wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-30 12:12:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
8,909 Commits 12 Branches 184 Tags
aba726fcd301f771786891ffe1635a672947376d
Commit Graph

1436 Commits

Author SHA1 Message Date
toddouska
aba726fcd3 Merge pull request #2004 from embhorn/prf_move 
Moving PRF to wolfcrypt
 2019-01-18 08:53:13 -08:00
David Garske
8fb7892013 Merge pull request #2040 from ejohnstown/fix-checks 
Fix Checks
 2019-01-17 12:54:25 -08:00
John Safranek
f6240e5558 Fix Checks 
1. In the client, check the return code on wolfSSL_CTX_SetMinDhKey_Sz() as it is checked in the server. (Resolves issue #2037.)
2. In HashOutput(), check that the hsHashes exists for the session before hashing. (Resolves issue #2038.)
 2019-01-17 09:52:00 -08:00
David Garske
91573735b1 Merge pull request #2036 from ejohnstown/fragsz 
TLS Record Fragment Size Check Change
 2019-01-17 08:56:45 -08:00
John Safranek
5e03ac13f6 TLS Record Fragment Size Check Change 
Fixed a potential bug with respect to processing fragmented handshake
messages. If a handshake message is fragmented across multiple TLS
records and the last fragment's record has the next handshake message in
it, we would throw a buffer error instead of processing the next
message. Changed this so it will finish the handshake message and return
out to process the next message. Also changed the handling of the
handshake message to follow the calling pattern.
 2019-01-16 15:53:57 -08:00
Eric Blankenhorn
02ff19a6c4 Moving PRF to wolfcrypt 2019-01-16 17:23:49 -06:00
John Safranek
d5b06f93fd Merge pull request #2031 from SparkiDev/sec_reneg_chrome 
Changes to secure renegotiation for TLS 1.3 and Chrome
 2019-01-16 12:00:08 -08:00
toddouska
5d262e9123 Merge pull request #2027 from dgarske/fix_buildopts 
Fixes for various build options and warnings
 2019-01-16 10:32:19 -08:00
Sean Parkinson
b2e4c86028 Changes to secure renegotiation for TLS 1.3 and Chrome 2019-01-15 09:47:23 -08:00
Jacob Barthelmeh
6ac384793f memory management with OCSP requests 2019-01-14 09:49:50 -07:00
David Garske
cfc66dab47 Fix compiler complaints when using Curve25519. 2019-01-11 21:16:13 -08:00
Jacob Barthelmeh
26ae39a217 check if secure renegotiation struct available 2019-01-04 13:22:34 -07:00
Jacob Barthelmeh
a00eaeb877 add ocsp stapling test and initialize values 2019-01-04 13:16:47 -07:00
David Garske
2351047409 Fixes for various scan-build reports. 2018-12-27 11:08:30 -08:00
David Garske
1eccaae25f Fix for DTLS async shrinking input buffer too soon and causing -308 (INCOMPLETE_DATA). 2018-12-27 11:07:32 -08:00
toddouska
697c99a9ec Merge pull request #1934 from dgarske/fix_alt_chain 
Fixes and cleanups for processing peer certificates
 2018-12-26 15:09:42 -08:00
Jacob Barthelmeh
6191cb1927 free internal OCSP buffers 2018-12-21 12:30:49 -07:00
David Garske
9733076fe0 Fixes and cleanups for processing peer certificates: 
* Fix with `WOLFSSL_ALT_CERT_CHAINS` to resolve issue with using a trusted intermediate to validate a partial chain. With the alt cert chain enabled a CA may fail with only `ASN_NO_SIGNER_E` and the connection is allowed if the peer's certificate validates to a trusted CA. Eliminates overly complex 1 deep error alternate chain detection logic. Resolves ZD 4525.
* Refactor and cleanup of ProcessPeerPerts to combine duplicate code and improve code commenting.
* Fix for CA path len check in `ParseCertRelative` to always check for self-signed case (was previously only in NO_SKID case).
