Commit Graph

146 Commits

Author SHA1 Message Date
JacobBarthelmeh 8225d3642b save next status with OCSP response verify 2022-11-03 22:39:47 -07:00
Hayden Roche 294a26ba0c Merge pull request #5708 from JacobBarthelmeh/OCSP 2022-10-26 15:43:15 -07:00
JacobBarthelmeh d08c204466 remove extra memset 2022-10-26 12:54:17 -07:00
JacobBarthelmeh a26b89f66b fix leak with multiple entries 2022-10-26 09:29:06 -07:00
JacobBarthelmeh 7381846edb fix case of copying over status to existing struct 2022-10-25 15:33:17 -07:00
Uriah Pollock 19e30b081f Resolved sanitizer issue. 2022-10-24 16:27:18 -05:00
Uriah Pollock 6aff27c5c8 Resolved valgrind issue. Updated ASN1_TIME usage per feedback.
Refactored wolfSSL_d2i_OCSP_CERTID per feedback.
2022-10-21 13:16:32 -05:00
JacobBarthelmeh af518f8c86 adjust saving new OCSP cert 2022-10-18 08:33:13 -07:00
Uriah Pollock f48b736ec3 Changed some WOLFSSL_ASN1_TIME handling and other fixes. 2022-10-14 17:09:35 -05:00
Uriah Pollock 0f0496ae8f Added WOLFSSL_ASN1_TIME to CRL 2022-10-12 14:30:26 -05:00
Uriah Pollock 5cbb099dc9 Updated per PR comments. 2022-10-12 14:06:57 -05:00
Uriah Pollock 9117f8b51b Added more APIs for HaProxy integration. 2022-10-12 14:06:57 -05:00
JacobBarthelmeh 29f2dee991 handeling DER to internal of an OCSP response with no optional certificates 2022-08-29 15:25:50 -07:00
Daniel Pouzzner 8197f958a9 address peer review on PR #5449. 2022-08-10 13:33:57 -05:00
Daniel Pouzzner f771181e1a fixes for issues introduced in #5384:
added numerous missing _SMALL_STACK code paths (PK objects on the stack);

in settings.h, enable WOLFSSL_SMALL_STACK_STATIC by default when WOLFSSL_SMALL_STACK is defined (NO_WOLFSSL_SMALL_STACK_STATIC to override);

fixes for unsafe strcat()s in tests/quic.c;

fix for unsafe macro WOLFSSL_IS_QUIC();

fix to exclude quic from enable-all when enable-linuxkm (quic needs opensslextra, and opensslextra currently only works in-kernel in cryptonly builds);

fix for signed/unsigned clash in wolfSSL_quic_receive().
2022-08-10 13:33:56 -05:00
Jacob Barthelmeh 8eaa85e412 update copyright year to 2022 2022-07-19 10:44:31 -06:00
David Garske fbc7d5a6b2 Minor textual fixes. Thanks Hayden. 2022-02-23 09:43:10 -08:00
David Garske 2beb27972b OCSP IPv6 support with --enable-ipv6 or WOLFSSL_IPV6. Improve the logic around C99 and getaddrinfo. 2022-02-22 15:07:05 -08:00
Juliusz Sosinowicz e78f7f734e Add Apache 2.4.51 support
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
2021-12-16 12:39:38 +01:00
David Garske 9b6cf56a6e Expanded support for Curve25519/Curve448 and TLS v1.3 sniffer (#4335)
* Fixes for building with Ed/Curve25519 only. Fix for IoT safe demo to exit after running once. Added `WOLFSSL_DH_EXTRA` to `--enable-all` and `--enable-sniffer`. Cleanup uses of `==` in configure.ac. Various spelling fixes.

* Fix for sniffer with TLS v1.3 session tickets.

* Fix for ASN Template Ed25519 key export (missing version / not setting OID correctly).

* Add key import/export support for Curve25519/Curve448. Refactor of the 25519/448 ASN code to combine duplicate code.

* Refactor of Curve25519 code. Improved public key export to handle generation when only private is set. Improved private scalar buffer sizing.

* Fix for static ephemeral loading of file buffer.

