Commit Graph

2084 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 1b6b16c2c3 HaProxy 2.4-dev18 support
*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
    - `STACK_TYPE_X509_OBJ`
    - `OCSP_id_cmp`
    - `X509_STORE_get0_objects`
    - `X509V3_EXT_nconf_nid`
    - `X509V3_EXT_nconf`
    - `X509_chain_up_ref`
    - `X509_NAME_hash`
    - `sk_X509_NAME_new_null`
    - `X509_OBJECT_get0_X509`
    - `X509_OBJECT_get0_X509_CRL`
    - `ASN1_OCTET_STRING_free`
    - `X509_LOOKUP_TYPE`
    - `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
    - WOLFSSL_CTX
        - Enable all compiled in protocols
        - Allow anonymous ciphers
        - Set message grouping
        - Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
    - Return first that occured
    - Set correct value on date error
    - Set revoked error on OCSP or CRL error
    - Save value in session and restore on resumption
    - Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
2021-07-06 15:39:23 +02:00
Sean Parkinson 6694775d4b Changes to compile without XTREAM_ALIGN
Use macro to load 32 bits from input parameters key in hc128.c and input
in rabbit.c
Also fix warning about string copy.
2021-06-30 21:58:30 -07:00
Elms dc7beab784 address errors with -fsanitize=undefined
- fix null dereferences or undefined `memcpy` calls
 - fix alignment in `myCryptoDevCb`
 - fix default dtls context assignment
 - add align configure option to force data alignment

TESTED:
 `./configure CFLAGS=-fsanitize=undefined\ -DWOLFSSL_GENERAL_ALIGNMENT=1 --enable-all`
2021-06-30 21:58:30 -07:00
Sean Parkinson 8592053856 Regression test fixes
./configure --enable-all --disable-rsa
./configure --disable-chacha --disable-asm
./configure --disable-rsa --disable-ecc --disable-dh --enable-curve25519
--enable-cryptonly (and ed25519, curve448, ed448)
./configure --disable-tls13 --enable-psk --disable-rsa --disable-ecc
--disable-dh C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK
./configure --disable-oldtls --enable-psk -disable-rsa --disable-dh
-disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK
--enable-lowresource --enable-singlethreaded --disable-asm
--disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224
--disable-sha384 --disable-sha512 --disable-sha --disable-md5
-disable-aescbc --disable-chacha --disable-poly1305 --disable-coding
Various build combinations with WOLFSSL_SP_MATH and WOLFSSL_SP_MATH_ALL
2021-06-25 09:18:06 +10:00
Brian Aker 2d497d1cf5 Fix for make distcheck, maintainer-clean, to allow distribution builds.
This the second pass at this after seeing how fips is added to tree in later phases.
This allow autoreconf to be directly called which allows the Makefile to rebuild when seeing that changes have been ( having an autogen.sh is older convention which left to history in the way autotools are invoked )
This fixes "make distcheck" and "make maintainer-clean" which are required by most distributions packaging systems.

The files previously touched by autogen.sh are now properly placed into autoconf.
The include files files are generated by configure. ( There is a note placed in configure.ac as to why and reference to the automake documention for this ). Append to file was done on purpose, touch cannot be in configure safetly. Normally autoheader would be used for this but since the include files are created out of tree, care has to be taken to not overwrite those file.
For the source files, they were moved into the coresponding automake file. It is safe to use touch in automake. Since files can optionally copied from elsewhere, they have to be listed in BUILT_SOURCES. They are written srcdir in order to allow make to do VPATH builds ( which is configure by make distcheck ).
To show fips files are preserved without having the actual fips files, a C style comment can be echoed into the files.
There are a few current, but outstanding issues.
1) config.h needs to be fixed configure.ac to use autoheader in order to allow configure to know to rebuilt depencies on its changes. ( Out of scope for this patch. )
2) verion.h checked into the tree and it is a built file. A make maintainer-clean followed by "git status --ignored" will confirm this. ( Out of scope for this patch )
3) autogen.sh has not been updated to reflect fixes. I believe that for this patch, it should be left alone and checked for regression in Jenkins by itself.
4) There is an out of date .spec file for building RPM which should be updated now that distcheck is working.
5) maintainer-clean should have rule added to remove build-aux testdriver.