* Improvement to include self-signed flag in the DecodedCert struct.
 2018-12-21 08:20:04 -08:00
Jacob Barthelmeh
fc926d3c61 fixes from infer testing 2018-12-19 11:56:29 -07:00
toddouska
4068975190 Merge pull request #1983 from dgarske/x509small_verifycb 
Include current cert as X509 in verify callback for small build
 2018-12-18 15:40:00 -08:00
toddouska
0a6732ee67 Merge pull request #1979 from SparkiDev/tls_sh_tlsx_parse 
Fix TLS 1.2 and below ServerHello TLSX_Parse to pass in message type
 2018-12-18 15:39:12 -08:00
toddouska
f1c62f191d Merge pull request #1941 from ejohnstown/rekey 
Server Side Secure Renegotiation
 2018-12-18 15:38:16 -08:00
David Garske
443dbf251b Fix to supply the X509 current_cert in the verify callback with OPENSSL_EXTRA_X509_SMALL defined or ./configure --enable-opensslextra=x509small. 2018-12-17 13:02:14 -08:00
Sean Parkinson
f90e5601ad Fix TLS 1.2 and below ServerHello TLSX_Parse to pass in message type 2018-12-13 16:12:53 +10:00
John Safranek
f715d9179c Add check for buffer size versus pad size in DoCertificateStatus() 2018-12-12 12:48:30 -08:00
Sean Parkinson
ab03f9291b Make RsaUnPad constant time when Block Type 2 message 2018-12-06 08:36:49 +10:00
John Safranek
b145aab6b2 Server Side Renegotiation 
1. Fix testing issue with a client using the SCSV cipher suite to indicate desire for renegotiation.
2. Add indication to both the server and client examples that the renegotiation was successful.
 2018-12-05 13:08:24 -08:00
John Safranek
69436b6d41 Server Side Secure Renegotiation 
1. Fix spelling typo in a comment.
2. Correct the server's check of its secure renegotiation extension.
 2018-12-05 13:08:24 -08:00
John Safranek
0abf7c4997 Server Side Secure Renegotiation 
1. Add the server side renegotiation flag to the secure renegotiation option.
2. Changed the AddEmptyNegotiationInfo so it doesn't create an extension, just adds a reply if SCR is enabled.
3. Fix the server's reaction to the client sending the SCR extension.
 2018-12-05 13:08:24 -08:00
John Safranek
175c91ab4e Server Side Secure Renegotiation 
1. Fix an incorrect function entry log string.
2. Restart the server's accept state assuming the client hello was
received when the client initiates renegotiation.
 2018-12-05 13:08:24 -08:00
John Safranek
d168d60ade Server Side Secure Renegotiation 
1. Add enables to the example server for turning on secure renegotiation.
2. Add encryption assists to the handhshake message handler functions.
3. Add a hello request message function. Includes handshake timing pre/postambles.
 2018-12-05 13:08:24 -08:00
John Safranek
a55f11cdd8 DHE Speed Up 
1. Also apply the setting to the client side.
2. Updated the server and client command line options to use "-2" for disabling the DHE check.
 2018-12-03 13:56:14 -08:00
John Safranek
ff1a1dc5d5 DHE Speed Up 
When loading DH domain parameters into a CTX, test the prime
immediately. When loading them into a session, test the prime right
before using it during the handshake. Sessions that get their prime from
their context do not need to test their prime. Added a function to
disable testing the prime in a session. The goal is to speed up testing
as every single test case loads DH parameters whether they are used or
not.
