Commit Graph

5578 Commits

Author SHA1 Message Date
Sean Parkinson f04380d624 Merge pull request #4475 from douzzer/fix-scan-build-UnreachableCode
scan-build LLVM-13 fixes and expanded coverage
2021-10-20 08:30:46 +10:00
Sean Parkinson 41eecd37e5 Merge pull request #4471 from embhorn/zd11886
Fix build errors with NO_BIO config
2021-10-20 08:06:42 +10:00
Sean Parkinson 93f033823c Merge pull request #4482 from miyazakh/mindowngarde_staticrsa
TLS 1.3: ServerHello downgrade with no extensions fix
2021-10-20 07:58:34 +10:00
Eric Blankenhorn c0b592ef82 Fix build error with WOLFSSL_USER_IO 2021-10-19 08:27:43 -05:00
Hideki Miyazaki 91cd2b1731 TLS 1.3 ServerHello additional fix for PR4439 in Static RSA case 2021-10-19 17:51:00 +09:00
Daniel Pouzzner 69bc801c13 scan-build LLVM-13 fixes: src/ssl.c: work around deadcode.DeadStores warning in wolfSSL_X509_REQ_sign() in a different way, avoiding WC_MAYBE_UNUSED. 2021-10-18 21:46:09 -05:00
Daniel Pouzzner 007f01e7ec scan-build LLVM-13 fixes: in src/tls.c TLSX_PopulateExtensions(), avoid -Wunreachable-code-return by refactoring iteration to use an array terminator (a new "WOLFSSL_NAMED_GROUP_INVALID" with value 0) rather than a compile-time-calculated constant of iteration. 2021-10-18 21:46:09 -05:00
Daniel Pouzzner 816527e826 scan-build fixes: back out all "#ifndef __clang_analyzer__" wrappers added to suppress false and frivolous positives from alpha.deadcode.UnreachableCode, and rename new macro WC_UNUSED to WC_MAYBE_UNUSED to make its meaning more precisely apparent. build is still clean with -Wunreachable-code-break -Wunreachable-code-return under scan-build-13. 2021-10-18 21:46:09 -05:00
Daniel Pouzzner 62822be6ce scan-build LLVM-13 fixes and expanded coverage: add WC_UNUSED and PRAGMA_CLANG_DIAG_{PUSH,POP} macros; deploy "#ifndef __clang_analyzer__" as needed; fix violations and suppress false positives of -Wunreachable-code-break, -Wunreachable-code-return, and -enable-checker alpha.deadcode.UnreachableCode; expand scan-build clean build scope to --enable-all --enable-sp-math-all. 2021-10-18 21:46:09 -05:00
David Garske a50d1f4870 Merge pull request #4301 from julek-wolfssl/issue-4298
`mem_buf` only used with memory BIO
2021-10-18 10:29:55 -07:00
Eric Blankenhorn 17e0249a26 Fixing NO_BIO and OPENSSL_ALL errrors 2021-10-14 16:03:52 -05:00
Eric Blankenhorn 1396c46281 Fix build errors with NO_BIO config 2021-10-14 09:06:54 -05:00
Sean Parkinson 544e64f9e4 TLS: don't set the handshake state to the record type 2021-10-12 08:52:58 +10:00
Sean Parkinson 69d5405e91 Merge pull request #4350 from cconlon/pythonCompatD
OpenSSL compatibility fixes: BIO_set_nbio(), SHA3 NID, WOLFSSL_PYTHON
2021-10-12 08:14:34 +10:00
Sean Parkinson 511c74ea52 Merge pull request #4456 from dgarske/zd13032
Fix to not try OCSP or CRL checks if there is already an error
2021-10-11 08:20:58 +10:00
JacobBarthelmeh f757318eeb Merge pull request #4454 from dgarske/static_mem
Fix for `Bad memory_mutex lock` on static memory cleanup
2021-10-09 00:13:10 +07:00
David Garske 854512105f Merge pull request #4314 from SparkiDev/libkcapi
KCAPI: add support for using libkcapi for crypto (Linux Kernel)
2021-10-07 21:23:05 -07:00
Sean Parkinson e0abcca040 KCAPI: add support for using libkcapi for crypto (Linux Kernel)
RSA, DH and ECC not testable as no Linux Kernel driver to use.
ECC implementation is customer specific.
2021-10-08 09:07:22 +10:00
David Garske 668f8700a4 Fix to not try OCSP or CRL checks if there is already an error. This fix prevents an error code from being overwritten if there is already a failure. ZD13032 2021-10-07 15:30:16 -07:00
David Garske 9d2082f7e1 Fixes and improvements for crypto callbacks with TLS (mutual auth) (#4437)
* This PR resolves issues with using TLS client authentication (mutual auth) with crypto callbacks. The TLS client auth will not be sent without a private key being set. The solution is to allow setting a public key only if crypto callbacks is enabled and a devId is set.

