Commit Graph

2594 Commits

Author SHA1 Message Date
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Anthony Hu b3e99348cd Purge the AES variant of Dilithium 2022-12-27 14:37:47 -05:00
David Garske 135b9f0566 Merge pull request #5915 from julek-wolfssl/dtls-remove-realloc-dep
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-22 17:01:31 -08:00
Juliusz Sosinowicz 2fe6555fcf DtlsMsgCombineFragBuckets: Remove realloc dependency 2022-12-20 13:53:03 +01:00
Juliusz Sosinowicz 53b2be06d3 DtlsMsgPoolSend: Use correct sendSz
pool->sz is the size without the record header. The handshake header is present already.

Reproducible with
  ./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
or
  ./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
and
  ./examples/server/server -l ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305 -u -i
  ./examples/client/client -l ECDHE-RSA-AES256-GCM-SHA384 -u -R -p 12345 -i
2022-12-19 17:07:37 +01:00
Stefan Eissing dccabc60a5 Disabling TLSv1.2 session tickets when WOLFSSL_OP_NO_TICKET is being set.
There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets
for TLS version lower than 1.2. But it includes 1.2 as well.
2022-12-16 09:29:44 +01:00
David Garske a1e883b43d Merge pull request #5875 from JacobBarthelmeh/Compatibility-Layer
fix for handling DEFAULT:... cipher suite list
2022-12-12 14:43:50 -08:00
Sean Parkinson 9ab8867b42 TLS: detect duplicate known extensions
TLS specification requires that there not be more than one extension of
the same type in a given extension block. E.g. ClientHello
2022-12-12 08:35:04 +10:00
JacobBarthelmeh 8b296877ab fix for handling DEFAULT:... cipher suite list 2022-12-10 14:53:43 -08:00
Marco Oliverio af00c89f18 dtls v1.2: stateless support WOLFSSL_DTLS_NO_HVR_ON_RESUME 2022-12-01 16:30:54 +00:00
Marco Oliverio cc7dad3ee6 dtls v1.2: support stateless client hello processing 2022-12-01 16:30:54 +00:00
Marco Oliverio 5bc86b8c2c fix: dtls: always use version DTLS 1.0 in HelloVerifyRequest
see rfc6347 section 4.2.1
2022-12-01 16:30:54 +00:00
Marco Oliverio 4fa1b9dd0a fix: AddRecordHeader: use correct minor when using DTLS 2022-12-01 16:30:54 +00:00
Marco Oliverio 173208728a fix: tls13: hash using right version when downgrading 2022-12-01 16:30:54 +00:00
Marco Oliverio 2c35d7f9d2 fix: formatting and typos
dtls: fix debug message when downgrading

internal.c: fix typo
2022-12-01 16:30:53 +00:00
Stefan Eissing e5cfd96609 QUIC API support in OpenSSL compat layer, as needed by HAProxy integration.
- adding patch for HAProxy, see dod/QUIC.md, based on current master.
      For documentaton purposes, since HAProxy does not accept PRs. To be
      removed once forwarded to the project.
2022-12-01 10:12:35 +01:00
Sean Parkinson cf8ea5c606 Merge pull request #5812 from ejohnstown/crl-ocsp
OCSP/CRL
2022-11-24 12:42:17 +10:00
John Safranek 88f3570fe4 OCSP/CRL
Added comments for the usage of OCSP_WANT_READ used with the CRL I/O
callback.
2022-11-23 16:35:10 -08:00
John Safranek 909fd726cd OCSP/CRL
Fixing issue #3070. When the OCSP responder returns an unknown exception,
continue through to checking the CRL. Before, it was setting the flag
to check CRL, then clearing it because of the exception.
2022-11-23 10:50:12 -08:00
Anthony Hu f3546b50fd Conform to pre-existing pattern. 2022-11-23 17:58:12 +00:00
Anthony Hu 6190666108 Support for Analog Devices MAXQ1080 and MAXQ1065 2022-11-23 11:57:31 -05:00
Daniel Pouzzner 6f98a5b271 src/internal.c: in VerifyServerSuite(), narrow condition and fix return value in error check added in 647ce794dd. 2022-11-18 22:21:08 -06:00
David Garske bd7b442df3 Merge pull request #5796 from tmael/mem_err
Propagate malloc returning NULL up the call stack
2022-11-16 12:45:42 -08:00
Tesfa Mael 2a2cf5671e Move error check in CompareSuites 2022-11-16 09:29:24 -08:00
Tesfa Mael 647ce794dd unmask malloc returning NULL 2022-11-16 09:25:25 -08:00
jordan 81ed2a60b4 Support ASN1/DER CRLs in LoadCertByIssuer.
This fixes hash based dir lookup of ASN1/DER CRLs in OpenSSL
compatible API. The function wolfSSL_X509_load_crl_file is
called with entry->dir_type, rather than hardcoded filetype.

