Commit Graph

365 Commits

Author SHA1 Message Date
toddouska 107290b552 Merge pull request #1515 from dgarske/buildfixes
Fixes for various build configurations
2018-04-25 10:23:27 -07:00
toddouska 5c61810d4d Merge pull request #1497 from SparkiDev/tls13_draft28
Tls13 draft28
2018-04-25 10:17:37 -07:00
David Garske 3c684886ad Fixes to resolve building --enable-tls13 --disable-ecc --enable-curve25519 --enable-ed25519. 2018-04-25 07:54:53 -07:00
toddouska 1ddccf63dc Merge pull request #1496 from JacobBarthelmeh/Compatibility-Layer
Compatibility layer
2018-04-24 13:33:33 -07:00
Sean Parkinson 94157634e1 TLS 1.3 fixes/improvements
Support Draft 28: able to compile code to return BAD_BINDER if no PSKs
match and certificates not to be used.
Change key share implementation to use server preference - server now
checks each client key share's group is in supported_groups extension.
Client and server examples modified to support server preference.
Application can set client's and server's supported groups by rank.
Server's supported groups is sent back in encrypted_extensions if
preferred group is not in client's list - able to be turned off at
compile time.
Application can query server's preferred group from client.
Able to compile using 0x0304 as version instead of draft version.
Fix state machine in TLS 1.3 to support unexpected hello_retry_request.
Also fixes non-blocking.
Fix resumption to use the named group from session.
Fix named group in session structure to be a 2-byte field.
Better detection of errors in message flow.
Fix DoTls13ClientHello when downgrading - don't do TLS 1.3 things.
Not downgrading on client fixed.
Downgrade protocol version from TLS 1.3 when not TLS 1.3 ciphersuite.
Get downgrading from TLS 1.3 and resumption working.
Change earlyData value to an enum.
Support no extensions data (as opposed to zero length extension data) in
TLS 1.3 ClientHello.
Check PSK cipher suite is available to both client and server before
using.
Check first PSK identity chosen when server says it is using early data
at client.
Check PSK extension is last in client_hello on server.
Check the PSK cipher suite to use is supported on client.
Check the returned cipher suite for pre-shared keys is the same as
client expects.
Send alert decrypt_error when verification fails in certificate_verify
or finished message doesn't match calculated value.
Fail when certificate messages recieved in handshake when using PSK.
Validate on the server that EndOfEarlyData message has been recieved
before finished message when server sent EarlyData extension.
2018-04-20 09:44:02 +10:00
Takashi Kojo bf950198f2 api.c: option conditions 2018-04-18 13:02:40 +09:00
Takashi Kojo 56af3a5b36 add HMAC SHA2 2018-04-18 08:47:39 +09:00
toddouska 09706a4ed2 Merge pull request #1488 from SparkiDev/tls13_perf
Changes for interop and performance
2018-04-16 09:16:13 -07:00
Jacob Barthelmeh f9eda5d790 free test certificate after use 2018-04-13 09:16:22 -06:00
Eric Blankenhorn a0d8327320 Coverity fixes 2 (#1493)
* Coverity fixes for wolfcrypt folder
* Fixes for remaining issues
* Fixes for test files
2018-04-13 05:35:18 -07:00
Sean Parkinson 0b47811c46 Changes for interop and performance
Changes made to test.h to allow interop of PSK with OpenSSL.
Changes to allow server to pre-generate key share and perform other
operations at later time.
Fix ChaCha20 code header to have bigger state to support assembly code
for AVX1.
Fix Curve25519 code to use define instead.
Change Curve25519 to memset all object data on init.
Change Poly1305 to put both sizes into one buffer to avoid a second call
to wc_Poly1305Update().
Added WOLFSSL_START and WOLFSSL_END API and calls to show time of
protocol message function enter and leave to analyse performance
differences.
Moved Curve25519 code in KeyShare extension out of general ECC code.
