Commit Graph

3481 Commits

Author SHA1 Message Date
David Garske 11029127df Merge pull request #7119 from JacobBarthelmeh/crl
support for RSA-PSS signatures with CRL
2024-01-16 15:23:16 -08:00
JacobBarthelmeh b140f93b17 refactor sigParams allocation and adjust test file name 2024-01-16 14:41:24 -07:00
David Garske 06a32d3437 Merge pull request #7097 from lealem47/removeUserCrypto
Remove user-crypto functionality and Intel IPP support
2024-01-09 17:33:28 -08:00
JacobBarthelmeh cd07e32b13 update crl files and add in compat support for RSA-PSS 2024-01-08 16:38:11 -08:00
JacobBarthelmeh d58acef895 add RSA-PSS CRL test case 2024-01-05 14:47:53 -08:00
Juliusz Sosinowicz 5bdcfaa5d0 server: allow reading 0-RTT data after writing 0.5-RTT data 2024-01-04 13:19:44 +01:00
John Bland f6555fd753 update ech to use separate hsHashes for the ech log
which are not restarted and the inner hsHashes which are restared on HRR. also send empty string with 0 encLen when sending clientHelloInner2. setup works wolfssl->wolfssl but fails to match acceptance for first HRR message when talking to an openssl server, does still work without HRR when talking to cloudflare's server without HRR.
2024-01-02 19:31:52 -05:00
jordan e175004f85 Fix Infer Uninitialized Values. 2024-01-02 12:16:20 -06:00
John Bland bc77f9f466 fix writing empty string when sending enc in response
to an hrr, fix bad getSize for hrr ech, fix using the wrong transcript hash for hrr ech, add new hrr test for ech to api.c
2023-12-29 16:30:34 -05:00
Lealem Amedie 837452b1ca Remove user-crypto functionality and Intel IPP support 2023-12-27 12:24:19 -07:00
Daniel Pouzzner e65e9f11c7 fixes for clang -Wunreachable-code-aggressive (-Wunreachable-code/clang-diagnostic-unreachable-code in src/ssl.c:wolfSSL_CTX_load_verify_buffer_ex() and -Wunreachable-code/clang-diagnostic-unreachable-code-return in api.c:myCEKwrapFunc()). 2023-12-22 14:12:13 -06:00
Daniel Pouzzner f2d573f01f wolfssl/wolfcrypt/asn.h, src/ssl.c: add "ANONk" to enum Key_Sum, and use the new value in wolfSSL_get_sigalg_info(), fixing clang-analyzer-optin.core.EnumCastOutOfRange.
add suppressions in tests for expected clang-analyzer-optin.core.EnumCastOutOfRange's.
2023-12-19 18:14:29 -06:00
Chris Conlon 2ffc818c28 Merge pull request #7069 from douzzer/20231213-misc-fixes
20231213-misc-fixes
2023-12-14 15:18:12 -07:00
Chris Conlon f6ef58dbc2 Merge pull request #7064 from philljj/fix_infer_issues
Fix issues from infer diff report.
2023-12-14 12:27:34 -07:00
Daniel Pouzzner 16c6bd6846 examples/client/client.c and tests/api.c: add missing CloseSocket() calls. 2023-12-14 13:22:27 -06:00
Chris Conlon d0aa80eb37 update example/test certs for end of year release 2023-12-13 16:41:59 -07:00
Chris Conlon 255086b7c8 fix API test warning, comparison of unsigned expression < 0 is always false 2023-12-13 16:41:59 -07:00
jordan f222adf4c2 Fix issues from infer diff report. 2023-12-13 15:59:03 -06:00
Chris Conlon a66137d2fe Merge pull request #7062 from lealem47/leaks
Cleanup leaks in api.c and benchmark.c
2023-12-13 14:09:23 -07:00
Lealem Amedie 5fd0470f76 Cleanup leaks in api.c and benchmark.c 2023-12-13 13:00:52 -07:00
David Garske 56c7e5c675 Merge pull request #7054 from cconlon/sslAlpnSelectCb
Add wolfSSL_set_alpn_select_cb() for setting ALPN select callback on WOLFSSL session
2023-12-13 09:24:07 -08:00
Chris Conlon 269542ed96 add wolfSSL_set_alpn_select_cb() for WOLFSSL-level ALPN select callbacks 2023-12-13 09:16:44 -07:00
Sean Parkinson f12b61183b Merge pull request #7029 from julek-wolfssl/zd/17108-fix
Additional TLS checks
2023-12-13 14:31:11 +10:00
Juliusz Sosinowicz 493bb1760d Add option to remove early sanity checks 2023-12-12 17:31:48 +01:00
Juliusz Sosinowicz 51ba745214 ocsp: don't error out if we can't verify our certificate
We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
2023-12-12 14:49:52 +01:00
Juliusz Sosinowicz 627310d26a Additional TLS checks
- double check which messages need to be encrypted
- check msgs that have to be last in a record

