Commit Graph

4554 Commits

Author SHA1 Message Date
Chris Conlon 54fe98716d Merge pull request #3415 from kojo1/config-options
Config options
2020-10-30 11:55:11 -06:00
toddouska 931eea30f5 Merge pull request #3397 from cconlon/rc2
RC2 ECB/CBC and PKCS#12 Integration
2020-10-28 15:06:47 -07:00
toddouska 3a9758f257 Merge pull request #3433 from dgarske/sniffer_sni
Fix for Sniffer with SSLv3 where SNI is not supported
2020-10-28 12:06:37 -07:00
David Garske a15769b12e Merge pull request #3435 from ejohnstown/ntf2
Nightly Test Fix 2
2020-10-28 06:39:15 -07:00
David Garske 4277ec62f9 Merge pull request #3431 from kaleb-himes/NO_FILESYSTEM_FIX
Remove file system constraint on wolfSSL_CTX_check_private_key()
2020-10-27 15:25:59 -07:00
John Safranek 6a77a8d8d6 Compatibility Layer
When making a AUTHORITY KEY object, if the ASN1 OBJECT fails, the key object is leaked.
2020-10-27 14:51:35 -07:00
David Garske a43d239271 Fix for Sniffer with SSLv3 where SNI is not supported. ZD 11169. 2020-10-27 11:26:02 -07:00
kaleb-himes f934fb03bd Remove file system constraint on wolfSSL_CTX_check_private_key() 2020-10-27 08:57:46 -06:00
John Safranek 7dbd6102d2 Compatibility Layer
When wolfSSL_X509_NAME_ENTRY_create_by_txt() needs to make a new ASN.1 object ID, actually store it in the name entry.
2020-10-26 16:10:44 -07:00
John Safranek 9c1049f112 Compatibility Layer
1. Changed the ASN1_OBJECT member of the X509_NAME_ENTRY to be a pointer
   rather than an object. It could lead to a double free on the name
   entry.
2. The ASN1_OBJECT allocator should set the dynamic flag, as the
   deallocator is the one that uses it.
3. General changes to treat the member as a pointer rather than a
   member.
4. In the api test, we were iterating over the name members in the name
   checking the NIDs. After the loop we freed the name member object.
   This led to a double free error.
2020-10-25 14:38:07 -07:00
Takashi Kojo 277edbb514 fix for --disable-tls13 --enable-sniffer 2020-10-24 07:14:43 +09:00
Takashi Kojo 02536461e6 fix for --enable-opensslall --disable-sha224 2020-10-24 07:06:24 +09:00
David Garske ff092c02d2 Merge pull request #3396 from SparkiDev/fips_armasm
FIPS ARMASM: get build working
2020-10-22 15:26:24 -07:00
tmael 6265006553 Merge pull request #3403 from elms/cppcheck/cleaup_fixes
Address some cppcheck issues
2020-10-22 12:56:19 -07:00
John Safranek e28303b40a In DoServerKeyExchange(), when reading the DH key from the server, the
client was checking it too strictly. The pubkey value should be checked
as strictly as the generator, for too large. The public key value is
checked mathematically elsewhere.
2020-10-21 21:47:32 -07:00
toddouska e4eda3e125 Merge pull request #3384 from SparkiDev/tls13_sess_tick_compat
TLS session tickets: cannot share between TLS 1.3 and TLS 1.2
2020-10-20 15:56:03 -07:00
toddouska 7aae784a53 Merge pull request #3399 from dgarske/zd11128
Fix for TLS sniffer with non-standard curves
2020-10-20 15:14:53 -07:00
toddouska a1afc6ca4f Merge pull request #3389 from tmael/ocsp_status
Process multiple OCSP responses
2020-10-20 15:11:42 -07:00
toddouska 1e43d65d2a Merge pull request #3392 from SparkiDev/ocsp_must_staple
TLS OCSP Stapling: MUST staple option
2020-10-20 15:07:08 -07:00
Sean Parkinson ffd55ac1fe Merge pull request #3406 from ejohnstown/dh-fix-2
DH Fix 2
2020-10-21 08:05:42 +10:00
toddouska c863ca54a3 Merge pull request #3308 from julek-wolfssl/thread-safety
Introduce thread safety to unsafe functions in wolfSSL
2020-10-20 14:56:04 -07:00
toddouska 7c89d10e53 Merge pull request #3260 from julek-wolfssl/non-blocking-scr
(D)TLS non-blocking SCR with example
2020-10-20 13:45:19 -07:00
John Safranek 2c5a4ba508 DH Fix 2
1. Add some missing frees for the error cases when the server DH public
   key is rejected.
2020-10-20 10:32:09 -07:00
Elms 86b2118550 Address some cppcheck issues 2020-10-19 11:47:53 -07:00
John Safranek cd05ed3347 iDH Fix
1. Changed the bounds of checking the key from comparisons to constants
   to comparisons against WOLFSSL object settings for the DH key bounds.
2. Removed redundant bounds check on the server's prime.
2020-10-19 08:08:04 -07:00
Juliusz Sosinowicz 147cb8e60c Jenkins scope fixes 2020-10-19 12:46:11 +02:00
John Safranek fc86e6a960 Fix a double error return. 2020-10-16 18:18:47 -07:00
John Safranek ec0aab1a23 DH Fix
1. Check the length values for the DH key domain and public key in the
   server key exchange message to make sure they are within the bounds
   set by the configuration. (Minimum key size is 2048 bits for DH.)
2020-10-16 16:28:27 -07:00
David Garske 85b4170047 Fix for TLS sniffer with non-standard curves. If curve not provided in key share data, then use private key curve. ZD 11128. 2020-10-16 16:13:42 -07:00
John Safranek 4364700c01 DH Fix
These changes fix several fuzz testing reports. (ZD 11088 and ZD 11101)
1. In GetDhPublicKey(), the DH Pubkey is owned by the SSL session. It
   doesn't need to be in the check for weOwnDh before freeing. There
   could be a chance it leaks.
2. In GeneratePublicDh() and GeneratePrivateDh(), the size of the
   destination buffer should be stored at the location pointed to by the
   size pointer. Check that before writing into the destination buffer.
3. Ensure the size of the private and public key values are in the size
   value before generating or getting the DH keys.
2020-10-16 15:35:23 -07:00
David Garske b58ea5842a wolfSSL RC2 template. 2020-10-16 11:46:40 -06:00
Juliusz Sosinowicz 24030d5f32 Move globalRNG and co to ssl.c 2020-10-16 17:33:28 +02:00
Sean Parkinson aeb44c5352 FIPS ARMASM: get build working 2020-10-16 16:41:18 +10:00
Sean Parkinson 07e69829d7 TLS 1.3 PSK: fix for session ticket timeout
Return straightaway if the ticket is out of date.
Need to fallback to full handshake.
2020-10-16 14:48:29 +10:00
Sean Parkinson 60b0b0170b TLS OCSP Stapling: MUST staple option
Can enable OCSP Must Staple option to mean that if the client sends a
request for an OCSP Staple then it must receive a response.
2020-10-16 09:03:27 +10:00
Sean Parkinson 134e1be189 TLS session tickets: cannot share between TLS 1.3 and TLS 1.2
When parsing ticket, check TLS version to see whether they are version
compatible.
2020-10-15 13:02:06 +10:00
David Garske 10b1884993 Added support for handling an OCSP response with multiple status responses. 2020-10-14 14:47:24 -07:00
toddouska 1c4b15d427 Merge pull request #3369 from dgarske/sniffer_ccm
Add AES CCM support to sniffer
2020-10-14 14:31:57 -07:00
toddouska 8898abcc99 Merge pull request #3378 from dgarske/zd11085
Fixes SSLv3 use of ECDH in sniffer
2020-10-14 14:30:15 -07:00
David Garske 232028d03b Merge pull request #3386 from ejohnstown/dh-maint
Fuzz Fix
2020-10-13 15:47:11 -07:00
David Garske 048a3a8d5b Merge pull request #3374 from JacobBarthelmeh/Testing
NO_FILESYSTEM build on Windows
2020-10-13 13:26:46 -07:00
John Safranek 422683f4c3 Fuzz Fix
GetPublicDhKey() assumes the ssl session owns the DH public key parts, and
tries to free them. They belong to the CTX initially, so it shouldn't be
freeing them, necessarily.