* Added sniffer Curve25519 support and test case.

* Fix for sniffer to not use ECC for X25519 if both are set.

* Fix Curve448 public export when only private is set.

* Fix for `dh_generate_test` for small stack size.

* Reduce stack size use on new asymmetric DER import/export functions. Cleanup pub length calc.

* Fix invalid comment.
2021-09-01 09:28:24 +10:00
Juliusz Sosinowicz 1b6b16c2c3 HaProxy 2.4-dev18 support
*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
    - `STACK_TYPE_X509_OBJ`
    - `OCSP_id_cmp`
    - `X509_STORE_get0_objects`
    - `X509V3_EXT_nconf_nid`
    - `X509V3_EXT_nconf`
    - `X509_chain_up_ref`
    - `X509_NAME_hash`
    - `sk_X509_NAME_new_null`
    - `X509_OBJECT_get0_X509`
    - `X509_OBJECT_get0_X509_CRL`
    - `ASN1_OCTET_STRING_free`
    - `X509_LOOKUP_TYPE`
    - `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
    - WOLFSSL_CTX
        - Enable all compiled in protocols
        - Allow anonymous ciphers
        - Set message grouping
        - Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
    - Return first that occured
    - Set correct value on date error
    - Set revoked error on OCSP or CRL error
    - Save value in session and restore on resumption
    - Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
2021-07-06 15:39:23 +02:00
toddouska 95b91d8913 Merge pull request #3886 from DKubasekRA/fix/RA/v4.7.0-coverity
RA - Fixes for Coverity issues
2021-03-31 10:41:54 -07:00
Stanislav Klima 2e25c53111 Revert "Fixed CID 583215."
This reverts commit 26578be1a7.
2021-03-22 09:50:20 +01:00
David Garske 14e79a165a Merge pull request #3880 from embhorn/cov_fixes
Fix resource leak
2021-03-18 15:18:38 -07:00
Eric Blankenhorn 36f80d53aa Fix resource leak 2021-03-12 14:57:45 -06:00
Jacob Barthelmeh c729318ddd update copyright date 2021-03-11 13:42:46 +07:00
Radim Smat 027f05e349 Fixed CID 583215. 2021-03-04 13:40:45 +01:00
Martin Kinčl b383d93274 Fixed CID 582952. 2021-03-03 21:32:34 +01:00
Radim Smat 26578be1a7 Fixed CID 583215. 2021-03-03 15:51:22 +01:00
Radim Smat ef34e613e8 Fixed CID 582947. 2021-03-03 15:46:37 +01:00
Juliusz Sosinowicz 0ae1a8b8c5 Jenkins fixes
- Change pushCAx509Chain to an iterative implementation
- Fix variable names shadowing global names
2021-02-16 14:25:45 +01:00
Juliusz Sosinowicz b90862fa3f Free OcspEntry.status only when the struct owns the pointer 2021-02-16 14:25:45 +01:00
Juliusz Sosinowicz 9a1e54cfd5 Nginx 1.19.6 Fixes 2021-02-16 14:25:45 +01:00
Jacob Barthelmeh a948066f86 some infer fixes 2020-12-17 01:49:48 +07:00
Hayden Roche 03c7e52f5f Add OpenSSL compatibility functions for Apache httpd's OCSP module. 2020-12-03 11:22:43 -06:00
Hayden Roche bca43654df Make changes to OCSP ASN code.
- Use OcspEntry in OcspResponse instead of CertStatus. OcspEntry is more
  analogous to an OCSP SingleResponse, which contains issuer name and key
  hashes. Correspondingly, remove these hashes from OcspResponse, since they'll
  now be stored per SingleResponse in an OcspEntry.
- Add a hashAlgoOID to OcspEntry (corresponds to hashAlgorithm in CertId in RFC
  6960). This makes OcspEntry more closely resemble an OCSP SingleResponse.
- Change WOLFSSL_OCSP_CERTID to map to OcspEntry. OcspEntry contains all the
  information that an OCSP CertID contains, and is a better fit than
  OcspRequest.
- Add a pointer to the raw CertId in an OCSP SingleResponse to OcspEntry, along
  with a size field to indicate how many bytes the CertId occupies. This will
  be used in an OpenSSL compatibility function, i2d_OCSP_CERTID, which yields
  the raw bytes of the CertId.
2020-12-03 11:22:43 -06:00
Glenn Strauss 92c3296e13 preprocessor -DNO_BIO to omit OpenSSL BIO API 2020-11-05 20:40:43 -06:00
Glenn Strauss 503de43cbd build updates for lighttpd
Update configure.ac and various #ifdefs to enable WolfSSL to
build features for use by lighttpd.

