Commit Graph

2327 Commits

Author SHA1 Message Date
Eric Blankenhorn ab6dc8d669 Add ability to set ECC Sign userCTX using WOLFSSL_CTX 2022-04-11 08:41:27 -05:00
Daniel Pouzzner 0d6c283f7a fixes for -Werror=declaration-after-statement in debug builds. 2022-04-04 09:29:26 -05:00
Daniel Pouzzner ae3996fd0e fix codebase for -Wvla -Wdeclaration-after-statement; fix some whitespace. 2022-04-01 14:44:10 -05:00
Eric Blankenhorn ea38e1aab5 Add wolfSSL_CTX_SetCertCbCtx to set user context for CB 2022-03-30 12:27:11 -05:00
Daniel Pouzzner 12776b3772 fixups for warnings from gcc-12:
src/internal.c: use XMEMCMP(), not ==, to compare array elements (fixes conflict of 74408e3ee3 vs 617eda9d44);

fix spelling of NAMEDGROUP_LEN (was NAMEDGREOUP_LEN);

src/ssl.c: in CheckcipherList() and wolfSSL_parse_cipher_list(), use XMEMCPY(), not XSTRNCPY(), to avoid (benign) -Wstringop-truncation;

scripts/sniffer-tls13-gen.sh: fix for shellcheck SC2242 (exit 1, not -1).
2022-03-24 16:33:36 -05:00
Anthony Hu ceae169a34 Merge pull request #4969 from dgarske/pk_pubkey 2022-03-24 12:40:03 -04:00
David Garske aa38d99538 Fix for TLS PK callback issue with Ed25519/Ed448 and public key not being set. 2022-03-22 08:33:54 -07:00
David Garske 59665a44b5 Fixes for allowing server to have a public key set when using external key with PK callbacks. 2022-03-21 13:14:24 -07:00
David Garske 29c120356e Sniffer asynchronous support.
* Adds stateful handling of DH shared secret computation in `SetupKeys`.
* Improved the decrypt handling to use internal functions and avoid generating alerts on failures.
* Fix for sniffer resume due to missing `sessionIDSz` broken in #4807.
* Fix sniffer test cases to split resume (session_ticket) tests.
* Add `snifftest` list of build features so test script can gate running resume test.
2022-03-21 12:05:08 -07:00
David Garske 8bf14ba1d3 Merge pull request #4957 from JacobBarthelmeh/Compatibility-Layer
alter return value and add error string
2022-03-21 09:10:04 -07:00
Sean Parkinson ef66a12a24 Merge pull request #4961 from dgarske/cust_fixups
Various portability improvements (Time, DTLS epoch size, IV alloc)
2022-03-18 11:38:57 +10:00
David Garske b546b2a5ec Improve logic around private key id/label. Adds WOLF_PRIVATE_KEY_ID. 2022-03-17 14:48:30 -07:00
David Garske ae25a48509 Improve the build message to not always allocate the IV (16 byte) (use fixed buffer if <= 16 bytes). 2022-03-17 14:01:57 -07:00
David Garske 3fba5d17c3 Various portability improvements:
* Change DTLS epoch size word16.
* Allow override of the `RECORD_SIZE` and `STATIC_BUFFER_LEN`.
* Remove endianness force from game build.
* Add `gmtime_s` option.
* Fix for macro conflict with `MAX_KEY_SIZE`.
* Expose functions `wolfSSL_X509_notBefore`, `wolfSSL_X509_notAfter`, `wolfSSL_X509_version` without `OPENSSL_EXTRA`.
2022-03-17 14:00:55 -07:00
JacobBarthelmeh d0e83be596 alter return value and add error string 2022-03-15 10:26:59 -07:00
Sean Parkinson 9ed061cc96 TLS: add peer authentication failsafe for TLS 1.2 and below
Tightened the TLS 1.3 failsafe checks too.
2022-03-15 08:51:44 +10:00
David Garske 570daa6a7f Enable support for STM32U585 and PQ on M4 2022-03-10 14:19:01 -05:00
David Garske 3839b0e675 Fixes for building wolfSSL along side openssl. 2022-03-04 12:06:24 -08:00
Sean Parkinson 63e4ba5854 Merge pull request #4906 from julek-wolfssl/ZD13606-master
Fix issues reported in ZD13606
2022-03-03 21:27:22 +10:00
Juliusz Sosinowicz c7c3ee00bb Address code review
- Use functions instead of accessing `BIO` members
- Add `wolfSSL_BIO_method_type`
2022-03-03 10:09:41 +01:00
David Garske 119f2d2651 Fix for padding in session tickets. Adds padding based on WOLFSSL_GENERAL_ALIGNMENT. Increases enc_len to 32-bit. Related to PR #4887 2022-03-01 15:40:57 -08:00
Juliusz Sosinowicz a104cf887e Ticket failure should result in a regular handshake 2022-03-01 10:34:43 +01:00
David Garske 821fd3c898 Peer review fixes. Check idSz and add comment about session variable use. 2022-02-25 11:38:05 -08:00
David Garske 269ab86002 Fixes for DoClientTicket changes. 2022-02-24 14:28:50 -08:00
David Garske 0824a64c92 Merge pull request #4807 from julek-wolfssl/stunnel-5.61
stunnel 5.61 support
2022-02-23 09:41:51 -08:00
Juliusz Sosinowicz 2c978a96b2 Prevent possibility of an infinite retry loop and resource exhaution
Reported in ZD13606
2022-02-23 10:07:21 +01:00
Juliusz Sosinowicz 617eda9d44 Fix misc memory issues
- Make `InternalTicket` memory alignment independent
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz ceff401269 Fixes for Jenkins tests
- Move test to `HAVE_IO_TESTS_DEPENDENCIES`
- Implement `wolfSSL_trust_peer_cert`
- have{cipher} options weren't being set with only RSA enabled
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz 91b08fb691 Allocate ssl->session separately on the heap
