Commit Graph

2084 Commits

Author SHA1 Message Date
David Garske c7645a42a7 Merge pull request #4320 from anhu/liboqs_keyshare_updated
WolfSSL support for OQS's implementation of NIST Round 3 KEMs as TLS 1.3 groups
2021-08-27 17:42:25 -07:00
Kareem 9a438ce289 liboqs integration using keyshare/supported_groups extensions in TLS 1.3 2021-08-27 13:56:53 -04:00
Sean Parkinson db8f4e4f19 Jenkins nighlty fixes
wolfSSL_Rehandshake(): don't set 'ret' unless HAVE_SESSION_TICKET
defined (otherwise compiler will complain:  warning: Value stored to
'ret' is never read)

AES GCM streaming: fix 64-bit word version to compile and pass testing
Use '--enable-aesgcm=word' to get the word32 or word64 implementation
depending on the availabilty of 64-bit type.
2021-08-27 08:46:39 +10:00
John Safranek cb3f42482b Merge pull request #4332 from dgarske/zd12791
Improve CRL error codes
2021-08-25 13:57:46 -07:00
David Garske 700b1c56c1 Improve CRL error codes. Add --enable-crl=io option. ZD 12791 2021-08-24 11:12:12 -07:00
John Safranek 9c541568fc Merge pull request #4313 from SparkiDev/rsa_vfy_only
SP RSA verify only: fix to compile
2021-08-23 14:42:56 -07:00
Sean Parkinson dbb03cb5a3 SP RSA verify only: fix to compile
Configurations:
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math

./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=2048 --enable-sp-math

./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math-all

./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math --enable-sp-asm

./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=2048 --enable-sp-math --enable-sp-asm
2021-08-20 13:16:58 +10:00
John Safranek e7ef48d2b7 Merge pull request #3869 from SparkiDev/asn1_template
ASN1 Template: stricter and simpler DER/BER parsing/construction
2021-08-19 12:47:04 -07:00
Daniel Pouzzner 3226e69649 --enable-linuxkm-pie (FIPS Linux kernel module) (#4276)
* Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module.
* Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 09:15:52 -07:00
Sean Parkinson d486b89c61 ASN1 Template: stricter and simpler DER/BER parsing/construction
Reduce debug output noise
2021-08-19 11:32:41 +10:00
John Safranek 63fde01e32 Merge pull request #4311 from haydenroche5/rsyslog
Make improvements for rsyslog port.
2021-08-18 16:55:32 -07:00
Hayden Roche c16127d9ab Make improvements for rsyslog port.
- Remove FP_MAX_BITS and RSA_MAX_BITS definitions from rsyslog config. A user
configuring wolfSSL for rsyslog support should set them as they see fit (i.e.
based on the key sizes they need to support).
- After testing with wolfSSL FIPS, I discovered that some functions were missing
from the compatibility layer that rsyslog needs. Notably wolfSSL_DH_generate_key
and wolfSSL_DH_set0_pqg. These were gated out of compilation based on HAVE_FIPS.
However, they only need to be compiled out if WOLFSSL_DH_EXTRA is defined. This
is because these functions call SetDhInternal, which calls wc_DhImportKeyPair
if WOLFSSL_DH_EXTRA is defined. wc_DhImportKeyPair isn't available in the FIPS
module's dh.c. So, these functions can exist in the FIPS build provided
WOLFSSL_DH_EXTRA isn't defined. This commit accounts for this scenario.
2021-08-17 08:19:43 -07:00
Daniele Lacamera 490eeb4003 Support for IoT-Safe with TLS demo 2021-08-16 13:13:30 -07:00
Hayden Roche bbb514fa6d Add support for rsyslog.
- Add an --enable-rsyslog option to configure.ac.
- Add a few missing `WOLFSSL_ERROR` calls that were expected by rsyslog unit
  tests.
- Add better documentation around `WOLFSSL_SHUTDOWN_NOT_DONE` and define it to
  be 0 (rather than 2) when `WOLFSSL_ERROR_CODE_OPENSSL` is defined. This is in
  accordance with OpenSSL documentation. Without this change, rsyslog was
  failing to do the bidirectional shutdown properly because it was checking the
  shutdown return value against 0. I'm keeping the old value when
  `WOLFSSL_ERROR_CODE_OPENSSL` isn't defined because it's part of the public
  wolfssl interface (it's in ssl.h).
2021-08-13 23:24:28 -07:00
Juliusz Sosinowicz 7dea1dcd39 OpenResty 1.13.6.2 and 1.19.3.1 support
# New or Updated APIs
- wolfSSL_get_tlsext_status_type
- wolfSSL_X509_chain_up_ref
- wolfSSL_get0_verified_chain
- SSL_CTX_set_cert_cb
- SSL_certs_clear
- SSL_add0_chain_cert ssl_cert_add0_chain_cert
- SSL_add1_chain_cert ssl_cert_add1_chain_cert
- sk_X509_NAME_new_null
- SSL_CTX_set_cert_cb
- SSL_set0_verify_cert_store
- SSL_set_client_CA_list

