Commit Graph

54 Commits

Author SHA1 Message Date
John Safranek
246c444b93 Updates for v4.0.0
Update the copyright dates on all the source files to the current year.
2019-03-15 10:37:36 -07:00
John Safranek
b7663a940e Trusted CA Key Indication Extension
Added an API for enabling the Trusted CA Key Indication extension from
RFC6066 section 6. If the server doesn't have a match for the client,
the client will abandon the session.
2019-03-11 12:35:12 -07:00
toddouska
6e1b05316d Merge pull request #2104 from ejohnstown/renegotiation-testing
Secure Renegotiation
2019-03-11 12:10:48 -07:00
John Safranek
65c72ddfe1 Reverted an earlier change to the renegotiation resumption. Still need
to check the cert subject hash.
2019-02-26 14:26:09 -08:00
John Safranek
7389553bd6 1. For secure renegotiation, remove the check of the peer certificate's
subject ID on renegotiation. Both endpoints are already
cryptographically linked on an encrypted channel.
2. The error code list has gaps where deprecated codes were deleted,
remove the redundant gaps where there aren't missing codes.
2019-02-20 11:45:21 -08:00
Sean Parkinson
7aa5cd6f10 Support FFDHE in TLS 1.2 and below. Better TLS 1.3 version support.
Add support for the fixed FFDHE curves to TLS 1.2. Same curves in TLS
1.3 already. On by default - no checking of prime required.
Add option to require client to see FFDHE parameters from server as per
'may' requirements in RFC 7919.

Change TLS 1.3 ClientHello and ServerHello parsing to find the
SupportedVersions extension first and process it. Then it can handle
other extensions knowing which protocol we are using.
2019-02-18 14:51:59 +10:00
John Safranek
63f6c1d280 DTLS Nonblocking Updates
1. Add error code for trying to retransmit a flight when transmitting
the flight hasn't finished.
2. Add function to retransmit the stored flight without updating the
timeout count.
2019-01-18 09:15:11 -08:00
Eric Blankenhorn
02ff19a6c4 Moving PRF to wolfcrypt 2019-01-16 17:23:49 -06:00
David Garske
680a863054 Added support for building with certificate parsing only. ./configure --enable-asn=nocrypt. Added new API for parsing PIV format certificates wc_ParseCertPIV with WOLFSSL_CERT_PIV build option. Added wc_DeCompress_ex with ability to decompress GZIP. Moved the ZLIB error codes into wolfCrypt. 2018-10-02 15:18:56 -07:00
David Garske
f9e830bce7 First pass at changes to move PemToDer into asn.c. 2018-04-09 13:28:14 -07:00
Chris Conlon
2660ff0b93 Merge pull request #1251 from kojo1/openSSL-Compat-201711
openSSL compatibility 201711
2017-12-21 16:25:46 -07:00
David Garske
de05c563b6 Fix to handle non-blocking OCSP when WOLFSSL_NONBLOCK_OCSP is defined and not using async. OCSP callback should return OCSP_WANT_READ. Added ability to simulate non-blocking OCSP using TEST_NONBLOCK_CERTS. 2017-12-08 03:12:33 +01:00
Takashi Kojo
527c94c06b add test_wolfSSL_msgCb 2017-11-24 06:02:01 +09:00
David Garske
fd455d5a5e Fix for handling of static RSA PKCS formatting failures so they are indistinguishable from correctly formatted RSA blocks (per RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG creation for consistency in client case. Removed obsolete PMS_VERSION_ERROR. 2017-11-14 14:05:50 -08:00
Moisés Guimarães
0dd2ba2d80 adds unsupported_extension behavior to SNI 2017-11-03 15:31:13 -03:00
David Garske
911b6f95f8 Release v3.12.2 (lib 14.0.0). Updated copyright. 2017-10-22 15:58:35 -07:00
Sean Parkinson
24e9f7c43d Add NULL check after signature alg extension search 2017-08-01 13:55:06 +10:00
toddouska
66852a9252 add AlertCount to detect dos attempt 2017-07-31 15:17:54 -07:00
John Safranek
1657569605 DTLS Multicast
1. Adding the prototypes for the sequence number high water callback.
2. Added the accessors to set the highwater callback function,
   trigger levels, and application context.
3. Calls the highwater callback at specified sequence number thresholds
   per peer.
2017-07-19 13:34:32 -07:00
Sean Parkinson
8bd6a1e727 Add TLS v1.3 Cookie extension support
Experimental stateless cookie
2017-06-26 16:41:05 +10:00
Sean Parkinson
89e6ac91bf Improve PSK timeout checks
Post-handshake Authentication