- Refactor session cache access into `AddSessionToCache` and `wolfSSL_GetSessionFromCache`
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz 1d712d47ba Access to session cache is now atomic
- Adding and getting sessions to and from the local cache is now atomic.
  - The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
  -`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz afca455cda stunnel 5.61 support
- New/Implemented API
  - `SSL_has_pending`
  - `wolfSSL_CertManagerLoadCRLFile`
  - `wolfSSL_LoadCRLFile`
  - `wolfSSL_CTX_LoadCRLFile`
  - `wolfSSL_CTX_add_session`
- Calling chain certificate API (for example `wolfSSL_CTX_use_certificate_chain_file`) no longer requires an actual chain certificate PEM file to be passed in as input. `ProcessUserChain` error in `ProcessBuffer` is ignored if it returns that it didn't find a chain.
- Add `WOLFSSL_TICKET_HAVE_ID` macro. When defined tickets will include the original session ID that can be used to lookup the session in internal cache. This is useful for fetching information about the peer that doesn't get sent in a resumption (such as the peer's certificate chain).
  - Add `ssl->ticketSessionID` field because `ssl->session.sessionID` is used to return the "bogus" session ID sent by the client in TLS 1.3
- `OPENSSL_COMPATIBLE_DEFAULTS` changes
  - Define `WOLFSSL_TRUST_PEER_CERT` and certificates added as CA's will also be loaded as trusted peer certificates
  - Define `WOLFSSL_TLS13_MIDDLEBOX_COMPAT`
- Seperate `internalCacheOff` and `internalCacheLookupOff` options to govern session addition and lookup
- `VerifyServerSuite` now determines if RSA is available by checking for it directly and not assuming it as the default if static ECC is not available
- `WOLFSSL_SESSION` changes
  - `ssl->extSession` added to return a dynamic session when internalCacheOff is set
  - `ssl->session.refPtr` made dynamic and gets free'd in `SSL_ResourceFree`
- If `SSL_MODE_AUTO_RETRY` is set then retry should only occur during a handshake
- `WOLFSSL_TRUST_PEER_CERT` code now always uses `cert->subjectHash` for the `cm->tpTable` table row selection
- Change some error message names to line up with OpenSSL equivalents
- Run `MatchSuite` again if certificate setup callback installed and successful
- Refactor clearing `ASN_NO_PEM_HEADER` off the error queue into a macro
- `wolfSSL_get_peer_certificate` now returns a duplicated object meaning that the caller needs to free the returned object
- Allign `wolfSSL_CRYPTO_set_mem_functions` callbacks with OpenSSL API
- `wolfSSL_d2i_PKCS12_bio` now consumes the input BIO. It now supports all supported BIO's instead of only memory BIO.
- stunnel specific
  - Always return a session object even if we don't have a session in cache. This allows stunnel to save information in the session external data that will be transfered to new connections if the session is reused
  - When allocating a dynamic session, always do `wolfSSL_SESSION_set_ex_data(session, 0, (void *)(-1)`. This is to mimic the new index callback set in `SSL_SESSION_get_ex_new_index`.
- Fix comment in `wolfSSL_AES_cbc_encrypt`
- Trusted peer certificate suite tests need to have CRL disabled since we don't have the issuer certificate in the CA store if the certificates are only added as trusted peer certificates.
tested
2022-02-23 09:47:34 +01:00
Sean Parkinson d33b787993 BIO: move APIs out of ssl.c
Get configuration working: --enable-all CFLAGS=-DNO_BIO
2022-02-23 14:11:30 +10:00
David Garske fef8a57eb2 Merge pull request #4880 from julek-wolfssl/plain-alert
Detect if we are processing a plaintext alert
2022-02-22 10:11:08 -08:00
David Garske 6a81cc976e Merge pull request #4872 from SparkiDev/tls13_empty_cert_cli
TLS 1.3: fail immediately if server sends empty certificate message
2022-02-21 14:10:40 -08:00
David Garske 38d4da56ab Merge pull request #4857 from julek-wolfssl/ZD13631
Reported in ZD13631
2022-02-21 14:01:51 -08:00
Sean Parkinson 9263e6ead3 TLS 1.3: fail immediately if server sends empty certificate message 2022-02-21 21:34:13 +10:00
Maxime Vincent 111ae9da84 Fix WOLFSSL_NO_TLS12 for Async dev 2022-02-17 08:10:19 +01:00
Juliusz Sosinowicz c5875cfc5a Detect if we are processing a plaintext alert 2022-02-16 10:50:44 +01:00
David Garske 16566f329e Fix typo for no server. Should be NO_WOLFSSL_SERVER. 2022-02-14 10:37:34 -08:00
Juliusz Sosinowicz 445ed2f234 Reported in ZD13631
`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
2022-02-14 11:01:59 +01:00
Eric Blankenhorn c472b3582e Merge pull request #4839 from douzzer/20220207-clang-tidy-15
20220208 clang-tidy-15 fixes etc.
2022-02-09 08:36:18 -06:00
Daniel Pouzzner 74408e3ee3 fixes for whitespace, C++ warnings, and LLVM 15 clang-tidy defects/carps:
* whitespace in src/ssl.c, tests/api.c, wolfssl/openssl/fips_rand.h.

