Commit Graph

3067 Commits

Author SHA1 Message Date
John Safranek b68b14b499 Merge pull request #4724 from embhorn/zd13462
Improve param checks of enc
2022-01-16 15:35:54 -08:00
Sean Parkinson 15f501358d Merge pull request #4716 from julek-wolfssl/issue-4592
Verification: Domain check should only be performed on leaf certs
2022-01-17 08:40:14 +10:00
Juliusz Sosinowicz 31e84d82b8 Domain check should only be performed on leaf certs
- Refactor `*_set_verify` functions into common logic
- NULL protect `wolfSSL_X509_VERIFY_PARAM_set1_host` and add debug info
2022-01-14 18:16:42 +01:00
elms 336e595ebb Remove some lingering oldname return values 2022-01-11 17:09:52 -08:00
elms efe2cea8d1 TLS: Default secure renegotiation compatability
By default this change will have servers send the renegotiation info
extension, but not allow renegotiation. This is accordance with RFC 5746

From to RFC 5746:
> In order to enable clients to probe, even servers that do not support
> renegotiation MUST implement the minimal version of the extension
> described in this document for initial handshakes, thus signaling
> that they have been upgraded.

With openSSL 3.0 the default it not allow connections to servers
without secure renegotiation extension. See
https://github.com/openssl/openssl/pull/15127
2022-01-11 15:56:35 -08:00
David Garske 5910ada93d Merge pull request #4736 from douzzer/20220107-cppcheck-hygiene
cppcheck sweep
2022-01-10 12:52:22 -08:00
David Garske 6ce248e2f9 Improve documentation for wolfSSL_get1_session. Add wolfSSL specific naming on the internal session functions to avoid possible user conflicts. ZD13363 and ZD13487. 2022-01-10 07:47:19 -08:00
Daniel Pouzzner 56c28ff307 src/ssl.c: in wolfSSL_SESSION_has_ticket(), add (void)sess if !defined(HAVE_SESSION_TICKET), to fix -Wunused-parameter. 2022-01-08 02:39:50 -06:00
Daniel Pouzzner bb727d2ef2 src/ssl.c: fixes for cppcheck complaints: uselessAssignmentPtrArg autoVariables[not a defect; added suppression] invalidPrintfArgType_sint nullPointerRedundantCheck pointerSize 2022-01-08 00:28:09 -06:00
Eric Blankenhorn f74831a7da Improve param checks of enc 2022-01-06 09:12:18 -06:00
Daniel Pouzzner 54e9076c45 src/ssl.c: fix whitespace and heap reference in FreeSession() (re 569c066fab). 2021-12-24 01:16:32 -06:00
David Garske 02186dbd23 Fix for TLS v1.3 client session ticket resumption where the server opts to do a new handshake. Fix to make sure preMasterSz is valid. 2021-12-23 18:45:52 -08:00
Sean Parkinson 929174be6b Merge pull request #4667 from dgarske/zd13363
Improve TLS client side session cache references
2021-12-24 11:23:06 +10:00
David Garske 569c066fab Improve TLS client side session cache references to provide option for not returning an internal session cache pointer. Now use wolfSSL_get1_sesson for reference logic, that requires calling wolfSSL_SESSION_free. To disable this feature use NO_SESSION_CACHE_REF. 2021-12-23 14:25:45 -08:00
Daniel Pouzzner 7b5b1f5a4d src/ssl.c: refine integration of wolfCrypt_SetPrivateKeyReadEnable_fips(), started by 52754123d9: depend on fips 5.1+, and call as matched pair in wolfSSL_Init() and wolfSSL_Cleanup(). 2021-12-23 16:05:25 -06:00
David Garske a8605309c6 Merge pull request #4692 from haydenroche5/wolfssl_init_fipsv5
Call wc_SetSeed_Cb and wolfCrypt_SetPrivateKeyReadEnable_fips in wolfSSL_Init.
2021-12-23 09:28:36 -08:00
Hayden Roche 52754123d9 Call wc_SetSeed_Cb and wolfCrypt_SetPrivateKeyReadEnable_fips in wolfSSL_Init.
Additionally, remove wc_SetSeed_Cb calls applications (e.g. example client and
server), since they are now redundant.
2021-12-22 14:21:06 -08:00
Hayden Roche 646ceb259a Fix usage of SSL_OP_NO_COMPRESSION that was breaking wolfEngine.
Replace instances of SSL_OP_NO_COMPRESSION with WOLFSSL_OP_NO_COMPRESSION in
ssl.c. Only define SSL_OP_NO_COMPRESSION when using the compatibility layer.
Before these changes, wolfEngine builds were failing due to
SSL_OP_NO_COMPRESSION being defined in both wolfSSL and OpenSSL headers.
2021-12-22 10:23:51 -08:00
David Garske af0bcef0ef Merge pull request #4648 from embhorn/zd13365
Fix - wolfSSL_init should cleanup on failure of a component