Fix KeyUpdate to derive keys properly

Fix supported curves (not checking ctx extensions)
2017-06-14 11:28:53 -07:00
Sean Parkinson
2b1e9973ec Add TLS v1.3 as an option 2017-05-04 14:51:30 -07:00
toddouska
15423428ed add wolfSSL_write_dup(), creates write_only WOLFSSL to allow concurrent access 2017-03-20 15:08:34 -07:00
David Garske
628f740363 Added support for inline CRL lookup when HAVE_CRL_IO is defined (shares code with OCSP lookup in io.c). Added http chunk transfer encoding support. Added default connection timeout value (DEFAULT_TIMEOUT_SEC) and new wolfIO_SetTimeout() API with HAVE_IO_TIMEOUT. Added generic wolfIO_ APIs for connect, select, non-blocking, read and write. Added new define USE_WOLFSSL_IO to enable access to new wolfIO_* socket wrappers even when WOLFSSL_USER_IO is defined. Moved all API declarations for io.c into new io.h header. Added HAVE_HTTP_CLIENT to expose HTTP APIs. Moved SOCKET_T and SOCKET_ defines into io.h. Added WOLFIO_DEBUG define to display request/responses. 2017-03-15 12:26:18 -07:00
David Garske
a55ebb4c18 Fixes for building CRL with Windows. Refactor load_verify_buffer and LoadCRL to use new wc_ReadDir* functions. Added new directory/file APIs: wc_ReadDirFirst(), wc_ReadDirNext(), wc_ReadDirClose(). Moved MAX_PATH and MAX_FILENAME_SZ to wc_port.h. Moved BAD_PATH_ERROR into error-crypt.h. The wc_ReadDir is only supported when NO_WOLFSSL_DIR and NO_FILESYSTEM are not defined. Add map to __FUNCTION__ macro in Windows with debug enabled (to resolve build error with VS and __func__ missing). Fix cast warning on response from EncodeOcspRequestExtensions. Fix for cast to call to BuildCertificateStatus. 2017-03-08 11:21:11 -08:00
John Safranek
be65f26dd2 If there is a badly formed handshake message with extra data at the
end, but the correct size with the extra data, send a decode_error
alert and fail the handshake.
2016-12-14 16:02:29 -08:00
John Safranek
a3ea8378ec Cap the size of the transmit and receive DTLS message lists at 255. 2016-11-02 09:15:05 -07:00
toddouska
c1ac0c0f8c Merge pull request #545 from ejohnstown/ems
Extended Master Secret
2016-09-15 11:25:41 -07:00
toddouska
a5db13cd01 detect server forcing compression on client w/o support 2016-09-07 09:17:14 -07:00
Chris Conlon
e4f527a332 initial extended master secret support 2016-09-01 15:12:54 -06:00
David Garske
17a34c5899 Added asynchronous wolfCrypt RSA, TLS client and Cavium Nitrox V support. Asynchronous wolfSSL client support for "DoServerKeyExchange", "SendClientKeyExchange", "SendCertificateVerify" and "DoCertificateVerify". Fixes for async DTLS. Refactor of the wolf event and async handling for use in wolfCrypt. Refactor of the async device support so it's hardware agnostic. Added Cavium Nitrox V support (Nitrox tested using SDK v0.2 CNN55XX-SDK with new configure "--with-cavium-v=/dir" option). Moved Nitrox specific functions to new port file "port/cavium/cavium_nitrox.c". RSA refactor to handle async with states. RSA optimization for using dpraw for private key decode. Use double linked list in wolf event for faster/cleaner code. Use typedef for wolf event flag. Cleanup of the async error codes. wolfCrypt test and benchmark support for async RSA. Asynchronous mode enabled using "./configure --enable-asynccrypt". If no async hardware is defined then the internal async simulator (WOLFSSL_ASYNC_CRYPT_TEST) is used. Note: Using async mode requires async.c/h files from wolfSSL. If interested in using asynchronous mode please send email to info@wolfssl.com. 2016-08-15 13:59:41 -06:00
