Commit Graph

729 Commits

Author SHA1 Message Date
Sean Parkinson 284ebacc57 Merge pull request #4916 from JacobBarthelmeh/hsm
Add SECO use and expand cryptodev
2022-04-07 10:21:32 +10:00
Sean Parkinson 25aa0af260 ssl.c break out
Move the X509 API out of ssl.c into x509.c
2022-04-06 17:25:26 +10:00
JacobBarthelmeh a338b4c933 refactor SHA grew function, revert benchmark devid, increase SHA_CTX size, add AES ECB cryptocb test 2022-04-05 14:45:18 -07:00
Sean Parkinson 0fba16a394 Merge pull request #4998 from haydenroche5/get_conv_form
Add wolfSSL_EC_KEY_get_conv_form to compatibility layer.
2022-04-04 08:47:14 +10:00
Hayden Roche 880afe0d89 Add wolfSSL_EC_KEY_get_conv_form to compatibility layer. 2022-04-02 13:57:33 -07:00
David Garske bd0e222fec Merge pull request #5012 from julek-wolfssl/evp-enc-dec-block
Implement `EVP_EncodeBlock` and `EVP_DecodeBlock`
2022-04-01 12:24:23 -07:00
Juliusz Sosinowicz 6dffa8a13d Implement EVP_EncodeBlock and EVP_DecodeBlock 2022-04-01 13:29:40 +02:00
Daniel Pouzzner 773170464e undo changes to header files (see b7cecbacb) made to mollify clang-tidy's overly pedantic readability-avoid-const-params-in-decls -- keep declarations and definitions fully aligned, to mollify broken compilers. 2022-03-31 14:02:08 -05:00
Juliusz Sosinowicz 6dc86e7df1 Add support for --enable-ffmpeg 2022-03-28 12:47:19 +02:00
Juliusz Sosinowicz 29c0c9bf48 Rebase fixes 2022-03-24 13:41:50 +01:00
Juliusz Sosinowicz 98bc8402db Refactor memory BIO
- use the `WOLFSSL_BUF_MEM` struct to resize the internal memory buffer
- add a `WOLFSSL_BIO_RESIZE_THRESHOLD` define that will be used to determine how often to shrink the internal buffer. This should cut down on the number of free/malloc calls made significantly. This should help with our inefficient 1 byte reads in `loadX509orX509REQFromPemBio`.
- implement `wolfSSL_BUF_MEM_resize` which allows bi-directional buffer size manipulation
2022-03-24 12:16:59 +01:00
Juliusz Sosinowicz ae9b01c5b8 bind 9.18.0 fixes
- return `1` from `wolfSSL_BIO_set_mem_eof_return` instead of `0` for success
- bind requires ALPN
- `OPENSSL_COMPATIBLE_DEFAULT` defined for bind
- `WOLFSSL_ERROR_CODE_OPENSSL` defined when using compatibility layer
- return `bio->eof` on no pending data to read in memory BIO (defaults to `WOLFSSL_BIO_ERROR`)
- `flags` is no longer an input parameter in `wolfSSL_ERR_get_error_line_data`
- allow lazy parameter loading in `wolfSSL_DH_set0_key`
- implement reference counter in `WOLFSSL_EC_KEY`
- load serial number from `x509->serialNumber` if `x509->serial` is empty
2022-03-24 12:16:59 +01:00
JacobBarthelmeh c377a709e1 Merge pull request #4953 from cconlon/apiVersionDiff
More checks on OPENSSL_VERSION_NUMBER for API prototype differences
2022-03-21 16:59:06 -06:00
Juliusz Sosinowicz 9763030675 Merge pull request #4845 from cconlon/pkcs7compat 2022-03-21 15:26:37 +01:00
Hayden Roche dcaa218ed8 Merge pull request #4927 from cconlon/upRef 2022-03-18 18:10:36 -07:00
Hayden Roche 7ea6b73c7b Merge pull request #4928 from cconlon/compatCleanups 2022-03-18 16:23:56 -07:00
Chris Conlon ce514e6fc5 add PKCS7_sign, PKCS7_final, SMIME_write_PKCS7. add signer cert verify support to PKCS7_verify, support for PKCS7_TEXT, PKCS7_DETACHED, PKCS7_STREAM 2022-03-15 10:21:22 -06:00
Chris Conlon a7d5e6400d add support for PKCS7_TEXT flag to PKCS7_verify() 2022-03-15 10:21:22 -06:00
Chris Conlon f7c5c9f713 extra checks for OPENSSL_VERSION_NUMBER for API prototype differences 2022-03-15 09:41:51 -06:00
Chris Conlon 82c6f58eb0 define BIO_CTRL_SET, BIO_CTRL_GET 2022-03-11 09:53:56 -07:00
Chris Conlon 238072c84d map BIO_s_accept to BIO_s_socket for basic use 2022-03-11 09:53:56 -07:00
Daniel Pouzzner b2ae7f4230 wolfssl/openssl/asn1.h: in ASN1_SIMPLE(), use OFFSETOF() macro. 2022-03-11 07:59:08 -06:00
Sean Parkinson c3eab0dcdd Fixes from sanitizer build
Fix OID index in SetNameRdnItems for multi attributes.
Stop warning about strncpy to small.
Fix casting in ASN1_SIMPLE to use consistent type.
2022-03-11 14:27:50 +10:00
Daniel Pouzzner 031c97f835 Merge pull request #4931 from douzzer/20220307-early-data-and-c99-fixes
enable-earlydata vs enable-fips/enable-asynccrypt
2022-03-08 07:34:58 -06:00
David Garske 872ed28882 Merge pull request #4925 from kareem-wolfssl/nullSslMethod
Add SSL_R_NULL_SSL_METHOD_PASSED.
2022-03-07 15:36:56 -08:00
Chris Conlon 85f85cc76a add DH_up_ref() and unit test 2022-03-07 16:32:22 -07:00
