Commit Graph

5509 Commits

Author SHA1 Message Date
John Safranek e67bbf7526 1. Add flag to DH keys when using safe parameters.
2. The LN check is skipped when using safe parameters.
3. Enable all FFDHE parameter sets when building for FIPS 140-3.
2021-10-26 20:24:25 -05:00
John Safranek 7f64fc4efb Move the TLSv1.3 KDF into wolfCrypt with the other KDFs. 2021-10-26 20:24:25 -05:00
John Safranek 38064bb396 Add HMAC-SHA2-512 to the TLSv1.2 PRF. 2021-10-26 20:24:25 -05:00
John Safranek c7ea896759 Add prototype for the ssh-kdf test in the wolfCrypt test. 2021-10-26 20:24:24 -05:00
John Safranek de4af35f89 KDF Update
1. Move wolfSSH's KDF into wolfCrypt.
2021-10-26 20:24:24 -05:00
John Safranek a49125e613 FIPS KDF Update
1. Copied the TLSv1.2 PRF into hmac.c since it uses it and the TLSv1.3
   HKDF is in there as well.
2. Added guard around the old TLS PRF so that it switches in correctly
   for older FIPS builds only.
2021-10-26 20:24:24 -05:00
John Safranek df859d30f3 FIPS 140-3
1. Change the internal version number for the FIPS 140-3 changes as v4.
2. Insert v3 as an alias for FIPS Ready.
3. Use the correct directory for the FIPS old files sources. (For local
   testing of 140-3 builds.)
4. Change back the check for the FIPS version in internal.c for
   EccMakeKey().
2021-10-26 20:24:24 -05:00
John Safranek f1bd79ac50 FIPS 140-3
1. Added enable option for FIPS 140-3 in configure script.
2. Modify DES3 source to disallow DES3 for the new option.
3. Added the new constants to fips_test.h.
4. Added some new test functions.
5. Added API for doing the POST.
6. Added a processing state for the CASTs.
7. Delete some unused prototypes from FIPS test API.
2021-10-26 20:24:24 -05:00
Chris Conlon 5810e45cb7 fix CAVP selftest v2 build error in test.c 2021-10-26 10:33:05 -06:00
Sean Parkinson 905683c98c Merge pull request #4496 from dgarske/sniffer_keywatch
Fix for sniffer key watch callback
2021-10-26 09:55:17 +10:00
Sean Parkinson 6070981366 Merge pull request #4490 from dgarske/static_mem_unittest
Add CTX static memory API unit tests
2021-10-26 09:52:14 +10:00
David Garske aa72f0685d Merge pull request #4499 from SparkiDev/dec_ku_len
KeyUsage dcoding: Ensure data length is 1 or 2
2021-10-25 15:11:18 -07:00
David Garske 517225e135 Merge pull request #4497 from cconlon/authInfo
fix nid2oid/oid2nid for oidCertAuthInfoType
2021-10-25 09:29:09 -07:00
Sean Parkinson 8e6c6e7757 KeyUsage dcoding: Ensure data length is 1 or 2 2021-10-25 09:22:31 +10:00
David Garske bf2b13939f Merge pull request #4329 from kaleb-himes/OE22-Porting-Changes
Oe22 porting changes
2021-10-22 16:16:26 -07:00
Chris Conlon 402ee29163 fix nid2oid/oid2nid for oidCertAuthInfoType 2021-10-22 16:53:18 -06:00
David Garske e4da9c6f48 Fix for sniffer key callback. Fix for building sniffer without RSA. Fix for wolfCrypt test cert ext without RSA. 2021-10-22 14:29:06 -07:00
kaleb-himes 5859779ddf Check-in non-FIPS specific porting changes for OE22
Fix no new line