Change signature of wolfSSL_GetVersion() to take const arg.
Pass (const WOLFSSL*) to wolfSSL_GetVersion() for use with
SSL_CTX_set_info_callback(), where OpenSSL callback takes (const SSL *)
2020-11-05 20:40:43 -06:00
David Garske 10b1884993 Added support for handling an OCSP response with multiple status responses. 2020-10-14 14:47:24 -07:00
David Garske 085f55195a Fix for handling OCSP response in non-blocking mode. 2020-08-21 15:50:34 -07:00
Sean Parkinson 55ea2facdd Changes to clear issues raised by cppcheck 2020-01-30 14:24:32 +10:00
JacobBarthelmeh 6b4551c012 Merge pull request #2654 from cariepointer/qt-512-513
Add Qt 5.12 and 5.13 support
2020-01-10 17:34:23 -07:00
Chris Conlon 45c5a2d39c update copyright to 2020 2020-01-03 15:06:03 -08:00
Carie Pointer ee13dfd878 Add Qt 5.12 and 5.13 support
Co-Authored-By: aaronjense <aaron@wolfssl.com>
Co-Authored-By: MJSPollard <mpollard@wolfssl.com>
Co-Authored-By: Quinn Miller <quinnmiller1997@users.noreply.github.com>
Co-Authored-By: Tim Parrish <timparrish@users.noreply.github.com>
2019-12-06 14:27:01 -07:00
Juliusz Sosinowicz 9064de1e75 Set proper WOLFSSL_ASN1_TIME in thisupd and nextupd in wolfSSL_OCSP_resp_find_status 2019-11-27 17:45:49 +01:00
David Garske ca5549ae91 Improvements for XFTELL return code and MAX_WOLFSSL_FILE_SIZE checking.
Fixes #2527
2019-11-18 13:49:06 -08:00
Jacob Barthelmeh 95c036a08a static analysis tests for memory management 2019-10-14 17:17:46 -06:00
David Garske 4c89a21d12 Updates from peer review. Refactor to combine some BIO elements into ptr. Revert change to BIO_set_fd. 2019-09-27 11:19:42 -07:00
cariepointer 2dafd2102c Add Apache HTTP Server compatibility and --enable-apachehttpd option (#2466)
* Added Apache httpd support `--enable-apachehttpd`.

* Added `SSL_CIPHER_get_version`, `BIO_new_fp`, `SSL_SESSION_print` and `SSL_in_connect_init` compatibility API's.

* Fix to expose `ASN1_UTCTIME_print` stub.

* Pulled in `wolfSSL_X509_get_ext_count` from QT.

* Added `X509_get_ext_count`, `BIO_set_callback`, `BIO_set_callback_arg` and `BIO_get_callback_arg`.

* Added `wolfSSL_ERR_print_errors`.

* Added `BIO_set_nbio` template.

* Fixes for building with Apache httpd.

* Added DH prime functions required for Apache httpd.

* Fix and move the BN DH prime macros.

* Fix for `SSL_CTX_set_tlsext_servername_arg` to have return code.

* Only add the `BN_get_rfc*_prime_*` macro's if older than 1.1.0.

* Added `ERR_GET_FUNC`, `SSL_CTX_clear_extra_chain_certs` prototypes.

* Added `wolfSSL_CTX_set_client_cert_cb` template and `OPENSSL_load_builtin_modules` stub macro.

