wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-02-04 02:05:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,554 Commits 12 Branches 184 Tags
478c0633e70be6c486192b8fdd421aeba369a04d
Commit Graph

2538 Commits

Author SHA1 Message Date
JacobBarthelmeh
eb1fff3ad3 Merge pull request #7141 from julek-wolfssl/zd/17249 
EarlySanityCheckMsgReceived: version_negotiated should always be checked
 2024-01-22 12:18:57 -08:00
JacobBarthelmeh
0c150d2391 Merge pull request #7150 from dgarske/getenv 
Fix build with `NO_STDIO_FILESYSTEM` and improve checks for `XGETENV`
 2024-01-22 08:33:24 -08:00
David Garske
76550465bd Fixes build with NO_STDIO_FILESYSTEM defined. 2024-01-19 12:49:53 -08:00
David Garske
6b8280f663 Merge pull request #7144 from bandi13/20240119-codesonar 
20240119 codesonar
 2024-01-19 09:35:02 -08:00
David Garske
a3a7012c81 Merge pull request #7136 from jpbland1/x509-new-ex 
add heap hint support for a few of the x509 functions
 2024-01-19 09:29:47 -08:00
Andras Fekete
7069a1805a Avoid "Use after free" 
Warning 544767.5627232
 2024-01-19 10:47:38 -05:00
Juliusz Sosinowicz
f6ef146149 EarlySanityCheckMsgReceived: version_negotiated should always be checked 
Multiple handshake messages in one record will fail the MsgCheckBoundary() check on the client side when the client is set to TLS 1.3 but allows downgrading.
  --> ClientHello
  <-- ServerHello + rest of TLS 1.2 flight
  Client returns OUT_OF_ORDER_E because in TLS 1.3 the ServerHello has to be the last message in a record. In TLS 1.2 the ServerHello can be in the same record as the rest of the server's first flight.
 2024-01-19 14:57:35 +01:00
Anthony Hu
9be390250d Adding support for dual key/signature certificates. (#7112) 
Adding support for dual key/signature certificates with X9.146. Enabled with `--enable-dual-alg-certs` or `WOLFSSL_DUAL_ALG_CERTS`.
 2024-01-18 13:20:57 -08:00
John Bland
41ea1109ec update uses of wolfSSL_X509_new and wolfSSL_X509_d2i 
where heap doesn't require a new ex function or struct field to avoid size increase
 2024-01-17 18:46:24 -05:00
David Garske
11029127df Merge pull request #7119 from JacobBarthelmeh/crl 
support for RSA-PSS signatures with CRL
 2024-01-16 15:23:16 -08:00
JacobBarthelmeh
b140f93b17 refactor sigParams allocation and adjust test file name 2024-01-16 14:41:24 -07:00
David Garske
06a32d3437 Merge pull request #7097 from lealem47/removeUserCrypto 
Remove user-crypto functionality and Intel IPP support
 2024-01-09 17:33:28 -08:00
JacobBarthelmeh
cd07e32b13 update crl files and add in compat support for RSA-PSS 2024-01-08 16:38:11 -08:00
JacobBarthelmeh
d58acef895 add RSA-PSS CRL test case 2024-01-05 14:47:53 -08:00
Juliusz Sosinowicz
5bdcfaa5d0 server: allow reading 0-RTT data after writing 0.5-RTT data 2024-01-04 13:19:44 +01:00
jordan
e175004f85 Fix Infer Uninitialized Values. 2024-01-02 12:16:20 -06:00
Lealem Amedie
837452b1ca Remove user-crypto functionality and Intel IPP support 2023-12-27 12:24:19 -07:00
Daniel Pouzzner
e65e9f11c7 fixes for clang -Wunreachable-code-aggressive (-Wunreachable-code/clang-diagnostic-unreachable-code in src/ssl.c:wolfSSL_CTX_load_verify_buffer_ex() and -Wunreachable-code/clang-diagnostic-unreachable-code-return in api.c:myCEKwrapFunc()). 2023-12-22 14:12:13 -06:00
Daniel Pouzzner
f2d573f01f wolfssl/wolfcrypt/asn.h, src/ssl.c: add "ANONk" to enum Key_Sum, and use the new value in wolfSSL_get_sigalg_info(), fixing clang-analyzer-optin.core.EnumCastOutOfRange. 
add suppressions in tests for expected clang-analyzer-optin.core.EnumCastOutOfRange's.
 2023-12-19 18:14:29 -06:00
Chris Conlon
2ffc818c28 Merge pull request #7069 from douzzer/20231213-misc-fixes 
20231213-misc-fixes
 2023-12-14 15:18:12 -07:00
Chris Conlon
f6ef58dbc2 Merge pull request #7064 from philljj/fix_infer_issues 
Fix issues from infer diff report.
 2023-12-14 12:27:34 -07:00
Daniel Pouzzner
16c6bd6846 examples/client/client.c and tests/api.c: add missing CloseSocket() calls. 2023-12-14 13:22:27 -06:00
Chris Conlon
d0aa80eb37 update example/test certs for end of year release 2023-12-13 16:41:59 -07:00
Chris Conlon
255086b7c8 fix API test warning, comparison of unsigned expression < 0 is always false 2023-12-13 16:41:59 -07:00
jordan
f222adf4c2 Fix issues from infer diff report. 2023-12-13 15:59:03 -06:00
Chris Conlon
a66137d2fe Merge pull request #7062 from lealem47/leaks 
Cleanup leaks in api.c and benchmark.c
 2023-12-13 14:09:23 -07:00
Lealem Amedie
5fd0470f76 Cleanup leaks in api.c and benchmark.c 2023-12-13 13:00:52 -07:00
David Garske
56c7e5c675 Merge pull request #7054 from cconlon/sslAlpnSelectCb 
Add wolfSSL_set_alpn_select_cb() for setting ALPN select callback on WOLFSSL session
 2023-12-13 09:24:07 -08:00
Chris Conlon
269542ed96 add wolfSSL_set_alpn_select_cb() for WOLFSSL-level ALPN select callbacks 2023-12-13 09:16:44 -07:00
Sean Parkinson
f12b61183b Merge pull request #7029 from julek-wolfssl/zd/17108-fix 
Additional TLS checks
 2023-12-13 14:31:11 +10:00
Juliusz Sosinowicz
493bb1760d Add option to remove early sanity checks 2023-12-12 17:31:48 +01:00
Juliusz Sosinowicz
51ba745214 ocsp: don't error out if we can't verify our certificate 
We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
 2023-12-12 14:49:52 +01:00
Juliusz Sosinowicz
627310d26a Additional TLS checks 
- double check which messages need to be encrypted
- check msgs that have to be last in a record

