Commit Graph

8375 Commits

Author SHA1 Message Date
Juliusz Sosinowicz e3a612300b Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
2025-01-29 11:02:47 +01:00
David Garske ed390e472d Merge pull request #8373 from julek-wolfssl/libimobiledevice-1.3.0
Changes for libimobiledevice 860ffb
2025-01-27 07:52:06 -08:00
Juliusz Sosinowicz 89aba661fc Changes for libimobiledevice 860ffb 2025-01-27 12:56:49 +01:00
Daniel Pouzzner b41d46a158 src/ssl.c and src/ssl_load.c: fix syntax flubs in WOLFSSL_DILITHIUM_FIPS204_DRAFT paths. 2025-01-25 10:11:25 -06:00
Daniel Pouzzner e6b87c2e54 src/ssl.c: work around false positive from scan-build in wolfSSL_writev(), long ago annotated with PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"").
wolfcrypt/src/misc.c: fix typo, max_size_t_() -> max_size_t().
2025-01-24 17:55:55 -06:00
Daniel Pouzzner 91aad90c59 wolfssl/internal.h and src/internal.c:
change Buffers.prevSent and .plainSz from int to word32;

change SendData() sz arg from int sz to size_t sz;

add asserts in SendData() and ReceiveData() to prevent sz > INT_MAX (assuring no overflow internally or in the returned int).

wolfssl/ssl.h and src/ssl.c:

change WOLFSSL_BUFFER_INFO.length from unsigned int to word32 (no functional change, just for consistency);

add wolfSSL_write_internal(), refactor wolfSSL_write() to call it, and fix wolfSSL_write_ex() to take size_t sz, not int sz.
2025-01-24 17:16:08 -06:00
Daniel Pouzzner 1b338abb2d fix wolfSSL_read_ex() prototype with size_t sz, not int sz, for consistency with OpenSSL;
fix internal functions wolfSSL_read_internal() and ReceiveData() to likewise accept size_t sz;

add negative sz checks where needed to other functions that call wolfSSL_read_internal() and ReceiveData();

add min_size_t() and max_size_t() to misc.c/misc.h.
2025-01-24 16:16:43 -06:00
David Garske 20ae10fd8c Merge pull request #8360 from philljj/dual_alg_mldsa
Update ssl code for ML_DSA.
2025-01-24 11:55:04 -08:00
David Garske ba88a6454c Merge pull request #8331 from julek-wolfssl/bind-9.18.28
Bind 9.18.28 fixes
2025-01-24 11:37:26 -08:00
David Garske 2e87dfc207 Merge pull request #8345 from JacobBarthelmeh/python_update
Python update to 3.12.6
2025-01-24 11:37:10 -08:00
JacobBarthelmeh 69be9aa211 fix to not stomp on sz with XOF function, restore comment, remove early XFREE call 2025-01-24 11:40:53 -07:00
Juliusz Sosinowicz 829c2a022f Free'ing ctx->srp has to be reference counted as well 2025-01-24 18:39:11 +01:00
JacobBarthelmeh 8eb6b5a3e4 clang tidy unused parameter warning 2025-01-24 00:34:41 -07:00
JacobBarthelmeh 2526d91300 formating for line length and guard on access to EncryptedInfo struct 2025-01-23 23:56:28 -07:00
JacobBarthelmeh 9b04a4f8d1 account for correct return value of cipher stack push and clSuite use case after rebase 2025-01-23 17:47:24 -07:00
JacobBarthelmeh 41e00dc3c9 handle edge case with wolfSSL_write_ex and refactor wolfSSL_get_client_ciphers 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 1e3d3ddec7 remove attempting to load a CRL with wolfSSL_CTX_load_verify_locations_ex 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 8ca979f892 refactor clSuites internal use, and check return values with setting PARAMS 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 86ed94f2e3 change return of stub functions to be failure, pass PEM password cb and user data along 2025-01-23 16:30:08 -07:00
JacobBarthelmeh fc563f2e20 cast data input to const and resolve overlong line length 2025-01-23 16:30:08 -07:00
JacobBarthelmeh da7543f65b fix for macro guard with QT build 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 661f6b04a2 fix for macro guard on free of clSuites 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 2812baf5a9 fix for memory leak with new wolfSSL_get_client_ciphers function 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 418e63e448 fix for smallstack build 2025-01-23 16:30:08 -07:00
JacobBarthelmeh a9efd7358a resolve memory leak on error 2025-01-23 16:30:08 -07:00
JacobBarthelmeh 363ecd3756 add macro guards to account for alternate builds 2025-01-23 16:30:07 -07:00
JacobBarthelmeh c6974a921d fix for return values of write_ex/read_ex, propogate PARAMS, handle CRL with load_verify_locations, fix for get verified/unverified chain 2025-01-23 16:30:07 -07:00
JacobBarthelmeh 689c61cc7e adding implementation of wolfSSL_get_client_ciphers 2025-01-23 16:30:07 -07:00
JacobBarthelmeh d8a9aaad16 add key mismatch error 2025-01-23 16:30:07 -07:00
JacobBarthelmeh 7d374a2ca5 fix SSL_write_ex return value and build with extra trace debug 2025-01-23 16:30:07 -07:00
JacobBarthelmeh 3b23a05157 flush out x509 object stack deep copy and md get flag 2025-01-23 16:30:07 -07:00
JacobBarthelmeh f9e289881b stub out all functions needed for Python port update 2025-01-23 16:30:07 -07:00
Lealem Amedie eda98712d5 Fix for NO_REALLOC build crash 2025-01-23 16:14:45 -07:00
Lealem Amedie 49a74daebc Fix OPENSSL_ALL build with WOLFSSL_NO_REALLOC 2025-01-23 13:59:30 -07:00
jordan 2ef90b1f89 ML-DSA/Dilithium: update ssl code for ML_DSA final. 2025-01-23 15:33:26 -05:00
David Garske f61d276f3b Merge pull request #8362 from JacobBarthelmeh/copyright
update copyright date to 2025
2025-01-21 16:23:49 -08:00
JacobBarthelmeh d94c043b09 misc. spelling fixes 2025-01-21 16:18:28 -07:00
JacobBarthelmeh a4c58614b9 Merge pull request #8324 from julek-wolfssl/ntp-4.2.8p17
ntp 4.2.8p17 additions
2025-01-21 10:02:23 -08:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Juliusz Sosinowicz 88c6349837 quic_record_append: return correct code
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.