* Added `X509_INFO` templates (`X509_INFO_new`, `X509_INFO_free`, `sk_X509_INFO_new_null`, `sk_X509_INFO_num`, `sk_X509_INFO_value`, `sk_X509_INFO_free`). Added `sk_X509_shift`.

* Added BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg

* add BIO_set_nbio, ERR_print_errors and tests

* add X509 INFO stack push function

* Add ASN1_UTCTIME_print and unit test

* Add X509_get_ext_count unit test

* initial commit of wolfSSL_PEM_X509_INFO_read_bio

* Added `sk_X509_NAME_new`, `sk_X509_NAME_push`, `sk_X509_NAME_find`, `sk_X509_NAME_set_cmp_func` and `sk_X509_NAME_free`. Grouped `sk_X509_NAME_*` functions.

* Cleanup sk X509 NAME/INFO pop free template.

* Advance openssl compatibility to v1.1.0 for Apache httpd. Added TLS version macros. Implemented sk X509 NAME/INFO pop and pop_free.

* Added `TLS_client_method` support.

* Added `SSL_get_server_tmp_key` and `EC_curve_nid2nist`.

* Added `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`. Fix for `BN_get_rfc*_prime_*` with the v1.1.0 change.

* add test cases for PEM_X509_INFO_read_bio

* Fixes for `BN_get_rfc*_prime_*` macros. Added template for `SSL_DH_set0_pqg`. Fix for `SSL_OP_NO_` to use Macro's (as is done in openssl). Added `SSL_set_verify_result`. Added stub for `OPENSSL_malloc_init`.

* Apache httpd compatibility functions. BIO setter/getters.

* implement ASN1_TIME_check and add test case

* add SSL_get_client_CA_list

* add initial implementation of wolfSSL_DH_set0_pqg

* Add apache support to OBJ_txt2nid and unit test, add stub for OBJ_create

* add X509_STORE_CTX_get1_chain, sk_free, sk_X509_dup

* Add sk_SSL_COMP_num and SSL_COMP struct

* implement and test of SSL_SESSION_print

* add SSL_CTX_set_client_cert_cb

* expand BIO_printf and add test case

* Added `OCSP_CERTID_dup`. Added `ASN1_TYPE`.

* add implementation for wolfSSL_get_server_tmp_key

* add wolfSSL_BIO_puts and test case

* Add X509_EXTENSION_get_object and X509_EXTENSION_get_data

* add helper for bio flag set and null x509 stack

* add test adn implementation for wolfSSL_i2d_PrivateKey

* Added `ASN1_OTHERNAME`, `ACCESS_DESCRIPTION` and `GENERAL_NAME`. Added `sk_ACCESS_DESCRIPTION_pop_free` and `ACCESS_DESCRIPTION_free` stubs.

* add wolfSSL_PEM_read_bio_ECPKParameters

* add BIO_vfree

* add X509_up_ref

* add X509_STORE_CTX_set_ex_data

* add _GNU_SOURCE macro and wolfSSL_EVP_read_pw_string

* add wolfSSL_EVP_PKEY_ref_up function

* X509_get_ext, X509V3_EXT_print, and d2i_DISPLAYTEXT stubs

* add X509_set_issuer_name

* add wolfSSL_sk_SSL_CIPHER_* functions and tests

* add prototype for sk_X509_EXTENSION and ACCESS_DESCRIPTION

* fix casting to avoid clang warning

* adjust test_wolfSSL_X509_STORE_CTX test case

* Added `OpenSSL_version`

* renegotiate functions and additional stack functions

* add aditional stub functions

* Add Apache httpd requirements for ALPN, CRL, Cert Gen/Req/Ext and SecRen. Fix for `sk_X509_INFO_new_null`.

* add ocsp stub functions

* Proper fix for `sk_X509_INFO_new_null`. Added templates for `X509_get_ext_by_NID` and `X509_add_ext`. Added templates for `ASN1_TIME_diff` and `ASN1_TIME_set`.

* x509 extension stack additions

* Fixed template for `OCSP_id_get0_info`.

