Commit Graph

7714 Commits

Author SHA1 Message Date
JacobBarthelmeh 5f9ed54aaa Merge pull request #7451 from SparkiDev/test_fixes_1
Fixes from configuration testing
2024-04-19 10:43:31 -06:00
JacobBarthelmeh 9242f611b2 Merge pull request #7449 from lealem47/nginx_stubs
Adding stubs required for latest nginx
2024-04-19 10:38:17 -06:00
Sean Parkinson 97d560d9af Fixes from configuration testing
asn1.c: Allow sample to build without coding (base64 decoding).

set_curves_list(): function for ECC, Ed25519, Ed448 but this block of
code is ECC only. Fixed #ifdef protection.

wolfSSL_CTX_set1_curves_list and wolfSSL_set1_curves_list also available
when Curve25519/Curve448 compiled in but not ECC.
2024-04-19 08:40:19 +10:00
Lealem Amedie 7a7af18887 Guard with OPENSSL_EXTRA instead of WOLFSSL_NGINX 2024-04-18 16:33:37 -06:00
JacobBarthelmeh fe671f72e1 Merge pull request #7435 from SparkiDev/ssl_misc_fixup
ssl_misc.c: wolfssl_file_len() protection
2024-04-18 14:36:38 -06:00
Daniel Pouzzner e48f06bd53 fixes for WOLFSSL_DUAL_ALG_CERTS: "cannot take address of bit-field ‘altKeyType’" and "‘altPrivateKeyType’" in ProcessBufferTryDecode(), "‘heap’ undeclared" in ProcessBufferCertAltPublicKey(), "‘consumed’ undeclared" in ProcessFile(), "‘keySz’ undeclared" in wolfSSL_CTX_use_PrivateKey_Id(). 2024-04-18 13:49:44 -05:00
Lealem Amedie a1cf316630 Adding stubs required for latest nginx 2024-04-18 12:28:31 -06:00
JacobBarthelmeh 41f31f4635 Merge pull request #7440 from douzzer/20240417-fix-LoadSystemCaCertsWindows
20240417-fix-LoadSystemCaCertsWindows
2024-04-17 15:47:48 -06:00
Daniel Pouzzner 6e3a9d5447 src/ssl_load.c: in LoadSystemCaCertsWindows(), fix flub introduced in 8e9810e87e. 2024-04-17 13:24:26 -05:00
Sean Parkinson 593cb77e51 ssl_misc.c: wolfssl_file_len() protection
wolfssl_file_len is now used by wolfssl_read_file_static() which is
compiled in with less restrictions.
Fix #ifdef protection.
2024-04-17 22:44:13 +10:00
Daniel Pouzzner 3df11e7eab fixes for cppcheck uninitvar src/pk.c (false positives) and nullPointerRedundantCheck in src/ssl_load.c (true positive). 2024-04-17 01:00:41 -05:00
Sean Parkinson 8e9810e87e ssl.c: Move functions out to separate files
Moved E[CD][25519||448] APIs to pk.c
Move public key PEM APIs to pk.c.
Move wolfSSL loading and using of private keys and certificates to
ssl_load.c
Move PKCS#7 and PKCS#12 APIs to ssl_p7p12.c.
Move session and session cache APIs to ssl_sess.c.
Other minor fixes.
2024-04-16 10:30:59 +10:00
JacobBarthelmeh 3742c4dd57 Merge pull request #7413 from gojimmypi/PR-PlatformIO-FreeRTOS
Modify PlatformIO FreeRTOS include path, settings.h
2024-04-12 14:32:55 -06:00
JacobBarthelmeh 8b656d5a5f Merge pull request #7295 from kaleb-himes/SRTP-KDF-FS
SRTP-KDF FS Preview
2024-04-11 13:41:05 -06:00
gojimmypi b1261f5471 Modify PlatformIO FreeRTOS include path, settings.h 2024-04-11 07:46:35 -07:00
JacobBarthelmeh a8415a7926 Merge pull request #7367 from mrdeep1/hello_verify_request
Support DTLS1.3 downgrade when using PSK
2024-04-09 16:17:59 -06:00
kaleb-himes ef2a636610 Expose additional features of opensslall in a compliant way 2024-04-09 09:48:33 -06:00
kaleb_himes 81f5ac7f6c SRTP-KDF FS Preview 2024-04-09 09:48:33 -06:00
Sean Parkinson d96e5ec589 No match cipher suite alert type change
TLS 1.0/1.1/1.2 specifications require the of a return a handshake
failure alert when no cipher suites match.
TLS 1.3 specification requires the return of a "handshake_failure" or
"insufficient_security" fatal alert.