Chris Conlon 76014260f6 add EC_KEY_up_ref() and unit test 2022-03-07 16:31:09 -07:00
David Garske 9b808bde20 Fixes for building with HAVE_EX_DATA no compat layer. 2022-03-07 17:20:58 -06:00
Kareem f162d7f530 Add SSL_R_NULL_SSL_METHOD_PASSED. 2022-03-04 15:11:09 -07:00
David Garske 3839b0e675 Fixes for building wolfSSL along side openssl. 2022-03-04 12:06:24 -08:00
Chris Conlon e1829e614d Merge pull request #4820 from haydenroche5/evp_pkey_paramgen
Add wolfSSL_EVP_PKEY_paramgen to the compatibility layer.
2022-03-04 11:49:21 -07:00
Juliusz Sosinowicz c7c3ee00bb Address code review
- Use functions instead of accessing `BIO` members
- Add `wolfSSL_BIO_method_type`
2022-03-03 10:09:41 +01:00
Hayden Roche 51d66877f7 Add wolfSSL_EVP_PKEY_paramgen to the compatibility layer.
Currently, it only supports ECC, which is all we need it for for the OpenSplice
port we're working on. In the ECC case, all it needs to do is set the group
appropriately. The logic is very similar to `wolfSSL_EVP_PKEY_keygen`, minus
the final step of actually generating the key.
2022-02-23 13:59:15 -08:00
Juliusz Sosinowicz 1d712d47ba Access to session cache is now atomic
- Adding and getting sessions to and from the local cache is now atomic.
  - The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
  -`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz afca455cda stunnel 5.61 support
- New/Implemented API
  - `SSL_has_pending`
  - `wolfSSL_CertManagerLoadCRLFile`
  - `wolfSSL_LoadCRLFile`
  - `wolfSSL_CTX_LoadCRLFile`
  - `wolfSSL_CTX_add_session`
- Calling chain certificate API (for example `wolfSSL_CTX_use_certificate_chain_file`) no longer requires an actual chain certificate PEM file to be passed in as input. `ProcessUserChain` error in `ProcessBuffer` is ignored if it returns that it didn't find a chain.
- Add `WOLFSSL_TICKET_HAVE_ID` macro. When defined tickets will include the original session ID that can be used to lookup the session in internal cache. This is useful for fetching information about the peer that doesn't get sent in a resumption (such as the peer's certificate chain).
  - Add `ssl->ticketSessionID` field because `ssl->session.sessionID` is used to return the "bogus" session ID sent by the client in TLS 1.3
- `OPENSSL_COMPATIBLE_DEFAULTS` changes
  - Define `WOLFSSL_TRUST_PEER_CERT` and certificates added as CA's will also be loaded as trusted peer certificates
  - Define `WOLFSSL_TLS13_MIDDLEBOX_COMPAT`
- Seperate `internalCacheOff` and `internalCacheLookupOff` options to govern session addition and lookup
- `VerifyServerSuite` now determines if RSA is available by checking for it directly and not assuming it as the default if static ECC is not available
- `WOLFSSL_SESSION` changes
  - `ssl->extSession` added to return a dynamic session when internalCacheOff is set
  - `ssl->session.refPtr` made dynamic and gets free'd in `SSL_ResourceFree`
- If `SSL_MODE_AUTO_RETRY` is set then retry should only occur during a handshake
- `WOLFSSL_TRUST_PEER_CERT` code now always uses `cert->subjectHash` for the `cm->tpTable` table row selection
- Change some error message names to line up with OpenSSL equivalents
- Run `MatchSuite` again if certificate setup callback installed and successful
- Refactor clearing `ASN_NO_PEM_HEADER` off the error queue into a macro
- `wolfSSL_get_peer_certificate` now returns a duplicated object meaning that the caller needs to free the returned object
- Allign `wolfSSL_CRYPTO_set_mem_functions` callbacks with OpenSSL API
- `wolfSSL_d2i_PKCS12_bio` now consumes the input BIO. It now supports all supported BIO's instead of only memory BIO.
- stunnel specific
  - Always return a session object even if we don't have a session in cache. This allows stunnel to save information in the session external data that will be transfered to new connections if the session is reused
  - When allocating a dynamic session, always do `wolfSSL_SESSION_set_ex_data(session, 0, (void *)(-1)`. This is to mimic the new index callback set in `SSL_SESSION_get_ex_new_index`.
- Fix comment in `wolfSSL_AES_cbc_encrypt`
- Trusted peer certificate suite tests need to have CRL disabled since we don't have the issuer certificate in the CA store if the certificates are only added as trusted peer certificates.
tested
2022-02-23 09:47:34 +01:00
Daniel Pouzzner 74408e3ee3 fixes for whitespace, C++ warnings, and LLVM 15 clang-tidy defects/carps:
* whitespace in src/ssl.c, tests/api.c, wolfssl/openssl/fips_rand.h.

