toddouska
85da1a1d0a
Merge pull request #3271 from SparkiDev/tls13_peek
...
TLS 1.3: allow wolfSSL_peek() to return WANT_READ
2020-09-16 15:02:42 -07:00
toddouska
a3fca7f593
Merge pull request #3247 from JacobBarthelmeh/Compatibility-Layer
...
Compatiblity Layer Fixes for serial number / ASN1 time / and order of name components
2020-09-16 14:53:51 -07:00
Juliusz Sosinowicz
e34ccaf481
Fix window check
...
If `curLT` then diff needs to be decremented. For example: `diff` = 1 represents last packet so it would be the `window[idx] & (1 << 0)` bit of the window variable.
2020-09-09 23:27:49 +02:00
John Safranek
39b5448601
Merge pull request #3279 from dgarske/minor_fixes
...
Minor build fixes for typo and CMake
2020-09-08 16:45:52 -07:00
JacobBarthelmeh
58e03b2d26
Merge pull request #3272 from embhorn/zd10650
...
Check for non-blocking return code in BioSend
2020-09-08 14:25:16 -06:00
David Garske
6f5a7e87c5
Fix for CMake to only set ranlib arguments for Mac. Fix for stray typo of , -> ;. Fixes #3275 and Fixes #3278
2020-09-08 11:07:12 -07:00
Juliusz Sosinowicz
ee2d051536
Fix failing nightly
...
Failed tests when configured with `./configure --enable-dtls --enable-opensslextra --enable-sessioncerts`. Valgrind discovered a use after free bug. Nulling session->peer fixes the issue.
2020-09-07 14:36:57 +02:00
Sean Parkinson
93bb12ce86
TLS 1.3: allow wolfSSL_peek() to return WANT_READ
...
When handshake message is processed in wolfSSL_peek() then return
WANT_READ from peek instead of blocking waiting for application data.
Server may send an alert if the client certificate is invalid.
The server also may send NewSesionTicket after client has sent finished
message.
To detect alert before handling application data, then the socket needs
to be checked for data. If the data is an alert then wolfSSL_peek() will
handle the alert, but if it is a NewSessionTicket then wolfSSL_peek()
will process it and block waiting for application data - so return
WANT_READ if no application data seen after processing handshake
message.
2020-09-07 08:30:24 +10:00
toddouska
7fd51cf9d9
Merge pull request #3267 from SparkiDev/no_client_auth
...
Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing
2020-09-03 15:55:38 -07:00
toddouska
9901eb9272
Merge pull request #3249 from SparkiDev/tls13_early_data_fix
...
TLS 1.3 Early Data: fix
2020-09-03 14:49:39 -07:00
toddouska
b3acd57de5
Merge pull request #3254 from dgarske/leaks
...
Fixes valgrind leak reports (related to small stack cache)
2020-09-02 10:44:49 -07:00
toddouska
9268de229a
Merge pull request #3266 from dgarske/unit_test
...
Fix for DH compute key compatibility function failure
2020-09-02 10:23:23 -07:00
JacobBarthelmeh
914905f1bc
Merge pull request #3193 from embhorn/zd10457_b
...
Fix CheckHostName matching
2020-09-02 10:36:02 -06:00
toddouska
6f56c3c800
Merge pull request #3204 from dgarske/ocsp_nonblock
...
Fix for OCSP response in non-blocking mode and testing script improvements
2020-09-01 15:56:52 -07:00
Jacob Barthelmeh
fd2074da00
fix for order of components in issuer when using compatiblity layer api to generate cert
2020-09-01 09:27:45 -06:00
Sean Parkinson
89b9a77eca
Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing
...
Fix build for no client or server and no client auth.
Fix tests to detect when no client auth compiled and test is trying to
do client auth.
2020-09-01 15:27:46 +10:00
David Garske
c587ff72d2
Fix for occasional unit.test failure in test_wolfSSL_EVP_PKEY_derive.
2020-08-31 14:04:51 -07:00
David Garske
28b2be37cd
Merge pull request #3259 from ejohnstown/sniffer-no-oldtls
...
Sniffer without OldTls
2020-08-31 07:34:24 -07:00
Sean Parkinson
db864be6a4
TLS 1.3 Early Data: fix
...
Will process early data packets now.
Added test to check output of server for early data being received.
2020-08-31 09:03:05 +10:00
Juliusz Sosinowicz
c6d1d524fc
HAVE_SESSION_TICKET can also be defined without TLS 1.2
2020-08-28 16:05:28 +02:00
David Garske
3e685fdb5b
Fix for DTLS DoClientHello HMAC free (function has another exit point).
2020-08-27 10:02:15 -07:00
Jacob Barthelmeh
ab52bcf43d
add overried for max entries and certificate generation size
2020-08-26 19:22:57 -06:00
John Safranek
5b39976cc0
Sniffer without OldTls
...
1. Put a guard around the call to DeriveKeys() when building with
--enable-sniffer --disable-oldtls. Disabling OldTls removes the
DeriveKeys() function. Similar logic used in internal.c.
2020-08-26 16:47:44 -07:00
Eric Blankenhorn
ea5c290d60
Fix CheckHostName matching
2020-08-26 14:03:17 -05:00
David Garske
6d5731b8e9
Fixes for HMAC_CTX cleanup not being called to free SHA2 resources with WOLFSSL_SMALL_STACK_CACHE. Added return code checking and cleanup for openssl_test.