* clang-analyzer-core.StackAddressEscape from llvm-15 clang-tidy, in tests/suites.c:execute_test_case().

* bugprone-suspicious-memory-comparison from llvm-15 clang-tidy, in src/internal.c:DoSessionTicket() and src/ssl.c:wolfSSL_sk_push().
2022-02-08 15:20:22 -06:00
David Garske 3cdb1c639d Improve the client certificate checking logic. Make sure calling wolfSSL_CTX_mutual_auth is also checked. 2022-02-07 08:09:38 -08:00
David Garske 1f8ff7d9fe Merge pull request #4822 from embhorn/zd13613
Fix warnings in VS
2022-02-04 15:37:31 -08:00
Eric Blankenhorn f0b953ce0c Fix warnings in VS 2022-02-03 07:19:43 -06:00
David Garske d3e3f57b77 Merge pull request #4818 from julek-wolfssl/guido-13454
`object` and `value` need to be `free`'ed
2022-02-02 16:04:39 -08:00
Juliusz Sosinowicz 97dd974a94 object and value need to be free'ed 2022-02-02 23:13:59 +01:00
Juliusz Sosinowicz 1552e89810 For 0 OpenSSL prints "ok" 2022-02-02 15:54:21 +01:00
David Garske 99799a3e3e Merge pull request #4806 from anhu/kill_idea
Purge IDEA cipher
2022-02-01 12:27:55 -08:00
Hayden Roche 24a2ed7e9e Merge pull request #4780 from dgarske/ipsec_racoon 2022-01-31 15:10:58 -08:00