2021-12-21 17:17:16 -08:00
Sean Parkinson bb306d14b7 Merge pull request #4643 from kareem-wolfssl/zd13328
Fix building with OPENSSL_EXTRA defined and NO_WOLFSSL_STUB not defined.
2021-12-21 08:02:17 +10:00
Anthony Hu 7d4c13b9a4 --with-liboqs now defines HAVE_LIBOQS and HAVE_PQC
AKA: The Great Rename of December 2021
2021-12-20 11:48:03 -05:00
David Garske ab9eda636a Merge pull request #4671 from lealem47/remove-n
Removing extra \n from WOLFSSL_LEAVE and WOLFSSL_ENTER
2021-12-17 14:04:42 -08:00
David Garske 97830b81d6 Merge pull request #4674 from anhu/uninitialized
Fix unitialized usage
2021-12-17 10:51:43 -08:00
Anthony Hu 9cc1624023 Fix unitialized usage 2021-12-17 11:55:08 -05:00
Lealem Amedie a79440b95a Removing extra \n from WOLFSSL_LEAVE and WOLFSSL_ENTER 2021-12-16 13:30:43 -07:00
Daniel Pouzzner f889916fae ssl.c: fix C++ invalid conversion in wolfSSL_sk_X509_INFO_value(). 2021-12-16 13:29:17 -06:00
David Garske dec78169bf Merge pull request #4658 from julek-wolfssl/apache-2.4.51
Add Apache 2.4.51 support
2021-12-16 08:52:10 -08:00
Eric Blankenhorn 44cc9e4824 Fix - wolfSSL_init should cleanup on failure of a component 2021-12-16 09:50:50 -06:00
Juliusz Sosinowicz afa6237f56 Add WOLFSSL_FORCE_AUTO_RETRY option: force retrying of network reads 2021-12-16 15:33:30 +01:00
Juliusz Sosinowicz 017d6cf464 Simplify error queue macros 2021-12-16 12:39:58 +01:00
Juliusz Sosinowicz e78f7f734e Add Apache 2.4.51 support
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
2021-12-16 12:39:38 +01:00
David Garske caf9024984 Merge pull request #4652 from douzzer/no-rsa-no-dh-no-dsa
WOLFSSL_ECC_NO_SMALL_STACK etc
2021-12-13 10:12:14 -08:00
Daniel Pouzzner 355b779a3e feature gating tweaks to better support --disable-rsa --disable-dh --disable-dsa. also a whitespace fix in ssl.c. 2021-12-11 14:08:04 -06:00
Anthony Hu 4c12f0be95 Only one call to wc_falcon_init() and comment on 300. 2021-12-10 16:40:41 -05:00
Anthony Hu 1d8ff70900 In d2iGenericKey(), if a falcon key is encountered, make a dummy pkey.
This allows apache-httpd to work without PQ-specific patch along with a previous
pull request.
2021-12-10 14:18:42 -05:00
Kareem 376be0f66a Fix building with OPENSSL_EXTRA defined and NO_WOLFSSL_STUB not defined. 2021-12-08 16:51:51 -07:00
Sean Parkinson d5c27fca7d Merge pull request #4626 from JacobBarthelmeh/certs
add human readable string of IP
2021-12-07 08:23:31 +10:00
Chris Conlon e45c33a771 Merge pull request #4624 from miyazakh/jenkins_qt_failure 2021-12-06 09:53:34 -07:00
Jacob Barthelmeh 1ec86ee4cc add human readable string of IP 2021-12-02 16:04:58 -07:00
David Garske b4c6140b64 Merge pull request #4442 from julek-wolfssl/kerberos
Add Kerberos 5 support
2021-12-02 09:07:34 -08:00
Hideki Miyazaki a5bd6cde8d fix nigtly jenkins Qt Job failure 2021-12-02 16:37:48 +09:00
Sean Parkinson d06ada2ccc Merge pull request #4610 from julek-wolfssl/nginx-1.21.4
Add support for Nginx 1.21.4
2021-12-01 22:27:12 +10:00
Juliusz Sosinowicz aac1b406df Add support for Nginx 1.21.4
- Add KEYGEN to Nginx config
- Check for name length in `wolfSSL_X509_get_subject_name`
- Refactor `wolfSSL_CONF_cmd`
- Implement `wolfSSL_CONF_cmd_value_type`
- Don't forecfully overwrite side
- `issuerName` should be `NULL` since the name is empty
2021-12-01 09:49:52 +01:00
David Garske a0300f7ab0 Fixes for ECDSA_Size. If group is unknown set to -1, otherwise defaults to first ECC index. Fix the signature size calculation to use our existing enum and calculation logic. ZD13303 2021-11-30 12:33:49 -08:00
David Garske 29517fd617 Merge pull request #4609 from danielinux/tls13_hkdf_callback
TLS 1.3: Add HKDF extract callback
2021-11-30 10:59:44 -08:00
Daniele Lacamera c3b1d9f9e7 Cosmetic and prototypes changes after reviewer's comments 2021-11-30 10:06:54 +01:00
Daniel Pouzzner a33ae21801 whitespace cleanups and portability/pedantic fixes 2021-11-29 23:58:39 -06:00
Chris Conlon 7221e06ff7 Merge pull request #4588 from miyazakh/sce_protect_mode_e2studio 2021-11-29 15:32:48 -07:00
Daniele Lacamera 57fb5453cb Support for HKDF Extract callback 2021-11-29 14:51:13 +01:00
Hideki Miyazaki fb4e39f00a addressed review comments prt1 2021-11-26 16:03:42 +09:00