Jacob Barthelmeh
0589fe0d39 free ctx in case of InitMutex fail 2016-06-28 09:29:28 -06:00
toddouska
6551c9fcab add getter for max output size 2016-06-09 14:51:07 -07:00
Jacob Barthelmeh
3897f78073 truncated hmac export and sanity checks 2016-05-13 09:11:38 -06:00
Jacob Barthelmeh
3129bb22cd minimum ECC key size check at TLS/SSL level 2016-04-19 15:50:25 -06:00
Jacob Barthelmeh
c9891567e8 add check for min RSA key size at TLS/SSL level 2016-04-14 13:35:49 -06:00
toddouska
63b1282e67 Merge pull request #335 from dgarske/asynccrypt
Asynchronous crypto and wolf event support
2016-03-30 20:12:41 -07:00
Jacob Barthelmeh
e99a5b0483 prepare for release v3.9.0 2016-03-17 16:02:13 -06:00
David Garske
e1787fe160 Added "--enable-asynccrypt" option for enabling asynchronous crypto. This includes a refactor of SendServerKeyExchange and DoClientKeyExchange to support WC_PENDING_E on key generation, signing and verification. Currently uses async simulator (WOLFSSL_ASYNC_CRYPT_TEST) if cavium not enabled. All of the examples have been updated to support WC_PENDING_E on accept and connect. A generic WOLF_EVENT infrastructure has been added to support other types of future events and is enabled using "HAVE_WOLF_EVENT". Refactor the ASN OID type (ex: hashType/sigType) to use a more unique name. The real "async.c" and "async.h" files are in a private repo. 2016-03-17 13:31:03 -07:00
Jacob Barthelmeh
18f1faa13d check error strings and update comment 2016-01-27 09:50:20 -07:00
toddouska
32b2d7f9e4 have calling thread wait for crl monitor thread to setup for simpler cleanup 2015-11-23 14:15:12 -08:00
Moisés Guimarães
21d70636dc Merge branch csr into 'master' 2015-11-02 15:51:01 -03:00
toddouska
a0a4386504 fix alpn example client merge command options 2015-10-13 15:00:53 -07:00
John Safranek
a7ae5155ce fix defragment of handshake messages in TLS 2015-10-06 20:18:55 -07:00
toddouska
5bbcda3c79 add TLS signature fault checks independent of build options, plugins, callbacks, etc 2015-09-09 09:59:10 -07:00
Moisés Guimarães
ca01cebd28 adds SNI abort option to make SNI mandatory for WebSocket (RFC6455 page 17).
@see WOLFSSL_SNI_ABORT_ON_ABSENCE and the xxxSNI_SetOptions() functions for further details.
2015-07-01 19:21:18 -03:00
John Safranek
64602d1969 added check for allowed minimum DH key size 2015-05-21 10:11:21 -07:00
toddouska
e730aa571c add sanity checks to user session ticket encrypt callback 2015-05-18 09:29:25 -07:00
toddouska
f6d12bfc37 initial server side session ticket support 2015-05-15 12:51:44 -07:00
toddouska
0519085c69 add SOCKET_PEER_CLOSED_E vs general SOCKET_E for case where peer closes underlying transport w/o close notify 2015-04-06 11:40:51 -07:00