1. Removed a flag set that would force all certificates in a chain
to be verified. There was a compile time option to make that happen
already.
2. Replace some options for some test failure test cases that were added
and immediately removed.
(ZD 11292)
1. Fixed a couple possible 0 byte allocations.
2. Fixed a couple missed frees due to error conditions.
3. Fixed a possible double free.
To recreate:
$ scan-build ./configure --disable-shared --enable-opensslextra=x509small --disable-memory
$ scan-build ./configure --disable-shared --enable-opensslextra --disable-memory
Make default to pick lowest hash with RSA and ECC (TLS 1.2 and lower).
WOLFSSL_STRONGEST_HASH_SIG picks the strongest hash.
WOLFSSL_ECDSA_MATCH_HASH will pick the hash to match the ECC curve.
--enable-leanpsk --disable-tls13:
ensure WriteSEQ is defined when !WOLFSSL_NO_TLS12 (tls.c)
CFLAGS=-DWOLFSSL_NO_CLIENT_AUTH -disable-tls13"
TLS server was expecting certificate from peer when verifyPeer is
set. Fix with checks for !WOLFSSL_NO_CLIENT_AUTH.
1. Changed the ASN1_OBJECT member of the X509_NAME_ENTRY to be a pointer
rather than an object. It could lead to a double free on the name
entry.
2. The ASN1_OBJECT allocator should set the dynamic flag, as the
deallocator is the one that uses it.
3. General changes to treat the member as a pointer rather than a
member.
4. In the api test, we were iterating over the name members in the name
checking the NIDs. After the loop we freed the name member object.
This led to a double free error.
client was checking it too strictly. The pubkey value should be checked
as strictly as the generator, for too large. The public key value is
checked mathematically elsewhere.
1. Changed the bounds of checking the key from comparisons to constants
to comparisons against WOLFSSL object settings for the DH key bounds.
2. Removed redundant bounds check on the server's prime.
1. Check the length values for the DH key domain and public key in the
server key exchange message to make sure they are within the bounds
set by the configuration. (Minimum key size is 2048 bits for DH.)
These changes fix several fuzz testing reports. (ZD 11088 and ZD 11101)
1. In GetDhPublicKey(), the DH Pubkey is owned by the SSL session. It
doesn't need to be in the check for weOwnDh before freeing. There
could be a chance it leaks.
2. In GeneratePublicDh() and GeneratePrivateDh(), the size of the
destination buffer should be stored at the location pointed to by the
size pointer. Check that before writing into the destination buffer.
3. Ensure the size of the private and public key values are in the size
value before generating or getting the DH keys.