2018-04-13 12:01:20 +10:00
Jacob Barthelmeh cfaed48f90 adjust GetInt call with ASN1 integer to big number 2018-04-12 14:40:20 -06:00
Jacob Barthelmeh df06707496 Handle larger values with ASN1 INTEGER structure 2018-04-12 14:07:29 -06:00
David Garske ce6728951f Added a new --enable-opensslall option, which ensures all openssl features are enabled. Documented and tested building the various open source defines we support in our build. 2018-04-11 13:54:07 -07:00
David Garske a38576146e * Added support for disabling PEM to DER functionality using WOLFSSL_PEM_TO_DER. This allows way to use with DER (ASN.1) certificates only in an embedded environment. This option builds, but internal make check requires PEM support for tests.
* More cleanup to move PEM functions from ssl.c to asn.c (`wolfSSL_CertPemToDer`, `wolfSSL_KeyPemToDer`, `wolfSSL_PubKeyPemToDer`). Renamed these API's to `wc_` and added backwards compatability macro for old function names.
2018-04-09 13:28:15 -07:00
David Garske 6de8348918 Fixes for various build configurations. Added --enable-enckeys option to enable support for encrypted PEM private keys using password callback without having to use opensslextra. Moved ASN CryptKey function to wc_encrypt.c as wc_CryptKey. Fixup some missing heap args on XMALLOC/XFREE in asn.c. 2018-04-09 13:28:15 -07:00
David Garske c83e63853d Refactor unqiue hash types to use same internal values (ex WC_MD5 == WC_HASH_TYPE_MD5). Refactor the Sha3 types to use wc_ naming. 2018-04-09 13:28:15 -07:00
David Garske 21833e245f Fix TLS 1.3 with ECC disabled and CURVE25519 enabled. Resolves issue with using ./configure --disable-ecc --enable-curve25519 --enable-ed25519 --enable-tls13. Refactor TLSX_KeyShare_GenEccKey to support either ECC or CURVE25519. Fix for PemToDer to handle ED25519 without ECC enabled. 2018-04-09 10:10:08 -07:00
David Garske c288d0815d Added support for building and using PKCS7 without RSA (assuming ECC is enabled). 2018-04-03 09:26:57 -07:00
jrblixt 1cd6075b9d Nightly build fix. 2018-03-27 16:54:14 -06:00
Chris Conlon c08f5b86cf Merge pull request #1444 from jrblixt/unitTest_api_addPkcs-PR03162018
Unit test functions for PKCS#7.
2018-03-23 10:00:33 -06:00
jrblixt 316a2b9fb4 Review changes: Chris. 2018-03-22 15:35:25 -06:00
Jacob Barthelmeh df6ea54cd5 add support for PKCS8 decryption to OPENSSL_EXTRA_X509_SMALL build 2018-03-20 15:06:35 -06:00
jrblixt 2788183e79 Known config. tests fix. 2018-03-20 14:35:26 -06:00
jrblixt 1aba6e9b44 Prepare for PR. 2018-03-16 17:07:28 -06:00
Jacob Barthelmeh e0afec0600 fix RSA macro, tickets without server, and add test case 2018-03-08 14:36:43 -07:00
toddouska 442430d39e Merge pull request #1392 from ejohnstown/rsa-decrypt-check
RSA Decrypt Bounds Checking
2018-02-26 12:19:37 -08:00
John Safranek a49553df6a RSA Decrypt Bounds Checking
1. Added some bounds checking on the ciphertext passed into the RSA decrypt function. NIST SP 800-56B specifies that the ciphertext shouldn't be a number larger than the modulus.