ZD17108
 2023-12-12 13:57:12 +01:00
David Garske
cb6676fa27 Merge pull request #7030 from julek-wolfssl/gh/7000 
Store ssl->options.dtlsStateful when exporting DTLS session
 2023-12-11 09:39:54 -08:00
Juliusz Sosinowicz
4ce4dd7479 Use correct size for memset 2023-12-11 14:30:54 +01:00
JacobBarthelmeh
ac447d1afb Merge pull request #7031 from douzzer/20231201-openssl-compat-fixes 
20231201-openssl-compat-fixes
 2023-12-08 17:25:53 -07:00
Juliusz Sosinowicz
6c7b47e003 Store ssl->options.dtlsStateful when exporting DTLS session 2023-12-08 15:35:34 +01:00
Sean Parkinson
6c8bf7be55 Merge pull request #6963 from julek-wolfssl/dynamic-certs-n-ciphers 
Add API to choose dynamic certs based on client ciphers/sigalgs
 2023-12-08 07:45:36 +10:00
Juliusz Sosinowicz
fbe79d7317 Code review 2023-12-07 11:13:16 +01:00
Daniel Pouzzner
106e39bd76 tests/api.c: in test_wc_CmacFinal(), don't use wc_CmacFinalNoFree() if FIPS <5.3. 2023-12-06 21:58:55 -06:00
Daniel Pouzzner
b14aba48af wolfcrypt/src/cmac.c: add wc_CmacFree(), revert wc_CmacFinal(), rename wc_CmacFinal() as wc_CmacFinalNoFree() removing its deallocation clauses, and add new wc_CmacFinal() that calls wc_CmacFinalNoFree() then calls wc_CmacFree() unconditionally, for compatibility with legacy client code (some of which may have previously leaked). 
tests/api.c: modify test_wc_CmacFinal() to use wc_CmacFinalNoFree() except for the final call.

wolfcrypt/src/aes.c:
* fix wc_AesEaxEncryptAuth() and wc_AesEaxDecryptAuth() to call wc_AesEaxFree() only if wc_AesEaxInit() succeeded.
* fix wc_AesEaxInit() to free all resources on failure.
* revert wc_AesEaxEncryptFinal() and wc_AesEaxDecryptFinal() changes, then change wc_CmacFinal() calls in them to wc_CmacFinalNoFree() calls.
* wc_AesEaxFree(): add wc_CmacFree() calls.
 2023-12-06 16:55:57 -06:00
Sean Parkinson
c6d6100136 Merge pull request #7010 from julek-wolfssl/dtls13-0.5-rtt 
dtls13: Add support for 0.5-RTT data
 2023-12-07 08:41:42 +10:00
Daniel Pouzzner
689a82a622 fix AES-related code, in both crypto and TLS layers, for various uninitialized data and resource leak defects around wc_AesInit() and wc_AesFree(): 
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and  https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."

* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().

* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.

* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().

* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.

* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().

* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.).  A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.

* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
 2023-12-05 15:58:09 -06:00
JacobBarthelmeh
1857648d7d Merge pull request #6976 from embhorn/gh6974 
Fix build errors with dtls1.3 and no tls1.2
 2023-12-04 14:53:35 -07:00
jordan
8c1ab783a1 Add missing wc_AesInit calls: small cleanup. 2023-11-29 18:02:45 -06:00
Juliusz Sosinowicz
3edfcfe162 Jenkins fixes 2023-11-29 23:17:10 +01:00
Juliusz Sosinowicz
9337cfbb16 Add wolfSSL_get_sigalg_info 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz
7c2344c389 Add API to get information about ciphersuites 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz
fbd8996949 Add API to choose dynamic certs based on client ciphers/sigalgs 2023-11-29 23:04:19 +01:00
jordan
3158e04863 Add missing wc_AesInit calls. 2023-11-29 12:54:28 -06:00