Commit Graph

2095 Commits

Author SHA1 Message Date
Marco Oliverio 7edc916057 wolfcrypt/wolfssl: tests: adding missing wc_Aes*Free()
In some Aes implementation this may leak resources
2021-12-30 20:30:33 +01:00
David Garske 930cad649e Fix to resolve possible memory leak with DSA wc_DsaPublicKeyDecode in API unit test when used with HAVE_WOLF_BIGINT. 2021-12-28 16:34:54 -08:00
David Garske 569c066fab Improve TLS client side session cache references to provide option for not returning an internal session cache pointer. Now use wolfSSL_get1_sesson for reference logic, that requires calling wolfSSL_SESSION_free. To disable this feature use NO_SESSION_CACHE_REF. 2021-12-23 14:25:45 -08:00
David Garske 57d2555ac8 Merge pull request #4695 from douzzer/20211222-fips-config-update-and-fix-test_RsaDecryptBoundsCheck
fips config update and test-driven cleanup
2021-12-23 10:38:36 -08:00
Chris Conlon 9892f1f2d5 Merge pull request #4679 from dgarske/fips_ecc_pct 2021-12-23 10:27:51 -07:00
Daniel Pouzzner b0a5b16068 api.c: fix logic in test_RsaDecryptBoundsCheck(). 2021-12-22 17:32:36 -06:00
David Garske 38214bd083 Disable the FIPS consistency checks in ECC and DH for key generation by default. 2021-12-22 10:06:19 -08:00
David Garske 9d137668c7 Merge pull request #4675 from julek-wolfssl/openssh-8.8
Fix macro name conflicts with openssh
2021-12-22 08:31:36 -08:00
Juliusz Sosinowicz 8435eb4644 Add WC_ namespace to variable handling defines 2021-12-22 12:16:02 +01:00
Juliusz Sosinowicz dd9b1afb72 Remove magic numbers from WOLFSSL_ASN_TEMPLATE code (#4582)
* pkcs8KeyASN and other misc asn fixes