* add X509 stub functions

* add X509_STORE_CTX_get0_store() and unit test

* Added `EVP_PKEY_CTX_new_id`, `EVP_PKEY_CTX_set_rsa_keygen_bits`, `EVP_PKEY_keygen_init`, `EVP_PKEY_keygen` and `BN_to_ASN1_INTEGER`.

* x509v3 stubs and req add extensions

* Add OBJ_txt2obj and unit test; add long name to wolfssl_object_info table for use by OBJ_* functions

* wolfSSL_set_alpn_protos implementation

* Added `EVP_SignInit_ex` and `TLS_server_method` implementation. Added stubs for  `RSA_get0_key` and `i2d_OCSP_REQUEST_bio`. Fix typo on `OCSP_response_create`. Fix warning in `wolfSSL_set_alpn_protos`.

* Added `X509_EXTENSION_free` stub. Fixed a few macro typos/adding missing.

* add X509_STORE_CTX_get0_current_issuer and unit test

* add OBJ_cmp and unit test

* add RSA_get0_key and unit test

* add OCSP_check_nonce

* Implement X509_set_notAfter/notBefore/serialNumber/version,X509_STORE_CTX_set_depth,X509V3_set_ctx.

* Modify wolfSSL_X509_set_notAfter/notBefore and add tests for each.

* Add test_wolfSSL_X509_set_version w/ fixes to _set_version and fix _set_notBefore/notAfter tests

* add OCSP_id_get0_info and unit test, move WOLFSSL_ASN1_INTEGER to asn_public.h from ssl.h

* inital implementation of wolfSSL_X509_sign

* add debugging messages and set data for BIO's

* Add i2d_OCSP_REQUEST_bio.

* implementation of some WOLFSSL_BIO_METHOD custom functions

* fix for ASN time structure and remove log node

* initial eNULL support and sanity checks

* fixes after rebasing code

* adjust test cases and ASN1_TIME print

* Various fixes for memory leaks

* Apache compatibility in CTX_set_client_CA_list for X509_NAME use; add X509_NAME_dup as supporting function

* Add initial X509_STORE_load_locations stub for Apache

* Updates to X509_get_ext_d2i to return GENERAL_NAME struct instead of ASN1_OBJECT for alternative names and add supporting GENERAL_NAME functions

* Add X509_STORE_load_locations implementation; add wolfSSL_CertManagerLoadCRL_ex; initial renegotiation fixes/updates

* Fix for freeing peer cert in wolfSSL_Rehandshake instead of FreeHandShakeResources during secure renegotiation

* Add X509_ALGOR and X509_PUBKEY structs for X509_PUBKEY_get0_param and X509_get_X509_PUBKEY implementation

* Initial implementation of wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param

* Add implementation for X509_get0_tbs_sigalg and X509_ALGOR_get0

* Add OBJ_nid2ln implementation

* Fix compile errors in tests/api.c for some build options

* Updates to X509_STORE_load_locations for non-CRL types; Add additional DETECT_CERT_TYPE enum and logic for detecting certificate type in ProcessFile

* Add X509_STORE_load_locations unit test and minor error handling fixes

* Add unit test for X509_sign

* Set correct alert type for revoked certificates; add/fix a few WOLFSSL_ENTER messages

* Add X509_ALGOR member to X509 struct; refactoring and unit tests for wolfSSL_X509_ALGOR_get0 and wolfSSL_X509_get0_tbs_sigalg

* Add X509_PUBKEY member to X509 struct; refactoring and unit tests for wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param

* Stack fixes after rebase

* Secure renegotiation refactoring: add ACCEPT_BEGIN_RENEG to AcceptState for use in wolfSSL_SSL_in_connect_init; free old peer cert when receiving new cert to fix memory leak

* Move enc-then-mac enable option in configure.ac for apache httpd compatibility

* Simplify wolfSSL_SSL_in_connect_init logic

* Remove unneeded wolfSSL_CertManagerLoadCRL_ex

* Fixes for jenkins test failures

* SSL_get_secure_renegotiation_support for print statement in Apache
2019-09-19 17:11:10 -07:00
Takashi Kojo fd0390430d Give error code resolution to wolfSSL_CertManagerCheckOCSPResponse 2019-08-20 07:22:54 +09:00