This has been tested on current Ubuntu testing, OSX, Fedora 34, and Debian 10.

Additionaly "make distcheck" should be added to regression testing, along with "make maintainer-check".

Other improvement possibilities:
A possible future improvement is to let autoconf handle build with optional out of dist files.
Modify fips configure.ac check to allow for an injection of comments into blank fips files in order to prove distribution of fips/non-fips builds.
Update git rules to use 'make maintainer-clean', 'autoreconf -if', 'make distcheck'.
2021-06-19 20:16:14 -07:00
David Garske 18fc1b7e63 Merge pull request #4006 from elms/refactor_pointer_manipulation 2021-06-17 16:37:03 -07:00
Elms 91f002235e make: --enable-memtest track and --enable-memtest=fail to force failure 2021-06-17 10:45:39 -07:00
Elms 3a885aba23 Refactor pointer manipulation to be independent of datatype width
Tested with `./configure CFLAGS="-DNO_64BIT" --disable-sha512
--disable-sha384 --enable-harden` on a 64-bit machine
2021-06-15 21:08:49 -07:00
Sean Parkinson ed14e593c7 ED25119 and SHAKE-256: fixes
SHAKE-256 is off by default now. Make sure WOLFSSL_SHAKE256 doesn't make
it into options.h.
Fix openssl.test usage of ed25519 certificates.
Add scripts that regenerate certificates
2021-06-11 10:13:31 +10:00
Kaleb Himes a27cdc538a Fix typo 2021-06-01 13:30:32 -06:00
Kaleb Himes 3a9c6ea924 fix FIPS v2 check ($ENABLED_FIPS not set for v2) 2021-06-01 13:29:39 -06:00
kaleb-himes 94831eadf1 Sync SHAKE256 default (disabled) with parent default edDSA448 (disabled) and remove WOLFSSL_NO_SHAKE256 flag 2021-06-01 11:38:17 -06:00
Jacob Barthelmeh efa478c121 add caam header files to make install 2021-05-15 15:42:50 +07:00
toddouska 54b17ba465 Merge pull request #3952 from julek-wolfssl/ZD12062
Using `--enable-chacha=noasm` wouldn't actually enable chacha
2021-04-23 15:55:10 -07:00
toddouska 91e90f7a98 Merge pull request #3604 from haydenroche5/stunnel
Make changes to get latest verison of stunnel (5.57) working with wolfSSL.
2021-04-23 15:41:22 -07:00
Daniel Pouzzner 40d5aad8fe configure.ac: improve dynamics of --enable-wolfsentry and --with-wolfsentry*, including existence-checking user-supplied paths. 2021-04-21 17:28:27 -05:00
Daniel Pouzzner c874d9259c configure.ac: add --with-wolfsentry option. 2021-04-21 03:19:35 -05:00
Daniel Pouzzner 23d8df720e remove WOLFSSL_NETWORK_INTROSPECTION code; add wolfSSL_X509_STORE_set_ex_data_with_cleanup(); refactor WOLFSSL_WOLFSENTRY_HOOKS code in server.c to use HAVE_EX_DATA/HAVE_EX_DATA_CLEANUP_HOOKS. 2021-04-20 23:59:58 -05:00
Daniel Pouzzner 1cbe696716 checkpoint: fully functioning demo via examples/server/ and unit.test (which produces a "filtered" error on a subtest when built --enable-wolfsentry). 2021-04-20 23:59:57 -05:00
Daniel Pouzzner ba2cc00e5d initial implementation of WOLFSSL_NETWORK_INTROSPECTION: --enable-network-introspection, struct wolfSSL_network_connection, wolfSSL_*_endpoints*(), NetworkFilterCallback_t, wolfSSL_*set_AcceptFilter(). 2021-04-20 23:59:57 -05:00
Hayden Roche 4cd3f2e826 Make changes to get latest verison of stunnel (5.57) working with wolfSSL. 2021-04-13 09:18:25 -05:00
Juliusz Sosinowicz d8dd69cf44 Using --enable-chacha=noasm wouldn't actually enable chacha 2021-04-08 12:46:05 +02:00