The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.

Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.

First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):

```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
    --enable-all --enable-aesni --enable-harden --enable-keylog-export \
    --disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
    --with-wolfssl
$ make -j$(nproc) check
```

Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip

From the ngtcp2 dir:

```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```

Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):

```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
    p = i[IP]
    p.dport = 44433
    p.dst = "127.0.0.1"
    p[UDP].chksum=0
    p.display()
    send(p)
```

Then observe the log line:

```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```

You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.

```
    if (quic_record_complete(qr) || len == 0) {
        return 0;
    }
```
2025-01-16 11:39:57 -08:00
Kareem 9f5c89ab4b Properly check for signature_algorithms from the client in a TLS 1.3 server.
The server was checking ssl->extensions which will always have an entry for TLSX_SIGNATURE_ALGORITHMS
as it is unconditionally added by TLSX_PopulateExtensions earlier in the DoTls13ClientHello function.
Instead, check args->clSuites->hashSigAlgoSz which is only set if signature_algorithms is found and parsed by TLSX_Parse.
2025-01-13 16:22:28 -07:00
Daniel Pouzzner d4c654205b Revert "quic_record_append: return correct code"
This reverts commit bc12dad041.

This commit broke builds that combine QUIC and PQ -- known failures are pq-all-valgrind-unittest, pq-hybrid-all-rpk, pq-hybrid-all-rpk-valgrind-unittest, quantum-safe-wolfssl-all-gcc-latest, quantum-safe-wolfssl-all-g++-latest, quantum-safe-wolfssl-all-fortify-source-asm, quantum-safe-wolfssl-all-fortify-source-asm-noasm, and quantum-safe-wolfssl-all-intelasm-sp-asm-valgrind.

Note that the unit.test asserts added by this commit fail both before and after reversion.
2025-01-10 17:38:02 -06:00
Daniel Pouzzner 7cd2fd3617 numerous fixes for memory errors reported by clang-tidy, most of them true positives, unmasked by CPPFLAGS=-DNO_WOLFSSL_MEMORY: clang-analyzer-unix.Malloc, clang-analyzer-core.NullDereference, clang-analyzer-core.uninitialized.Assign, clang-analyzer-core.UndefinedBinaryOperatorResult, and clang-analyzer-optin.portability.UnixAPI (re malloc(0)).
several fixes for defects reported by cppcheck:

wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;

wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
2025-01-10 14:30:42 -06:00
JacobBarthelmeh 21bdb76ede Merge pull request #8340 from julek-wolfssl/gh/8156
quic_record_append: return correct code
2025-01-10 12:08:27 -07:00
JacobBarthelmeh c977d627ed Merge pull request #8303 from night1rider/ZD-19038
Extended Master Secret Generation PK Callback
2025-01-10 10:53:26 -07:00
Juliusz Sosinowicz bc12dad041 quic_record_append: return correct code
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.

The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.

Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.

First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):

```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
    --enable-all --enable-aesni --enable-harden --enable-keylog-export \
    --disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
    --with-wolfssl
$ make -j$(nproc) check
```

Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip

From the ngtcp2 dir:

```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```

Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):

```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
    p = i[IP]
    p.dport = 44433
    p.dst = "127.0.0.1"
    p[UDP].chksum=0
    p.display()
    send(p)
```

Then observe the log line:

```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```

You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.

```
    if (quic_record_complete(qr) || len == 0) {
        return 0;
    }
```
2025-01-08 18:53:43 +01:00
Daniel Pouzzner 78c4a04cac Merge pull request #8330 from dgarske/compat
Fix for SSL_set_mtu compat function return code
2025-01-07 10:52:59 -06:00
Juliusz Sosinowicz 40500e4f2b fixup! Implement wolfSSL_X509_STORE_set_default_paths 2025-01-07 10:56:34 +01:00
Daniel Pouzzner d6ead1b3e5 src/tls.c: fix possible null deref in TLSX_UseCertificateStatusRequestV2().
wolfcrypt/src/pkcs12.c: fix possible null deref in PKCS12_CoalesceOctetStrings(), and fix spelling of PKCS12_ConcatenateContent().
2025-01-07 00:00:48 -06:00
David Garske d6440be4a9 Fix for SSL_set_mtu -> wolfSSL_set_mtu_compat return code. Update comment for wolfSSL_is_init_finished indicating it works for TLS and DTLS. 2025-01-03 10:10:37 -08:00