# Other Changes
- Ignore gdbinit
- Add api.c tests for new API
- Add `WOLFSSL_X509_STORE* x509_store_pt` to `WOLFSSL`
- Add macro to select the `WOLFSSL` specific store when available and the associated `WOLFSSL_CTX` store otherwise. Calls to `ssl->ctx->cm` and `ssl->ctx->x509_store*` were replaced by macros.
- NO-OP when setting existing store
- Add reference counter to `WOLFSSL_X509_STORE`
- Cleanup MD5 redundant declarations
- WOLFSSL_ERROR may map to nothing so make assignment outside of it
- refMutex fields are excluded with SINGLE_THREADED macro
- Chain cert refactor
- Make `wolfSSL_add0_chain_cert` and `wolfSSL_add1_chain_cert` not affect the context associated with the SSL object
- `wolfSSL_CTX_add1_chain_cert` now updates the `ctx->certChain` on success and stores the cert in `ctx->x509Chain` for later free'ing
2021-08-12 23:58:22 +02:00
David Garske cccb8f940a Merge pull request #4209 from julek-wolfssl/net-snmp
Add support for net-snmp
2021-08-12 13:06:21 -07:00
David Garske 93a1fe4580 Merge pull request #4205 from julek-wolfssl/wpas-include-extra-stuff
Include stuff needed for EAP in hostap
2021-08-12 11:17:23 -07:00
David Garske 9bbb32c352 Merge pull request #4295 from haydenroche5/stunnel_key_gen
Turn on key generation for --enable-stunnel.
2021-08-11 11:17:30 -07:00
elms d487916557 Merge pull request #4279 from haydenroche5/pkcs12
Cleanups for PKCS8 and PKCS12 macros (always support parsing PKCS8 header)
2021-08-10 18:37:33 -07:00
Hayden Roche 65a00d9430 Turn on key generation for --enable-stunnel. 2021-08-10 17:14:06 -07:00
David Garske 699728c70c Fix for PKCS12 with NO_ASN. 2021-08-04 17:37:05 -07:00
David Garske 45eddc68e2 Fix to always support parsing of the PKCS8 header. Improved macro logic for PKCS8 and PKCS12. Added --disable-pkcs8 option. Fix to enable PWDBASED and PKCS8 if PKCS12 is enabled. 2021-08-03 14:45:45 -07:00
Juliusz Sosinowicz 2bbd04f10f Implement BIO_new_accept and BIO_do_accept 2021-08-03 19:29:08 +02:00
Juliusz Sosinowicz 8b4345734e net-snmp support patch 2021-08-03 19:28:53 +02:00
Juliusz Sosinowicz 46b061c7bc Include stuff needed for EAP in hostap
Patch that includes the API needed for EAP in hostapd and wpa_supplicant
2021-08-03 17:52:50 +02:00
Hayden Roche dc7ae37f7a Make changes to support port of NTP from OpenSSL to wolfSSL. 2021-08-02 13:33:18 -07:00
David Garske 9f6a963c60 Merge pull request #4262 from haydenroche5/libssh2
Add support for libssh2.
2021-08-02 11:29:54 -07:00
Hayden Roche 279b0facb5 Add support for libssh2. 2021-08-02 05:54:08 -07:00
John Safranek a802c270e1 Merge pull request #4260 from dgarske/dep_rc4
RC4 Cipher Deprecation
2021-07-29 10:26:11 -07:00
David Garske 2c1fed8262 Fixes for edge case builds with openssl all. Improvements to the test_wolfSSL_PKCS8_d2i. Allow forceful disable of OCSP with ./configure --enable-opensslall --disable-ocsp. 2021-07-28 12:32:08 -07:00
David Garske 27b96753e2 Disable RC4 unless forcefully enabled with --enable-rc4 or if WOLFSSL_ALLOW_RC4 is specified. Related to issue #4248 2021-07-28 10:31:15 -07:00
David Garske d49d8a9286 Merge pull request #4204 from SparkiDev/ecies_sec1
ECIES: SEC.1 and ISO 18033 support
2021-07-27 09:43:53 -07:00
Sean Parkinson 31dde4706e ECIES: Support SEC 1 and ISO 18033
Default is SEC 1.
To use old ECIES implementation: --enable-eccencrypt=old or define
WOLFSSL_ECIES_OLD
To use ISO-18033 implememtation: --enable-eccencrypt=iso18033 or
define WOLFSSL_ECIES_ISO18033
Support passing NULL for public key into wc_ecc_decrypt().
Support not having public key in privKey passed into wc_ecc_encrypt() -
public key is calculated and stored in priKey.
Add decrypt KAT test for ECIES.
2021-07-27 09:30:53 +10:00
Chris Conlon ce7e1ef94a Merge pull request #4230 from douzzer/configure-max-bits-and-ex-data
configure options for max rsa/ecc bits and ex_data