 2018-11-29 17:04:04 -08:00
toddouska
f11809aa62 Merge pull request #1923 from JacobBarthelmeh/Testing 
cast to resolve warning, check size of time_t, and check for null tes…
 2018-11-21 10:17:23 -08:00
Sean Parkinson
95bd340de5 Add support for more OpenSSL APIs 
Add support for PEM_read and PEM_write
Add OpenSSL PKCS#7 signed data support
Add OpenSSL PKCS#8 Private key APIs
Add X509_REQ OpenSSL APIs
 2018-11-20 07:54:24 +10:00
Jacob Barthelmeh
0f4a06594e cast to resolve warning, check size of time_t, and check for null test case 2018-11-12 16:02:33 -07:00
toddouska
8689cc6a04 Merge pull request #1922 from SparkiDev/tls_pad_fix 
Fix for checking of TLS padding when padding byte value > msg len
 2018-11-12 13:20:35 -08:00
Sean Parkinson
61c7be669b Fix for checking of TLS padding when padding byte value > msg len 2018-11-12 17:37:34 +10:00
David Garske
b3d5999be9 Fix for unused variables with --disable-rsa --enable-tls13 case in InitSuites. 2018-11-08 15:54:06 -08:00
David Garske
f6093e1e0d Fixes to remove DH prime checks for server side DH parameters. 2018-10-30 15:51:47 -07:00
David Garske
f4b0261ca7 Fix to not do prime test on DH key the server loaded. Now it will only do the prime test on the peer's provided public DH key using 8 miller rabbins. Refactored the fast math miller rabin function to reuse mp_int's, which improved peformance for mp_prime_is_prime_ex from 100ms to 80ms. Normal math mp_prime_is_prime_ex is ~40ms (as-is). Added test for wc_DhSetCheckKey. 2018-10-30 11:20:07 -07:00
David Garske
d21603334b Added build option USE_ECDSA_KEYSZ_HASH_ALGO to alter the hash algorithm selection for ecc_dsa_sa_algo. With this build option we try and choose a hash algorithm digest size that matches the ephemeral key size, if not found then will match on next highest. We've seen cases with some Windows based TLS client's where they do not properly support hashing a smaller ephemeral key with a larger hash digest size (such as P-256 key and SHA512 hash). 2018-10-25 09:19:35 -07:00
David Garske
c268829b68 Fix bug with SendClientKeyExchange and ifdef logic for ecdhe_psk_kea, which was preventing ECDHE-PSK from working if HAVE_CURVE25519 was defined. Disabled broken downgrade test in test-tls13-down.conf (@SpariDev will need to investigate). Various spelling fixes. 2018-10-19 13:21:56 -07:00
David Garske
a0608151cf Fix for the WOLFSSL_NONBLOCK_OCSP case to reset the error code as well. 2018-10-12 11:20:13 -07:00
David Garske
fc77ed068c Fix for verify callback to not report override when there is no error. Cleanup of the myVerify example callback return code handling. 2018-10-12 10:45:20 -07:00
David Garske
fec726f10a Fix for async issue with receiving multiple TLS records (server_key_exchange and server_hello_done) in same packet, which may miss call to DoHandShakeMsgType -> HashInput because ssl->error is still marked pending WC_PENDING_E. 2018-10-12 10:39:40 -07:00
toddouska
0b78b75530 Merge pull request #1860 from dgarske/tls_either_side 
Methods cleanup and new DTLS "either" side methods
 2018-10-12 07:35:17 -07:00
David Garske
1d7c4f96fa Fix windows build warning with side data type mismatch. 2018-10-04 16:10:50 -07:00
David Garske
bbdb17975c Adds build option WOLFSSL_EITHER_SIDE for deferring the "side" of the TLS session until first connect or accept. Added the DTLS generic v1.0 and v1.2 methods for "either" side. Added "either" methods unit tests. Added "either" -v e support to example client/server. Fix to expose wolfSSL_use_certificate_file and wolfSSL_use_PrivateKey_file without OPENSSL_EXTRA. Cleanup of the methods for (void)heap and log messages. Spelling fixes. 2018-10-04 15:47:50 -07:00
David Garske
680a863054 Added support for building with certificate parsing only. ./configure --enable-asn=nocrypt. Added new API for parsing PIV format certificates wc_ParseCertPIV with WOLFSSL_CERT_PIV build option. Added wc_DeCompress_ex with ability to decompress GZIP. Moved the ZLIB error codes into wolfCrypt. 2018-10-02 15:18:56 -07:00