- Test fixes for testing with `USE_CERT_BUFFERS_1024`

* intASN

* bitStringASN

* objectIdASN

* algoIdASN

* rsaKeyASN

* pbes2ParamsASN

* pbes1ParamsASN

* pkcs8DecASN

* p8EncPbes1ASN

* rsaPublicKeyASN

* dhParamASN

* dhKeyPkcs8ASN

* dsaKeyASN

* dsaPubKeyASN

- Add `wc_SetDsaPublicKey` without header testing

* dsaKeyOctASN

* rsaCertKeyASN

* eccCertKeyASN

* rdnASN

* certNameASN

* digestInfoASN

* otherNameASN

* altNameASN

* basicConsASN

* crlDistASN

* accessDescASN

* authKeyIdASN

* keyUsageASN

* keyPurposeIdASN

* subTreeASN

* nameConstraintsASN

* policyInfoASN

* certExtHdrASN

* certExtASN

* x509CertASN

* reqAttrASN

* strAttrASN

* certReqASN

* eccPublicKeyASN

* edPubKeyASN

* ekuASN

* nameASN

* certExtsASN

* sigASN

* certReqBodyASN_IDX_EXT_BODY

* dsaSigASN

* eccSpecifiedASN

* eccKeyASN

* edKeyASN

* singleResponseASN

* respExtHdrASN

* ocspRespDataASN

* ocspBasicRespASN

* ocspResponseASN

* ocspNonceExtASN

* ocspRequestASN

* revokedASN

* crlASN

* pivASN

* pivCertASN

* dateASN

* `wc_SetDsaPublicKey` was not including `y` in the sequence length

* All index names changed to uppercase

* Shorten names in comments

* Make sure extensions have sequence header when in cert gen

* Fix/refactor size calc in `SetNameEx`

* Pad blocks for encryption

* Add casting for increased enum portability

* Use stack for small ASN types
2021-12-22 11:28:01 +10:00
Sean Parkinson bf37845e2d Merge pull request #4680 from JacobBarthelmeh/certs
update certificate expiration dates and fix autorenew
2021-12-22 08:48:35 +10:00
JacobBarthelmeh c0f8fd5f5d update certificate dates and fix autorenew 2021-12-20 16:04:05 -08:00
Anthony Hu 7d4c13b9a4 --with-liboqs now defines HAVE_LIBOQS and HAVE_PQC
AKA: The Great Rename of December 2021
2021-12-20 11:48:03 -05:00
David Garske ce4f436d0f Merge pull request #4587 from SparkiDev/dis_algs_fix_1
Disable algorithms: fixes
2021-12-19 20:12:30 -08:00
Juliusz Sosinowicz 21a5a571e8 Fix test_wolfSSL_BIO_should_retry test
When `OPENSSL_COMPATIBLE_DEFAULTS` is defined then `SSL_MODE_AUTO_RETRY` is set on context creation. For this test we need to clear this mode so that the `WOLFSSL_CBIO_ERR_WANT_READ` can propagate up to the user.
2021-12-17 12:32:25 +01:00
David Garske dec78169bf Merge pull request #4658 from julek-wolfssl/apache-2.4.51
Add Apache 2.4.51 support
2021-12-16 08:52:10 -08:00
Juliusz Sosinowicz e78f7f734e Add Apache 2.4.51 support
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
2021-12-16 12:39:38 +01:00
Chris Conlon 5172130287 add wc_GetPubKeyDerFromCert(), get pub key DER from DecodedCert 2021-12-15 11:04:52 -07:00
David Garske a6c7d56c32 Merge pull request #4655 from haydenroche5/wc_pkcs12_from_file
Add wc_d2i_PKCS12_fp to parse a PKCS #12 file directly in wolfCrypt.
2021-12-14 08:58:57 -08:00
John Safranek 2359045b28 Merge pull request #4649 from kaleb-himes/KCAPI_FIPS_READY
The minimal changes needed to add KCAPI support with fips-ready
2021-12-13 17:33:03 -08:00
Hayden Roche 92d207a1cd Add wc_d2i_PKCS12_fp to parse a PKCS #12 file directly in wolfCrypt. 2021-12-13 15:28:34 -08:00
Daniel Pouzzner 355b779a3e feature gating tweaks to better support --disable-rsa --disable-dh --disable-dsa. also a whitespace fix in ssl.c. 2021-12-11 14:08:04 -06:00
kaleb-himes 7cccaa98b7 The minimal changes needed to add KCAPI support with fips-ready 2021-12-10 14:44:20 -07:00
Hayden Roche 6764e7c15f Make wolfCrypt ASN cert parsing functionality public.
Currently, the `ParseCert` function is only available if `WOLFSSL_ASN_API` is
defined to `WOLFSSL_API`. The only way to achieve this without enabling the
compatibility layer is to define `WOLFSSL_TEST_CERT`. There are users defining
this so that they can parse certs with wolfCrypt, even though this doesn't seem
to be the original intent of the define. This commit adds the function
`wc_ParseCert` to the public wolfCrypt API. It's simply a wrapper around
`ParseCert`. Similarly, this commit adds `wc_InitDecodedCert` and
`wc_FreeDecodedCert` to the public API, which are wrappers around
`InitDecodedCert` and `FreeDecodedCert`, respectively.
2021-12-10 10:43:28 -08:00
Sean Parkinson 6da0cc1ced Merge pull request #4600 from dgarske/cust_oid
Support for Custom OID in subject and CSR request extension
2021-12-09 11:24:30 +10:00