1. Add a check for weOwnDh first, then free the buffers if needed.
2. If there is a problem reading the keys, free the new buffers before exiting.
3. Set weOwnDh once the buffers and values have been stored
   successfully.
2020-10-13 10:15:58 -07:00
David Garske 0d685e4f28 Merge pull request #3358 from douzzer/wolfSSL_get_ocsp_producedDate
add wolfSSL_get_ocsp_producedDate().
2020-10-12 15:21:10 -07:00
John Safranek 0ca202f389 Rename SKIP_SUITE to something more descriptive. Add some comments. 2020-10-12 09:49:02 -07:00
John Safranek a05a305d70 Fix unused parameters in SKIP_SUITE. 2020-10-09 15:59:14 -07:00
John Safranek 6cfb038d11 Fix a bad ifdef. 2020-10-09 15:54:44 -07:00
John Safranek 2d85061c47 Maintenance Fixes
Improve the reporting of the NTRU based cipher suites with the function
wolfSSL_sk_CIPHER_description().
2020-10-09 15:01:39 -07:00
John Safranek d8299e2764 Maintenance Fixes
When building the list of ciphers with wolfSSL_get_ciphers_compat(),
skip the fake indicator ciphers like the renegotiation indication
and the quantum-safe hybrid since they do not have encryption or mac
algorithms associated to them.
2020-10-09 15:01:38 -07:00
David Garske f3fbb921c0 Fixes SSLv3 use of ECDH. The public key length byte needs to be skipped for import with SSLv3 and TLS (not TLS v1.3). ZD 11085 2020-10-09 12:01:41 -07:00
JacobBarthelmeh bfb10ddfb5 NO_FILESYSTEM build on Windows 2020-10-09 09:45:00 -07:00