Change alert sent from "illegal_parameter" to "handshake_failure".
2024-04-08 11:25:50 +10:00
Daniel Pouzzner d1efccd259 Merge pull request #7381 from dgarske/netdb_ioctl
Restore `HAVE_NETDB_H` and `HAVE_SYS_IOCTL_H` checks in the wolfio.c.
2024-04-05 16:02:21 -04:00
Daniel Pouzzner 7d66cc46ff Merge pull request #7375 from mrdeep1/fix_rpk
RPK: Define Certificates correctly for (D)TLS1.2
2024-04-05 15:48:25 -04:00
Anthony Hu cf2f58bfdf Merge pull request #7395 from douzzer/20240403-RPK-cleanups
20240403-RPK-cleanups
2024-04-05 13:43:15 -04:00
Daniel Pouzzner cdf2504612 fixes for non-portable (endian-sensitive) code patterns around word16 in TLS layer. 2024-04-05 10:42:05 -05:00
Daniel Pouzzner 747755b3c4 fixes for analyzer carps around HAVE_RPK:
fix clang-analyzer-deadcode.DeadStores in src/tls.c TLSX_ClientCertificateType_GetSize();

fix clang-analyzer-deadcode.DeadStores in tests/api.c test_tls13_rpk_handshake();

fix null pointer to XMEMCPY() in src/internal.c CopyDecodedName().
2024-04-04 00:15:01 -05:00
Daniel Pouzzner 8511b2dc6b ProcessBuffer(): in WOLFSSL_DUAL_ALG_CERTS code path, fall through without disrupting ret, if cert->sapkiOID and cert->sapkiLen are unset. 2024-04-03 13:54:57 -05:00
Anthony Hu 9bfab33726 Address comments from Jacob. 2024-04-03 09:04:28 -04:00
Daniel Pouzzner 2f3495f286 src/tls13.c: remove unreachable break in DoTls13CertificateVerify().
tests/api.c: fix various use-after-frees of file in do_dual_alg_root_certgen() and do_dual_alg_server_certgen().
2024-04-01 17:37:03 -04:00
Tobias Frauenschläger 136eaae4f1 Improvements to dual alg certificates
* Support for external keys (CryptoCb interface)
* Support for usage in mutual authentication
* better entity cert parsing
* Fix for Zephyr port to support the feature
* Check key support
* Proper validation of signatures in certificate chains
* Proper validation of peer cert with local issuer signature
	(alt pub key is cached now)
* Support for ECC & RSA as alt keys with PQC as primary
* Support for PQC certificate generation
* Better support for hybrid signatures with variable length signatures
* Support for primary and alternative private keys in a single
  file/buffer
* More API support for alternative private keys

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-04-01 17:37:03 -04:00
David Garske da6a11d1d1 Restore HAVE_NETDB_H and HAVE_SYS_IOCTL_H checks in the wolfio.c. 2024-04-01 09:49:22 -07:00
Jon Shallow a0f3933881 Support (D)TLS1.3 downgrade when using PSK
DTLS Server:
examples/server/server -v3 -u -s

DTLS Client:
examples/client/client -vd -g -u -s

TLS Server:
examples/server/server -v3 -s

TLS Client:
examples/client/client -vd -g -s

Support checking for DTLS1.2 Hello Verify Request when using PSK.

Unset options.tls1_3 when handling a DTLS1.2 Hello Verify Request.