Daniel Pouzzner 5f6b618e71 configure.ac: add --enable-aescbc-length-checks and add it to --enable-all; api.c: fix expected error code in WOLFSSL_AES_CBC_LENGTH_CHECKS path of test_wc_AesCbcEncryptDecrypt(); aes.c: add explanatory comment on WOLFSSL_AES_CBC_LENGTH_CHECKS to top of file. 2021-03-26 14:04:25 -05:00
JacobBarthelmeh 13d81f1fb9 Merge pull request #3902 from dgarske/snicb
Fix for SNI recv callback
2021-03-24 15:34:35 +07:00
David Garske 9313d59479 Fix for SNI callback
* Fix for SNI callback on server to make sure the SNI data is stored even without setting a hostname. This makes sure the SNI extension is set when there is a registered SNI recv callback.
* Fix for Apache HTTPD to include `WOLFSSL_ALWAYS_KEEP_SNI`
2021-03-22 11:28:16 -07:00
toddouska 14b7d70ae4 Merge pull request #3846 from kabuobeid/builtinEngsRandMethod
Add wolfSSL_RAND_set_rand_method() and document ENGINE_load_builtin_engines()
2021-03-19 14:23:03 -07:00
toddouska a363077b1e Merge pull request #3841 from SparkiDev/aes_gcm_stream
AES GCM: implement streaming
2021-03-18 14:36:55 -07:00
David Garske 7760dcb43b Fixes and cleanups for the openssl compatibility layer RAND_ functions. For opensslextra=x509small don't include the RAND method code. Removed abandonded "ENABLED_SMALL" option in configure.ac. 2021-03-17 15:51:52 -07:00
Sean Parkinson 38d268dbbb fixup 2021-03-17 11:31:03 +10:00
Sean Parkinson 7f1e63e7f5 SP config: allow asm to be an SP options (--enable-sp=asm.yes) 2021-03-17 11:24:55 +10:00
Sean Parkinson 35659be06f AES GCM: implement streaming
Updated EVP layer to use streaming API when enabled.
Assembly for x64 updated to include streaming.
2021-03-16 16:39:49 +10:00
toddouska 5fd0950a3a Merge pull request #3654 from SparkiDev/sakke_eccsi
ECCSI and SAKKE: add support
2021-03-15 16:15:59 -07:00
Daniel Pouzzner 92854a5ddc configure.ac: advance AC_PREREQ from 2.63 (2008) to 2.69 (2012) to reflect current automated testing coverage, and to avoid intractable best-practice conflicts between 2.63 and 2.70 (2020); advance AM_INIT_AUTOMAKE from 1.11 (2009) to 1.14.1 (2013) to reflect current automated testing coverage; advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current automated testing coverage. 2021-03-12 13:49:29 -06:00
Sean Parkinson a55e94cf6f ECCSI and SAKKE: add support
Fixes for static code analysis included.
Added const to function parameters.
Zeroise some temporaries.
2021-03-12 09:31:22 +10:00
Daniel Pouzzner 771a7418ea fixes for compat with autoconf 2.70 and gcc-10: update m4/ax_pthread.m4 and m4/ax_tls.m4 from upstream, fix declaration syntax in tests/api.c, add AC_CANONICAL_TARGET in configure.ac, and fix two spots with bad quoting syntax in configure.ac and m4/ax_linuxkm.m4. also fix myriad whitespace flubs in api.c. 2021-03-11 17:29:12 -06:00
toddouska 72eebd6e75 Merge pull request #3795 from JacobBarthelmeh/CAAM
Addition of QNX CAAM driver
2021-03-10 15:04:21 -08:00
Hideki Miyazaki cd26444e01 addressed jenkins failure part1 2021-03-05 08:19:21 +09:00
toddouska 0a74fbf95f Merge pull request #3789 from fabiankeil/configure-accept-amd64
configure: When enabling --enable-sp-asm, accept host_cpu amd64
2021-03-04 11:11:13 -08:00
Jacob Barthelmeh 749425e1e8 first pre alpha code for QNX + CAAM
manual run of RNG init and JDKEK print