David Garske b4c6140b64 Merge pull request #4442 from julek-wolfssl/kerberos
Add Kerberos 5 support
2021-12-02 09:07:34 -08:00
David Garske 5c172ca955 Merge pull request #4622 from douzzer/fix-wolfsentry-build
wolfsentry fixes re HAVE_EX_DATA and wolfsentry_sockaddr
2021-12-01 08:16:07 -08:00
Sean Parkinson d06ada2ccc Merge pull request #4610 from julek-wolfssl/nginx-1.21.4
Add support for Nginx 1.21.4
2021-12-01 22:27:12 +10:00
Juliusz Sosinowicz aac1b406df Add support for Nginx 1.21.4
- Add KEYGEN to Nginx config
- Check for name length in `wolfSSL_X509_get_subject_name`
- Refactor `wolfSSL_CONF_cmd`
- Implement `wolfSSL_CONF_cmd_value_type`
- Don't forecfully overwrite side
- `issuerName` should be `NULL` since the name is empty
2021-12-01 09:49:52 +01:00
Daniel Pouzzner 3f65916f3a HAVE_EX_DATA: fix wolfssl/ssl.h and tests/api.c to build -DHAVE_EX_DATA but -UOPENSSL_EXTRA. 2021-11-30 23:39:16 -06:00
JacobBarthelmeh b69a1c860c Merge pull request #3996 from cconlon/pkcs7_detachedhash
adjust PKCS7_VerifySignedData to correctly verify precomputed content hash with detached signature
2021-11-30 12:46:46 -08:00
David Garske 7524ededd3 Support for Custom OID in subject and CSR request extension:
* Adds new build option `WOLFSSL_CUSTOM_OID` for supplying a custom OID in a CSR
* Fixes in ASN template CSR generation.
* Fix to allow calling `wc_Ed25519PublicKeyToDer` and `wc_Ed448PublicKeyToDer` with NULL output buffer to get length only.
* Refactor of the certificate subject name encoding.
* Refactor of the OID's to consolidate.
* Improvements to the Domain Component API unit test.
ZD 12943
2021-11-23 09:51:13 -08:00
Juliusz Sosinowicz 1d7b2de074 Code review changes 2021-11-22 11:48:31 +01:00
Juliusz Sosinowicz 3da810cb1b Implement OpenSSL API's
- `OBJ_DUP`
- `i2d_PKCS7`
- `BN_rshift1
- `BN_rshift` testing
- Add `--enable-krb`
2021-11-22 11:47:58 +01:00
Juliusz Sosinowicz e7c5f137be Implement BN_rand_range 2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz ccbe184434 Implement CTS
Ciphertext stealing on top of CBC is implemented with `wolfSSL_CRYPTO_cts128_encrypt` and `wolfSSL_CRYPTO_cts128_decrypt` APIs
2021-11-22 11:45:27 +01:00
Juliusz Sosinowicz fa662c2ab1 AES_cbc_encrypt enc parameter flipped. 1 = encrypt 0 = decrypt
This change makes the `enc` parameter of `AES_cbc_encrypt` consistent with OpenSSL. This commit flips the meaning of this parameter now.
2021-11-22 11:45:27 +01:00
Chris Conlon c3500fa24e Merge pull request #4581 from miyazakh/max_earlydata
add get_max_eraly_data
2021-11-19 09:42:01 -07:00
Sean Parkinson 5a72fee3df Disable algorithms: fixes
WOLFSSL_PUBLIC_MP and disable algorithms didn't work because of api.c.
 - mp_cond_copy not available unless ECC compiled in
 - wc_export_int not available unless ECC compiled in
Enabling only DH and using SP with SP Math didn't work as the DH
parameters were too small.
sp_cmp is needed when only DH.
mp_set_int is was not available in SP math when RSA is not defined.
mp_set is close enough for the use cases.
Configure with SP and SP math but not RSA, DH and ECC didn't configure -
now default to small maths.
2021-11-19 16:56:33 +10:00
David Garske 2841b5c93b Merge pull request #3010 from kaleb-himes/ZD10203
Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA
2021-11-18 14:47:25 -08:00
Hideki Miyazaki 7da0d524ff add get_max_eraly_data
support set/get_max_eraly_data compatibility layer
2021-11-18 09:07:32 +09:00
Masashi Honma 4800db1f9d Enable max/min int test even when non 64bit platform
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-18 06:58:21 +09:00
Juliusz Sosinowicz 361975abbc Refactor sk_*_free functions
Use a single `wolfSSL_sk_pop_free` and `wolfSSL_sk_free` function that free's the stack and optionally free's the node content as well.
2021-11-12 13:55:37 +01:00
kaleb-himes 6547bcb44c Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA 2021-11-11 17:47:17 -07:00
David Garske bd0f6736c5 Merge pull request #4513 from masap/wpa_sup_dpp
Fix X509_PUBKEY_set() to show correct algorithm and parameters
2021-11-09 10:26:59 -08:00
Daniel Pouzzner 0b4f34d62a typographic cleanup: fix whitespace, remove unneeded UTF-8, convert C++ comment constructs to C. 2021-11-08 17:35:05 -06:00
Masashi Honma ee39fd079f Fix X509_PUBKEY_set() to show correct algorithm and parameters
When build with OpenSSL, trailing program outputs these messages.