Unset options.tls1_3 when handling a (D)TLS1.2 Server Hello to stop
checking of Encrypted Client Hello

Requires ./configure --enable-all --enable-dtls13

Add in tests for DTLS1.3 and TLS1.3 downgrade when using PSK.
2024-03-29 18:04:30 +00:00
Daniel Pouzzner 038be95a4a wolfssl/wolfcrypt/types.h: add WC_SAFE_SUM_WORD32().
src/internal.c: mitigations for potential integer overflows in figuring allocation sizes.
2024-03-29 11:45:11 -05:00
Daniel Pouzzner 7e8c0156fe Merge pull request #7325 from dgarske/zephyr
Improve Zephyr support
2024-03-29 00:57:55 -04:00
Daniel Pouzzner 58462840c1 src/ssl.c: add missing cast in wolfSSL_GetSessionFromCache(). 2024-03-28 15:14:19 -05:00
Jon Shallow f2e6f49721 RPK: Define Certificates correctly for (D)TLS1.2
As per https://datatracker.ietf.org/doc/html/rfc7250#section-3 Figure 1,
the RPK is a single ASN.1_subjectPublicKeyInfo, whereas X509 certificates
etc. are transmitted as a certificate list (even if there is only 1).

This is for (D)TLS1.2 transfers, and this PR fixes this.

As per https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 all
certificates (both RPK and Z509) are transferred using a certificate list.

Update examples client to support RPK certificates.

For testing:-
Server:
$ gnutls-serv --http --x509fmtder --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK --rawpkfile certs/server-keyPub.der --rawpkkeyfile certs/server-key.der

Client:
$ examples/client/client -g -p 5556 -c certs/client-keyPub.der -k certs/client-key.der --rpk --files-are-der
2024-03-28 17:58:02 +00:00
gojimmypi 01ae240fe8 Initialize some Kyber variables 2024-03-25 14:08:47 -07:00
JacobBarthelmeh 85601311a2 rework library versioning 2024-03-21 04:02:28 +07:00
David Garske 50b1044c2f Merge pull request #7347 from JacobBarthelmeh/coverity2
Coverity Fixes QUIC
2024-03-18 09:04:09 -07:00
David Garske 85c22abe4e Fix for Zephyr TimeNowInMilliseconds. Resolves issue with TLS v1.3 server and session tickets time (uptime in sim < 1000 ms was being made 0). 2024-03-18 08:14:40 -07:00
JacobBarthelmeh d6b4b27cd1 CID 299893 out of bounds read with XMEMCMP 2024-03-18 16:42:15 +07:00
JacobBarthelmeh 44f3e4a3b7 CID 337219 allocation using untrusted size 2024-03-18 16:04:37 +07:00
JacobBarthelmeh 635d326812 CID 337232 sanity check on tainted scalar 2024-03-18 15:03:04 +07:00
David Garske 8d1714a307 Fix for PSK callback with OPENSSL_EXTRA to correctly handle the 0 length case. Thank you @miyazakh. Broken in #7302 2024-03-15 08:09:59 -07:00
David Garske 5dff8aa417 Merge pull request #7334 from SparkiDev/macosx_clang_15_asm_fix
MacOS X Intel ASM clang 15: fix asm to compile without warning
2024-03-14 10:10:42 -07:00
Daniel Pouzzner 3fd6af0cd2 Merge pull request #7283 from SparkiDev/lms
LMS: initial implementation
2024-03-14 01:48:57 -04:00
Sean Parkinson 3ba5dd3e6d MacOS X Intel ASM clang 15: fix asm to compile without warning
Don't use align when __APPLE__ is defined.
Make minimum alignment on variables in ASM 8 bytes (.p2align 3).

Fix x86 builds with ASM.
2024-03-14 11:42:12 +10:00
JacobBarthelmeh 9f240bb34c fix for warning of no stdint.h include with uintptr_t 2024-03-14 00:38:02 +07:00
JacobBarthelmeh 1e054b9613 Merge pull request #7302 from dgarske/pk_psk
Support for Public Key (PK) callbacks with PSK
2024-03-14 00:02:23 +07:00
jordan 0e15a2e83a Handle failed alloc in TLSX_Write. 2024-03-08 22:56:27 -06:00
David Garske 9fadcb2edc Merge pull request #7307 from bandi13/fixNightlyCrossworks
Fix nightly crossworks
2024-03-08 13:12:53 -08:00
David Garske 11303ab796 Support for Public Key (PK) callbacks with PSK in TLS v1.2 and TLS v1.3 (client and server). ZD 17383 2024-03-08 12:21:06 -08:00