* clang-analyzer-core.StackAddressEscape from llvm-15 clang-tidy, in tests/suites.c:execute_test_case().

* bugprone-suspicious-memory-comparison from llvm-15 clang-tidy, in src/internal.c:DoSessionTicket() and src/ssl.c:wolfSSL_sk_push().
2022-02-08 15:20:22 -06:00
David Garske 56c562a516 Fixes for building with ./configure --enable-opensslextra --enable-cryptonly CFLAGS="-DNO_HMAC" && make. Found this testing a customers configuration with latest. Also fixes some trailing whitespace. 2022-02-07 15:10:21 -08:00
Chris Conlon 4c8f0709fc Merge pull request #4720 from dgarske/fips_compat 2022-02-07 09:56:24 -07:00
Lealem Amedie f9ff551992 Fix for OpenSSL x509_NAME_hash mismatch 2022-02-04 16:59:51 -08:00
David Garske 17eee2ba0c Merge pull request #4817 from julek-wolfssl/ZD13495
ZD13495
2022-02-02 15:54:08 -08:00
David Garske 28d3292a16 Merge pull request #4811 from haydenroche5/dh_get_2048_256
Add DH_get_2048_256 to compatibility layer.
2022-02-02 12:12:34 -08:00
Juliusz Sosinowicz d5b294edc4 ZD13495
- `wolfSSLeay_version` now returns the version of wolfSSL
- `wolfssl/openssl/crypto.h` was not enveloped in a `extern "C"` wrapper
2022-02-02 17:38:36 +01:00
Hayden Roche c629c3fcaa Add DH_get_2048_256 to compatibility layer. 2022-02-02 07:59:17 -08:00
Chris Conlon 59ea65bad3 Merge pull request #4809 from haydenroche5/asn1_int 2022-02-01 13:44:32 -07:00
David Garske 99799a3e3e Merge pull request #4806 from anhu/kill_idea
Purge IDEA cipher
2022-02-01 12:27:55 -08:00
Anthony Hu 9ea40f3a9c Purge IDEA cipher 2022-01-31 15:29:25 -05:00
Hayden Roche 6b71289ae1 Add new ASN1_INTEGER compatibility functions.
This commit adds:

- wolfSSL_i2d_ASN1_INTEGER
- wolfSSL_d2i_ASN1_INTEGER
- wolfSSL_ASN1_INTEGER_cmp
2022-01-29 17:01:16 -08:00
David Garske 80ae237852 Fixes for building with ipsec-tools/racoon and openvpn:
* Fix for `EVP_CIPHER_CTX_flags`, which mapped to a missing function (broke openvpn)
* Added stack of name entries for ipsec/racoon support.
* Added `X509_STORE_CTX_set_flags` stub.
* Added PKCS7 NID types.
* Improved FIPS "SHA" logic in `test_wolfSSL_SHA`
* Added some uncommon NID type definitions.
* Expose the DH `DH_set_length` and `DH_set0_pqg` with OPENSSL_ALL
2022-01-28 09:21:03 -08:00
Daniel Pouzzner b7cecbacb2 update headers to resolve clang-tidy carping (mostly bugprone-macro-parentheses and readability-named-parameter). also disables MSC C4028 because incompatible with readability-avoid-const-params-in-decls. 2022-01-26 02:06:37 -06:00
David Garske eade8ecdf1 DTLS SRTP improvements. Added support for client to send list of profiles. Added support for more SRTP profiles. 2022-01-14 13:43:29 -08:00