Change comment style in testsuite.c

Add include for proper socket header in wolfio.h

Add dc_log_printf support to benchmark application

Pull in changes for examples

Refector NETOS check in test.c

Fix format and remove settings used only for validation testing

Implement peer review feedback

Address last items noted in peer review

Add new README to include.am

Adjust comment style on TODO

Gate changes in client and server properly

Add static on customer feedback

Fix settings include

Update latest peer feedback
2021-10-22 15:01:14 -06:00
John Safranek d83d16af59 Merge pull request #4483 from julek-wolfssl/cov-reports 2021-10-22 13:07:57 -07:00
David Garske 229f0d5fd1 Merge pull request #4485 from JacobBarthelmeh/certs
Improve permitted alternate name logic in certificate ASN handling
2021-10-22 11:59:16 -07:00
David Garske 4c0527490d Fixes for API unit test with WOLFSSL_NO_ASN_STRICT. Fix spelling error. 2021-10-22 09:59:16 -07:00
Fabio Utzig 29f4f09e6c Fix MMCAU_SHA256 type warnings
Fix warnings in the usage of MMCAU_SHA256 routines, where digest is
expected to be `uint32_t*`, but is defined as `word32*`, which results
in:

```
expected 'uint32_t *' {aka 'long unsigned int *'} but argument is of
type 'word32 *' {aka 'unsigned int *'}
```