algorithm: id-ecPublicKey
parameters: prime256v1

But with wolfSSL, X509_PUBKEY_get0_param() fails.
This patch fixes wolfSSL to display the same values as OpenSSL.

This program was extracted from wpa_supplicant in order to reproduce the
issue.

----------------
int main(void)
{
    EVP_PKEY *pkey;
    X509_PUBKEY *pub = NULL;
    ASN1_OBJECT *ppkalg, *poid;
    const ASN1_OBJECT *pa_oid;
    const uint8_t *pk;
    int ppklen, ptype;
    X509_ALGOR *pa;
    void *pval;
    char buf[100];
    const uint8_t data[] = {
        0x30, 0x39, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
        0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x22, 0x00, 0x03, 0x33, 0x6d, 0xb4, 0xe9, 0xab,
        0xf1, 0x1c, 0x96, 0x87, 0x5e, 0x02, 0xcc, 0x92, 0xaf, 0xf6, 0xe1, 0xed, 0x2b, 0xb2, 0xb7, 0xcc,
        0x3f, 0xd2, 0xb5, 0x4e, 0x6f, 0x20, 0xc7, 0xea, 0x2f, 0x3f, 0x42
    };
    size_t data_len = sizeof(data);
    const uint8_t *p;
    int res;

    p = data;
    pkey = d2i_PUBKEY(NULL, &p, data_len);
    if (!pkey) {
        fprintf(stderr, "d2i_PUBKEY() failed\n");
        return -1;
    }

    if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
        fprintf(stderr, "invalid type\n");
        EVP_PKEY_free(pkey);
        return -1;
    }

    res = X509_PUBKEY_set(&pub, pkey);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_set() failed\n");
        return -1;
    }

    res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
    if (res != 1) {
        fprintf(stderr, "X509_PUBKEY_get0_param() failed\n");
        return -1;
    }
    res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "algorithm: %s\n", buf);

    X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
    if (ptype != V_ASN1_OBJECT) {
        fprintf(stderr, "X509_ALGOR_get0() failed\n");
        return -1;
    }
    poid = pval;
    res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
    if (res < 0 || (size_t) res >= sizeof(buf)) {
        fprintf(stderr, "OBJ_obj2txt() failed\n");
        return -1;
    }
    fprintf(stdout, "parameters: %s\n", buf);

    X509_PUBKEY_free(pub);
    EVP_PKEY_free(pkey);
    return 0;
}

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-09 07:30:58 +09:00
David Garske 478f57b347 Merge pull request #4535 from kareem-wolfssl/zd13165
Fix building with NO_ECC_KEY_EXPORT.
2021-11-08 11:11:53 -08:00
David Garske 4fe17cc143 Merge pull request #4527 from julek-wolfssl/zd13097
Fix a heap buffer overflow with mismatched PEM structure ZD13097
2021-11-05 08:50:28 -07:00
Chris Conlon ae84a2a326 Merge pull request #4293 from TakayukiMatsuo/set_min_proto
Add support for value zero as version parameter for SSL_CTX_set_min/max_proto_version
2021-11-04 14:59:34 -06:00