ZD17108
2023-12-12 13:57:12 +01:00
David Garske cb6676fa27 Merge pull request #7030 from julek-wolfssl/gh/7000
Store ssl->options.dtlsStateful when exporting DTLS session
2023-12-11 09:39:54 -08:00
Juliusz Sosinowicz 4ce4dd7479 Use correct size for memset 2023-12-11 14:30:54 +01:00
JacobBarthelmeh ac447d1afb Merge pull request #7031 from douzzer/20231201-openssl-compat-fixes
20231201-openssl-compat-fixes
2023-12-08 17:25:53 -07:00
Juliusz Sosinowicz 6c7b47e003 Store ssl->options.dtlsStateful when exporting DTLS session 2023-12-08 15:35:34 +01:00
Sean Parkinson 6c8bf7be55 Merge pull request #6963 from julek-wolfssl/dynamic-certs-n-ciphers
Add API to choose dynamic certs based on client ciphers/sigalgs
2023-12-08 07:45:36 +10:00
Juliusz Sosinowicz fbe79d7317 Code review 2023-12-07 11:13:16 +01:00
Daniel Pouzzner 106e39bd76 tests/api.c: in test_wc_CmacFinal(), don't use wc_CmacFinalNoFree() if FIPS <5.3. 2023-12-06 21:58:55 -06:00
Daniel Pouzzner b14aba48af wolfcrypt/src/cmac.c: add wc_CmacFree(), revert wc_CmacFinal(), rename wc_CmacFinal() as wc_CmacFinalNoFree() removing its deallocation clauses, and add new wc_CmacFinal() that calls wc_CmacFinalNoFree() then calls wc_CmacFree() unconditionally, for compatibility with legacy client code (some of which may have previously leaked).
tests/api.c: modify test_wc_CmacFinal() to use wc_CmacFinalNoFree() except for the final call.

wolfcrypt/src/aes.c:
* fix wc_AesEaxEncryptAuth() and wc_AesEaxDecryptAuth() to call wc_AesEaxFree() only if wc_AesEaxInit() succeeded.
* fix wc_AesEaxInit() to free all resources on failure.
* revert wc_AesEaxEncryptFinal() and wc_AesEaxDecryptFinal() changes, then change wc_CmacFinal() calls in them to wc_CmacFinalNoFree() calls.
* wc_AesEaxFree(): add wc_CmacFree() calls.
2023-12-06 16:55:57 -06:00
Sean Parkinson c6d6100136 Merge pull request #7010 from julek-wolfssl/dtls13-0.5-rtt
dtls13: Add support for 0.5-RTT data
2023-12-07 08:41:42 +10:00
Daniel Pouzzner 689a82a622 fix AES-related code, in both crypto and TLS layers, for various uninitialized data and resource leak defects around wc_AesInit() and wc_AesFree():
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and  https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."

* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().

* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.

* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().

* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.

* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().

* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.).  A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.

* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
2023-12-05 15:58:09 -06:00
JacobBarthelmeh 1857648d7d Merge pull request #6976 from embhorn/gh6974
Fix build errors with dtls1.3 and no tls1.2
2023-12-04 14:53:35 -07:00
jordan 8c1ab783a1 Add missing wc_AesInit calls: small cleanup. 2023-11-29 18:02:45 -06:00
Juliusz Sosinowicz 3edfcfe162 Jenkins fixes 2023-11-29 23:17:10 +01:00
Juliusz Sosinowicz 9337cfbb16 Add wolfSSL_get_sigalg_info 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz 7c2344c389 Add API to get information about ciphersuites 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz fbd8996949 Add API to choose dynamic certs based on client ciphers/sigalgs 2023-11-29 23:04:19 +01:00
jordan 3158e04863 Add missing wc_AesInit calls. 2023-11-29 12:54:28 -06:00
Juliusz Sosinowicz c87339e5c3 dtls13: Add support for 0.5-RTT data 2023-11-29 15:55:59 +01:00
JacobBarthelmeh 5b3f5496f8 Merge pull request #6430 from kareem-wolfssl/memcached
Add memcached support.
2023-11-22 16:20:28 -07:00
Eric Blankenhorn 7223b5a708 Fix spelling warnings 2023-11-22 12:34:56 -06:00
JacobBarthelmeh 538ce14c62 Merge pull request #6953 from SKlimaRA/SKlimaRA/enable-ca-false
Enable encoding CA:FALSE with build flag
2023-11-20 15:03:14 -07:00
Kareem ca61034d22 Add memcached support.
memcached support: add required functions/defines.

Fix running unit test when defining DEBUG_WOLFSSL_VERBOSE without OPENSSL_EXTRA.

Break out session_id_context APIs into separate option WOLFSSL_SESSION_ID_CTX, so they can be used without OPENSSL_EXTRA.

Make wolfSSL_ERR_get_error and wolfSSL_CTX_set_mode available for memcached.

Add --enable-memcached.

Include required defines for memcached.

Revert unit test fix, no longer needed.

Add Github actions test for memcached.  Stop defining DEBUG_WOLFSSL_VERBOSE for memcached.

Add auto retry to writes.

Memcached CI: correct libevent package name.

Memcached CI: Add pkgconfig path for Github CI wolfSSL prefix.

memcached: Fix WOLFSSL_OP_NO_RENEGOTIATION going outside of int bounds, add LD_LIBRARY_PATH for memcached CI test.

memcached CI: Use correct path for wolfSSL

memcached: Add required perl dependency for SSL tests

memcached: Update to 1.6.22

memcached: actually test tls

memcached: Update wolfSSL_SSL_in_before to be side agnostic.
2023-11-20 10:10:34 -07:00
JacobBarthelmeh 6945093221 Merge pull request #6935 from SparkiDev/ssl_crypto_extract
ssl.c: Move out crypto compat APIs
2023-11-16 11:58:14 -07:00
Eric Blankenhorn 7bbeadcf97 Fix build errors with dtls1.3 and no tls1.2 2023-11-15 10:37:09 -06:00