrorNodeErr() added for use by SSL
functions to allow locked queue iterations/manipulations.
2022-12-07 18:14:45 +01:00
Kosmas Valianos
11f9bd85ee
Fix wrong function name in wolfSSL_X509_get_name_oneline()
2022-12-07 16:00:05 +01:00
Sean Parkinson
e5d03cf5ad
Merge pull request #5848 from philljj/fix_mingw64_build
...
Fix mingw-w64 build issues on windows.
2022-12-07 08:57:07 +10:00