2020-08-26 09:45:26 -07:00
David Garske
61545df606
Fix to make sure DTLS cookie HMAC free gets called. Note: This does not cover the many error case paths.
2020-08-26 09:41:26 -07:00
David Garske
14e1489365
Fix for SRP leaks with WOLFSSL_SMALL_STACK_CACHE
2020-08-26 09:41:09 -07:00
Jacob Barthelmeh
bc58dde700
fix for serial number containing 0's and for RNG fail case
2020-08-26 00:03:39 -06:00
Jacob Barthelmeh
ef9beaf271
adjust sanity check on serial number size to match fix
2020-08-24 18:15:05 -06:00
Jacob Barthelmeh
c4a6fba591
fix for ASN1 time and serial number
2020-08-24 17:00:19 -06:00
David Garske
7ee2b61a5a
Peer review feedback to also check EAGAIN and always have supported.
2020-08-24 08:18:25 -07:00
David Garske
085f55195a
Fix for handling OCSP response in non-blocking mode.
2020-08-21 15:50:34 -07:00
David Garske
51c2960407
Added function comment for wolfSSL_i2a_ASN1_OBJECT. Added heap context for wolfSSL_CertManagerCheckOCSP
2020-08-21 15:47:02 -07:00
David Garske
5f059306fd
Fix for case with ssl->error not being set.
2020-08-21 15:47:02 -07:00
David Garske
1d55b2f526
Fixes for several memory leaks related to HAVE_WOLF_BIGINT.
2020-08-20 14:25:06 -07:00
John Safranek
55632a0567
Two more out of order DTLS message fixes.
2020-08-18 17:54:25 -07:00
John Safranek
113753370d
Long Test Fixes
...
1. Sniffer was trying to log a NULL pointer as a string. Logged a string instead.
2. Few misc fixes in ECC.
2020-08-18 17:54:25 -07:00
toddouska
028bddd7ab
Merge pull request #3215 from ejohnstown/release-4.5.0
...
Release Update
2020-08-17 13:51:23 -07:00
John Safranek
3be7f3ea3a
Reject DTLS application data messages in epoch 0 as out of order.
2020-08-14 17:21:39 -07:00
John Safranek
3f6861ee82
FIPS Ready Fix with ECC Timing Resistance
...
Commit 6467de5 added some timing resistance to ECC shared secret
agreement. It involved adding an RNG object to the ecc keys so
a random z value can be added to the mix. The older FIPS release
has ECC outside the boundary, so it uses the new ECC code. FIPSv2
has ECC inside the boundary, but all the TLS code checks for that
version of FIPS and leaves out the calls to the new functions as
it is using an older version of ecc.c. FIPS Ready uses the latest
version of ecc.c but compiles as FIPSv2. So, the code outside of
the crypto layer is treating ECC as FIPSv2 and not calling the new
functions, but the crypto layer assumes the RNG should be present,
and errs out on testing.
1. Added a separate option for FIPS Ready to the enable-fips
configure option. `--enable-fips=ready`. It will treat FIPS
Ready as the next kind of FIPS release. FIPS Ready will be
treated like FIPS v3 in the build.
2. Changed the C preprocessor checks for FIPS version 2 to be
checks for not version 2, with respect to ECC Timing Resistance
and FIPS builds.
2020-08-14 10:54:55 -07:00
Eric Blankenhorn
7744f0d543
Check for non-blocking return code in BioSend
2020-08-13 15:33:20 -05:00
John Safranek
64084bcba2
Add a void to the empty parameter list for the function wolfSSL_SESSION_new().
2020-08-13 13:18:29 -07:00
Sean Parkinson
bc74bfebdd
Fixes from C++ and address access checking
...
Fix access of table for cache resistance.
Don't name variable public or private.
Cast from void*
2020-08-13 15:19:49 +10:00
toddouska
21ed05b85e
Merge pull request #3214 from dgarske/snifferFreeFix
...
Fix for SSL sniffer free to properly cleanup globals
2020-08-11 20:27:09 -07:00
toddouska
fa146870bd
Merge pull request #3155 from julek-wolfssl/openssh-fixes-cherry-picked
...
Additional OpenSSL compat stuff for OpenSSH
2020-08-11 16:32:31 -07:00
toddouska
532c2f50e8
Merge pull request #3083 from julek-wolfssl/openssl-compat-X509V3_EXT_i2d
...
Implement more OpenSSL compatibility functions
2020-08-11 15:01:41 -07:00
David Garske
65bcc03885
Fix for SSL sniffer free to properly cleanup globals (resolves issue with then calling ssl_InitSniffer -> ssl_FreeSniffer then ssl_InitSniffer again). ZD 10757.
2020-08-11 14:07:32 -07:00
Jacob Barthelmeh
5cede22d1e
wait to set size till after sanity check
2020-08-11 12:59:01 -06:00
toddouska
87a00df2ea
Merge pull request #3118 from julek-wolfssl/aead-only-fix
...
Check for WOLFSSL_AEAD_ONLY in wolfSSL_dtls_import_internal
2020-08-11 09:33:47 -07:00
toddouska
4e6bc02257
Merge pull request #2982 from SparkiDev/ecc_sc
...
ECC now calls mp_submod_ct and mp_addmod_ct
2020-08-11 09:26:56 -07:00