job ring does initial rng

is successful on some red key blob operations

caam red key blob test pass

ecdsa sign/verify

ecdsa ecdh/sign/verify with black secure key

ecdsa ecdh/sign/verify with black secure key

initial cmac addition

initial cmac addition

black blob encap

black keys with cmac

add invalidate memory

refactoring and clean up

more code cleanup

add files for dist and remove some printf's

remove unneeded macro guard

use resource manager
2021-03-03 18:45:40 +07:00
David Garske 4d8068a328 Merge pull request #3813 from douzzer/configure-autotools-boilerplate-at-the-top
configure.ac: put autotools boilerplate at the top
2021-03-02 09:22:09 -08:00
Sean Parkinson d805a5c681 SP int: get keygen working with SP math again
./configure --enable-sp --enable-sp-math --enable-keygen
2021-02-25 10:01:27 +10:00
Daniel Pouzzner 9be1e74dc3 configure.ac: move the autotools boilerplate/initializations back to the top, before --enable-distro and --enable-reproducible-build handling. 2021-02-24 17:04:33 -06:00
Daniel Pouzzner c201b6801c Merge pull request #3808 from lechner/enable-base64-with-all
Enable Base64 as part of --enable-all.
2021-02-24 14:39:20 -06:00
Daniel Pouzzner 764207a9f5 Merge pull request #3806 from elms/autoconf/oot_fips_check
configure: fix for FIPS out-of-tree builds
2021-02-24 14:38:26 -06:00
toddouska 94a23c1d48 Merge pull request #3646 from julek-wolfssl/nginx-1.19.6
Add support for Nginx 1.19.6
2021-02-24 12:21:51 -08:00
Elms 36ba2e134b configure: FIPS error and compatability cleanup
Use autotools macros for case and if. Simplify validation logic.
2021-02-24 08:53:50 -08:00
Felix Lechner ae28550667 Enable Base64 as part of --enable-all.
Part of an effort to standardize build options across distributions.

When building with all options, this includes Base64, a feature that
was requested in the past.

This commit passed Debian's Salsa CI pipeline [1] as part of a larger
commit streamlining the build options for distributions. [2]

A related pull request by douzzer activated reproducible builds for
distributions by default. [3]

Thanks to David Garske for his generous contributions to this commit!

[1] https://salsa.debian.org/lechner/wolfssl/-/pipelines/233601
[2] https://salsa.debian.org/lechner/wolfssl/-/blob/debian/master/debian/patches/standardize-distro-options.patch
[3] https://github.com/wolfSSL/wolfssl/commit/e30b3d35549ed4ec07cd63bfffc9ae80bf2a3b16
2021-02-23 19:46:56 -08:00
Daniel Pouzzner 9dadd02fb9 configure.ac move --enable-distro handling to top (preceding --enable-reproducible-build handling), and turn on reproducible-build by default when enable-distro; fix spelling error in reproducible-build help text. 2021-02-23 17:05:44 -06:00
Elms 47872224d8 configure: fix for FIPS out-of-tree builds
Check for fips files relative to source directory.
2021-02-23 14:17:35 -08:00
JacobBarthelmeh 0dfdf92ff7 Merge pull request #3784 from elms/cmake_curve_ed
configure: ED448 to enable SHA3 and SHAKE256 properly
2021-02-24 03:20:38 +07:00