2. Added an API test to check that the direct RSA decrypt function returns an error with a "bad" message.
3. Added an ifndef guard to disable the bounds check. Default is to keep the bounds check.
4. RSA Decrypt bounds check only checked the first time into wc_RsaFunction().
2018-02-23 17:04:05 -08:00
JacobBarthelmeh 89390180a0 Merge branch 'master' into Compatibility-Layer 2018-02-22 15:24:31 -07:00
Jacob Barthelmeh fd7ffc992f fix for unused variables 2018-02-21 11:19:49 -07:00
Jacob Barthelmeh 2a15b3912b revert pkcs7 attrib structure for scep and add more macro guards for AES key size 2018-02-19 17:32:39 -07:00
Jacob Barthelmeh c9525d9c1d add opensslextra=x509small build option 2018-02-19 17:32:39 -07:00
Jacob Barthelmeh f569645212 add wolfSSL_SHA256 function 2018-02-16 16:57:45 -07:00
Jacob Barthelmeh a651b08afa add wolfSSL_AES_ecb_encrypt function 2018-02-16 15:08:31 -07:00
JacobBarthelmeh 223edab6d9 Merge pull request #1378 from dgarske/evp_gcc7_async_test
Fixes a few build errors with EVP/wolfCrypt test and async API test hang
2018-02-16 13:11:36 -07:00
David Garske ae5dac8994 Fixes for GCC 7 build errors with evp.c and switch fall through. General EVP code formatting cleanup. Fix for wolfCrypt test un-used var when HAVE_AES_CBC not defined. Fix for async in test_wolfSSL_SESSION with err not being initialized. 2018-02-16 09:32:40 -08:00
Jacob Barthelmeh 488a795747 add wolfSSL_PEM_read_bio_RSAPrivateKey function 2018-02-15 22:34:50 -07:00
John Safranek d8eff923f1 Merge pull request #1372 from JacobBarthelmeh/UnitTests
clear error node queue after test case and initialize logging buffer
2018-02-15 08:40:45 -08:00
David Garske 9ff97997a6 Merge pull request #1360 from SparkiDev/sp_math
Minimal implementation of MP when using SP.
2018-02-14 15:49:23 -08:00
Jacob Barthelmeh c1b1fbaf7e clear error node queue after test case 2018-02-14 13:55:43 -07:00
Jacob Barthelmeh c09e55c749 add check for having ECC enabled when testing with ECC certificate 2018-02-12 09:59:35 -07:00
toddouska d827e93af9 Merge pull request #1329 from JacobBarthelmeh/PKCS12
PKCS12 reverse order that certificates are compared for keypair
2018-02-09 13:15:07 -08:00
Sean Parkinson a3a4f2d59c Minimal implementation of MP when using SP.
--enable-sp-math to include minimal implementation of MP (only with
--enable-sp.)
Add futher functionality for ECC (conditionally compiled):
- check key
- is point on curve
- API to add and double projective points
- API to map from project to affine
- Uncompress point (including sqrt)
Some configuration options will not work with SP math - configure.ac
detects this and errors out.
Change test code to better support SP sizes only.
2018-02-08 15:50:17 +10:00
Jacob Barthelmeh 62b8c0c3fd add test case for order of certificates with PKCS12 parse 2018-02-07 16:52:39 -07:00
toddouska d63373066b Merge pull request #1331 from JacobBarthelmeh/Compatibility-Layer
add comments and better error checking for PKCS8 strip
2018-02-02 10:50:29 -08:00
Takashi Kojo 162326dfcb fix shadow global 2018-01-22 01:19:45 +09:00
Jacob Barthelmeh 1428934ad5 add comments and better error checking for PKCS8 strip 2018-01-19 16:53:12 -07:00
toddouska 2efe7f6d96 Merge pull request #1319 from JacobBarthelmeh/Compatibility-Layer-Part5
Compatibility layer part4
2018-01-19 14:49:12 -08:00
John Safranek 9654f19075 RSA Key Gen Test Fix
A recent change to the RSA key generation process is capping the number of attempts of finding a probable prime to a multiple of the prime's size, in FIPS builds. This means it might fail once in a while. (It could also fail for a couple other reasons but this is the most likely.) The API is changed to retry key generation until it succeeds. Non-FIPS builds keep trying until they find a prime.
2018-01-18 12:20:25 -08:00
Jacob Barthelmeh 19288ea127 casting values, update names, g++ build 2018-01-17 12:18:00 -07:00