2021-07-26 09:27:20 -06:00
Daniel Pouzzner 494e285cf1 configure.ac: add --with-max-rsa-bits, --with-max-ecc-bits, and --enable-context-extra-user-data[=#]; untabify and otherwise clean up whitespace; tweak api.c, ecc.h, rsa.h, and settings.h, for compatibility with new options. 2021-07-23 22:02:58 -05:00
Juliusz Sosinowicz 142ff6d885 Bind 9.11.22 2021-07-23 18:14:18 +02:00
Juliusz Sosinowicz 06ebcca913 Code review and mp_int memory leak fixes 2021-07-23 18:14:18 +02:00
Juliusz Sosinowicz b4fd737fb1 Bind 9.17.9 Support
- Add `--enable-bind` configuration option
- New compatibility API:
  - `RSA_get0_crt_params`
  - `RSA_set0_crt_params`
  - `RSA_get0_factors`
  - `RSA_set0_factors`
  - `RSA_test_flags`
  - `HMAC_CTX_get_md`
  - `EVP_MD_block_size`
  - `EC_KEY_check_key`
  - `o2i_ECPublicKey`
  - `DH_get0_key`
  - `DH_set0_key`
- Calling `EVP_MD_CTX_cleanup` on an uninitialized `EVP_MD_CTX` structure is no longer an error
- `DH_generate_parameters` and `DH_generate_parameters_ex` has been implemented
2021-07-23 18:14:12 +02:00
Sean Parkinson d372f097f7 SP C: change number of words for RSA/DH
Faster small code and fast code.
Allow fixed 4096-bit FFDHE parameters in benchmark.
Convert [u]int[32|64|128]*_t types to sp_[u]int[32|64|128].
Add a div for when top bits are all 1
WOLFSSL_SP_FAST_LARGE_CODE added to make mul_add function faster on
non-embedded platforms.
Change mod_exp window sizes for same performance but less memory.
P256 with c32 now 9 words instead of 10.
2021-07-22 13:12:31 +10:00
David Garske ede738b6e4 Merge pull request #4223 from SparkiDev/mem_usage_fixes_1
Memory allocation: fixes from memory usage generation
2021-07-21 08:20:09 -07:00
Sean Parkinson dc19ba2aa7 Memory allocation: fixes from memory usage generation
1. Configuration: If not fast math then don't set ALT_ECC_SIZE when
configuring.
2. ECC KeyShare: Key share entry's key was allocated with type
DYNAMIC_TYPE_PRIVATE_KEY, free with same type.
3. Ed25519: free the SHA-512 temporary object. WOLFSSL_SMALL_STACK_CACHE
builds have dynamicaly allocated data.
4. RSA: Don't keep allocating a new hash object in RsaMGF1 when compiled
with WOLFSSL_SMALL_STACK_CACHE.
2021-07-21 09:54:11 +10:00
JacobBarthelmeh aedd2a33db Merge pull request #4221 from douzzer/sanitizer-fixes-20210719
misc sanitizer fixes etc
2021-07-21 00:40:09 +07:00
Daniel Pouzzner fe94c36a7b configure.ac: fix wrong constructions in environment setup for ENABLED_REPRODUCIBLE_BUILD. 2021-07-19 18:31:13 -05:00
Hayden Roche 5507a07563 Add support for sblim-sfcb port. 2021-07-19 16:28:44 -07:00
Daniel Pouzzner 5e8da2348f ED: add --enable-ed25519-stream and --enable-ed448-stream to configure.ac, disabled by default, and add them to --enable-all and --enable-all-crypto lists, along with --enable-aesgcm-stream; report AES-GCM and ED* streaming API options in feature summary rendered at end;
refactor ED routines to pivot on WOLFSSL_ED*_PERSISTENT_SHA and WOLFSSL_ED*_STREAMING_VERIFY macros, with sha state in the key struct only when WOLFSSL_ED*_PERSISTENT_SHA, otherwise on the stack as before;

add ed*_hash_init() and ed*_hash_free() local helpers;

ED* peer review: fix line lengths, remove superfluous retval checks, tweaks for efficiency, and add ED448_PREHASH_SIZE to ed448.h.
2021-07-16 13:49:47 -05:00
JacobBarthelmeh fc6aa19eb8 Merge pull request #4200 from haydenroche5/tcpdump
Add support for tcpdump with wolfSSL.
2021-07-15 14:57:47 +07:00
JacobBarthelmeh 18399091ce Merge pull request #4012 from julek-wolfssl/haproxy
HaProxy 2.4-dev18 support
2021-07-14 15:46:04 +07:00
Jacob Barthelmeh 3bebcaaf54 bump version for dev 2021-07-13 04:18:52 +07:00
Hayden Roche 9f8e728672 Add support for tcpdump with wolfSSL. 2021-07-12 14:06:25 -07:00
JacobBarthelmeh 500a6c8b27 prepare for release 4.8.0 2021-07-08 12:02:40 -06:00