* Fix to allow using crypto callbacks with TLS mutual authentication where a private key is not available.
* Fix for ED25519 sign when only a private key is loaded.
* Fix to enable crypto callbacks for ED25519 and Curve25519 in TLS by using the _ex init functions.
* Fix for wc_PemToDer return code where a PKCS8 header does not exist.
* Remove duplicate logs in DoCertificateVerify.
* Doxygen API updates: Added crypto callback help and updated use_PrivateKey with info about public key use.

* * Added crypto callback tests for TLS client and server with mutual auth for RSA, ECC and ED25519.
* Enhanced the API unit test TLS code to allow setting CA, cert and key.

* Revert ED25519 changes. Opt to calculate public key directly when required for signing in the TLS crypto callback test. Build configuration fixes.

* Fix to use proper devId in `ProcessBufferTryDecode`.

* Various build fixes due to changes in PR. G++ issue with `missing-field-initializers`. Unused api.c func with DTLS and session export. Duplicate `eccKeyPubFile` def.

* Added crypto callback TLS tests at WOLFSSL object level. Fix for ED25519/ED448 with client mutual auth where the private key is not set till WOLFSSL object. Fix issues with  `wolfSSL_CTX_GetDevId` where devId is set on WOLFSSL object. Enable the `_id` API's for crypto callbacks.

* Proper fix for `eccKeyPubFile` name conflict. Was causing RSA test to fail (expected DER, not PEM).
2021-10-07 11:12:06 +10:00
David Garske 9f57345614 Fix for Bad memory_mutex lock on static memory cleanup (was free'ing mutex then trying to use it). 2021-10-05 13:46:42 -07:00
JacobBarthelmeh 43ffe26133 Merge pull request #4430 from embhorn/zd12976
Add support for X9.42 header
2021-10-05 23:47:42 +07:00
David Garske 310a75ff43 Merge pull request #4449 from SparkiDev/fix_1
X509 name: remove unused variable
2021-10-04 20:01:04 -07:00
David Garske 024c59a04c Merge pull request #4439 from SparkiDev/tls13_min_down_no_ext
TLS 1.3: Check min downgrade when no extensions in ServerHello
2021-10-04 16:39:29 -07:00
Sean Parkinson 152da35ca4 X509 name: remove unused variable 2021-10-05 09:06:10 +10:00
David Garske 0abbd9b1ec Merge pull request #4438 from ejohnstown/dtls-big
DTLS Related Fixes
2021-10-01 13:04:20 -07:00
John Safranek 774bc36603 Merge pull request #4061 from JacobBarthelmeh/sessionExport 2021-10-01 10:21:42 -07:00
Sean Parkinson 4473e9335e TLS 1.3: Check min downgrade when no extensions in ServerHello
TLS 1.3 ServerHello must have extensions, so server attempting to
downgrade, but min downgrade was not checked in that case.
2021-10-01 12:51:10 +10:00
John Safranek 98b1e93429 Merge pull request #4402 from JacobBarthelmeh/Compatibility-Layer 2021-09-30 15:53:58 -07:00
John Safranek b0de40d10a Forgive a DTLS session trying to send too much at once. (ZD12921) 2021-09-30 14:27:21 -07:00
Jacob Barthelmeh cb4b57c5c7 add tls 1.3 test case 2021-09-30 10:08:47 -06:00
Chris Conlon cf1ce3f073 Add get_default_cert_file/env() stubs, SSL_get/set_read_ahead(), SSL_SESSION_has_ticket/lifetime_hint() (#4349)
* add wolfSSL_X509_get_default_cert_file/file_env/dir/dir_env() stubs

* add SSL_get_read_ahead/SSL_set_read_ahead()

* add SSL_SESSION_has_ticket()

* add SSL_SESSION_get_ticket_lifetime_hint()