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-10-22 09:51:14 -03:00
Sean Parkinson 6e7dee3283 Change to compare each name to each matching type in permittedNames list. 2021-10-22 10:57:11 +10:00
David Garske f17187aad9 Fixes for static memory testing. Fix clang memory sanitizer warnings. 2021-10-21 16:33:57 -07:00
Juliusz Sosinowicz 9386a882b9 #424
Refactor d2i key API to use common code
2021-10-21 14:25:06 +02:00
Juliusz Sosinowicz df1d817f1f #129 2021-10-21 14:22:54 +02:00
Juliusz Sosinowicz 1239a7f57d #96 2021-10-21 14:22:54 +02:00
Juliusz Sosinowicz 5bacc0c9ab In first |= op r always equals 0 2021-10-21 14:22:54 +02:00
Juliusz Sosinowicz 8e6759384c #40 2021-10-21 14:22:54 +02:00
Juliusz Sosinowicz 344a07051e #39 2021-10-21 14:22:54 +02:00
Sean Parkinson 817cd2f2a6 Merge pull request #4487 from haydenroche5/openssh
Make several changes to support OpenSSH 8.5p1.
2021-10-21 08:59:38 +10:00
Sean Parkinson ac3612bbef Merge pull request #4469 from dgarske/android_keystore
Support for Android KeyStore compatibility API's
2021-10-21 08:30:08 +10:00
Jacob Barthelmeh f57801c17b more name constraint test cases and adjust DNS base name matching to not require . 2021-10-20 14:25:02 -06:00
Hayden Roche 864f913454 Make several changes to support OpenSSH 8.5p1.
- Permit more wolfSSL_EC_POINT_* functions for FIPS builds. This requires one
workaround in wolfSSL_EC_POINT_mul where wc_ecc_get_generator isn't available.
- Permit more AES-GCM code in EVP code for FIPS v2 builds. It's unclear why this
code wasn't already available.
- Add EVP_CIPHER_CTX_get_iv to the compatibility layer.
- Clear any existing AAD in the EVP_CIPHER_CTX for AES-GCM when we receive the
EVP_CTRL_GCM_IV_GEN control command. OpenSSL does this, and OpenSSH is relying
on this behavior to use AES-GCM correctly.
- Modify ecc_point_test in testwolfcrypt so that it doesn't fail when doing a
FIPS build with HAVE_COMP_KEY defined.
2021-10-20 11:00:42 -07:00
Jacob Barthelmeh 3b73c6e3ae handle multiple permitted name constraints 2021-10-19 23:12:07 -06:00
Jacob Barthelmeh afee92e0cf bail out when a bad alt name is found in the list of alt names 2021-10-19 23:12:07 -06:00
David Garske e5caf5124c Merge pull request #4477 from luizluca/zero-terminate-constraints
ASN: zero-terminate name constraints strings
2021-10-19 21:16:46 -07:00
David Garske 892685ac59 Merge pull request #4472 from utzig/ksdk-port-koblitz
nxp: ksdk: add support for Koblitz curves
2021-10-19 21:14:38 -07:00
David Garske a145f3107d Merge pull request #4481 from SparkiDev/mod_exp_even
SP int: handle even modulus with exponentiation
2021-10-19 21:09:15 -07:00
David Garske 4e7ce45a8c Allow loading public key with PK callbacks also. 2021-10-19 17:04:18 -07:00
David Garske a03ed32380 Support for Android KeyStore compatibility API's:
* Adds `EVP_PKCS82PKEY` and `d2i_PKCS8_PRIV_KEY_INFO`.
* Adds `EVP_PKEY2PKCS8` and `i2d_PKCS8_PRIV_KEY_INFO`.
* Adds `ECDSA_verify`.
* Fix to allow `SHA256()` and `MD5()` with FIPSv2.
* Decouple crypto callbacks and hash flags
* Fix for possible use of uninitialized when building TLS bench without TLS v1.3.
* Fix for building with `NO_CHECK_PRIVATE_KEY`. Test `./configure --disable-pkcs12 --enable-opensslextra CFLAGS="-DNO_CHECK_PRIVATE_KEY"`.
* Fix to support `RSA_public_decrypt` for PKCSv15 only with FIPS.
* Cleanup `RSA_public_encrypt`, `RSA_public_decrypt` and `RSA_private_decrypt`.
* Added instructions for building wolfSSL with Android kernel.
2021-10-19 17:04:18 -07:00
Sean Parkinson f04380d624 Merge pull request #4475 from douzzer/fix-scan-build-UnreachableCode
scan-build LLVM-13 fixes and expanded coverage
2021-10-20 08:30:46 +10:00
Sean Parkinson d880403207 SP int: handle even modulus with exponentiation
Fix testing of mp_int to only call when implementation included.
2021-10-20 08:21:26 +10:00
Sean Parkinson 7f5a3a4e74 Merge pull request #4484 from dgarske/memtest
Fix for openssl test with --enable-memtest (also DH test build edge case)
2021-10-20 08:19:30 +10:00
Sean Parkinson 41eecd37e5 Merge pull request #4471 from embhorn/zd11886
Fix build errors with NO_BIO config
2021-10-20 08:06:42 +10:00
David Garske d297a06c25 Fix for wolfCrypt test with custom curves without Brainpool. Tested all changes on NXP K82 LTC. 2021-10-19 13:12:12 -07:00
David Garske 498884eadb Fix for missing dhKeyFile and dhKeyPubFile with file system enabled, WOLFSSL_DH_EXTRA and USE_CERT_BUFFERS_2048 set. 2021-10-19 13:06:37 -07:00
Daniel Pouzzner a5006d580c scan-build LLVM-13 fixes: sp_int.c: drop "&& defined(SP_DEBUG_VERBOSE)" from preprocessor gates around debugging printfs. 2021-10-18 21:46:09 -05:00
Daniel Pouzzner 816527e826 scan-build fixes: back out all "#ifndef __clang_analyzer__" wrappers added to suppress false and frivolous positives from alpha.deadcode.UnreachableCode, and rename new macro WC_UNUSED to WC_MAYBE_UNUSED to make its meaning more precisely apparent. build is still clean with -Wunreachable-code-break -Wunreachable-code-return under scan-build-13. 2021-10-18 21:46:09 -05:00
Daniel Pouzzner 62822be6ce scan-build LLVM-13 fixes and expanded coverage: add WC_UNUSED and PRAGMA_CLANG_DIAG_{PUSH,POP} macros; deploy "#ifndef __clang_analyzer__" as needed; fix violations and suppress false positives of -Wunreachable-code-break, -Wunreachable-code-return, and -enable-checker alpha.deadcode.UnreachableCode; expand scan-build clean build scope to --enable-all --enable-sp-math-all. 2021-10-18 21:46:09 -05:00