* address review feedback - comments, return values

* make SSL_get_read_ahead() arg const

* add unit tests for SESSION_has_ticket/get_ticket_lifetime_hint

* test for SESSION_TICKET_HINT_DEFAULT in api.c for wolfSSL_SESSION_get_ticket_lifetime_hint()

* fix variable shadow warning in api.c
2021-09-30 08:35:23 +10:00
Chris Conlon bcd6930581 Various OpenSSL compatibility expansion items, for Python 3.8.5 (#4347)
* make ASN1_OBJECT arg const in OBJ_obj2txt

* add ERR_LIB values to openssl/ssl.h

* add missing alert type definitions in openssl/ssl.h

* add definition for X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, no support

* define value for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

* use correct CRYPTO_THREADID arg type for wolfSSL_THREADID_set_callback callback

* add handshake type defines for compat layer message callback types

* define ASN1_R_HEADER_TOO_LONG for compatibility builds

* use correct return type for wolfSSL_THREADID_set_callback, remove Qt code no longer needed
2021-09-30 08:32:49 +10:00
Chris Conlon 95b9fae605 Add DIST_POINT compatibility functions (#4351)
* add DIST_POINT compatibility functions

* switch X509_LU_* from enum to define, prevent compiler type warnings

* refactoring, adding in comments, and formating

* refactoring and a memory leak fix

* cast return value for g++ warning

* refactor wolfSSL_sk_DIST_POINT_pop_free and remove NULL assign after free

* fix get next DIST_POINT node for free function

Co-authored-by: Jacob Barthelmeh <jacob@wolfssl.com>
2021-09-30 08:27:39 +10:00
Jacob Barthelmeh 5f9f6fd9fa add some test cases and use allocator 2021-09-29 12:02:26 -06:00
Jacob Barthelmeh ae47cb3bcd update check on is TLS, update macro guard for test case 2021-09-28 16:57:30 -06:00
Anthony Hu a55cedd357 Fixup in response to dgarske comments 2021-09-28 18:36:18 -04:00
Anthony Hu 0e80923fb3 Unit tests for post-quantum groups.
Also, fixes for the things they caught such as:

- ssl->arrays->preMasterSecret is pre-allocated so copy into it instead of
  moving ownership of buffer.
- server does not need to save the public key.
- in TLSX_KeyShare_Parse() don't call TLSX_KeyShare_Use() because its done in
  TLSX_PopulateExtensions().
- in TLSX_KeyShare_Use(), the server generates the ciphertext while the client
  generates the public key.
- in TLSX_PopulateExtensions(), prevent client from calling TLSX_KeyShare_Use()
  because its already been done.
- Support longer curve/group names.
2021-09-28 17:16:44 -04:00
John Safranek a4f927999f Merge pull request #4431 from haydenroche5/is_on_curve_fips
Don't compile wolfSSL_EC_POINT_is_on_curve for FIPS.
2021-09-28 09:42:08 -07:00
Hayden Roche 6a0bc995a0 Don't compile wolfSSL_EC_POINT_is_on_curve for FIPS.
This function uses wc_ecc_point_is_on_curve, which isn't in the current (v2)
FIPS module.
2021-09-27 16:08:04 -07:00
David Garske 847b8f9a1f Reduce openssl verbosity in BIO due to PEM_X509_INFO_read_bio reading 1 byte at a time. Remove duplicate PEM_X509_INFO_read_bio macro. (#4428) 2021-09-28 08:21:23 +10:00
Eric Blankenhorn 702ba65b1c Add support for X9.42 header 2021-09-27 15:37:11 -05:00
Jacob Barthelmeh 41f3a006ac sanity check on padding size imported 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 13478a94a8 sanity check on block size with block cipher type 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 8b456b90e0 add test case for tls export/import 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 1929024029 fix for getting export buffer size 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 64f53c4e1b fix macro name and make api public 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 22b6cc675a add import/export of peer info with tls 2021-09-27 14:01:15 -06:00
Jacob Barthelmeh 2871fc670f initial serialization of TLS session 2021-09-27 14:00:13 -06:00
David Garske 3bdce348e9 Added NID_pkcs9_contentType and ub_ to compatibility layer (#4408)
* Added `NID_pkcs9_contentType` and `ub_` values.  ZD 11742

* Improve the API unit test. Also only include when `WOLFSSL_CERT_REQ` defined.
2021-09-27 08:21:53 +10:00