A new test crl was added, and existing crl 0fdb2da4.r0 was
reorganized to a new dir.

Also, completes the stub wolfSSL_X509_LOOKUP_add_dir. A new
test function test_X509_LOOKUP_add_dir was added to tests/api.c
2022-11-11 15:13:00 -06:00
David Garske f4621a6807 Merge pull request #5786 from philljj/zd15125
Fix incorrect self signed error return.
2022-11-10 14:13:38 -08:00
jordan 5ad6ff23d5 Use local int lastErr instead of args->lastErr. 2022-11-10 13:46:51 -06:00
David Garske 57ae840f39 Fix for test_wolfSSL_sk_CIPHER_description incorrectly failing with TLS v1.3 NULL cipher. 2022-11-09 12:05:16 -08:00
jordan 961c696436 Fix incorrect self signed error return.
ASN_SELF_SIGNED_E was being overwritten with ASN_NO_SIGNER_E when
compiled with certreq and certgen.
2022-11-09 10:27:31 -06:00
Hayden Roche 4a917219f7 Merge pull request #5608 from SparkiDev/pk_c_rework_2 2022-11-04 13:32:36 -07:00
Sean Parkinson 4efba8f437 ForceZero fix: encryption fail and not EtM
Zeroizing of plaintext on encryption failure will use wrong size when
not using Encrypt-then-MAC. Size may go negative and cast to unsigned.
2022-10-31 09:14:16 +10:00
Sean Parkinson b1e37377a1 TLS performance fix: ForceZero minimization
Don't ForceZero the output buffer before free.
ForceZero it when encryption fails.

ShrinkInputBuffer needs to zeroize input buffer even if not currently
encrypting as it may be using the buffer on wolfSSL object reuse.

Fix SP to zeroize the whole buffer.

Fix DH to check cBuf when WOLFSSL_CHECK_MEM_ZERO defined.
2022-10-27 17:00:42 +10:00
Sean Parkinson dad62fc182 pk.c: rework DH API and improve PEM read/write
Reorganized the DH APIs into groups.
Reworked all DH APIs.
Improved testing of DH API.

Implemented wolfSSL_PEM_read_RSAPublicKey() and
wolfSSL_PEM_write_RSA_PUBKEY().
Fix public key PEM write implementations to use the correct
header/footer names.
Added support for "RSA PUBLIC KEY" in header and footer in DerToPemEx().

Reworked PEM read/write APIs to be independent. No longer create an EVP
to use common function - common functionality refectored out.
Similarly file APIs don't create a BIO and call the partner APIs.

Improved testing of PEM read/write APIs.

Generic read BIO from memory BIO now returns the buffer instead of
allocating memory and reading.
No longer reading chunks when a file BIO.

Added wolfssl_make_rng() to create or get get global random. All RSA and
DH APIs now use this. DH_generate_parameters() creates a random object
and use global on error rather than just using global random.

Changed implementations to use BIO_new_fp() instead of create a new BIO
and setting file pointer.
2022-10-26 10:28:20 +10:00
Stefan Eissing f1cf96846a Changing ALPN selection to a deterministic point in the handshake. 2022-10-19 15:25:52 +02:00
Daniel Pouzzner 895a2e1ac5 WOLFSSL_CALLBACKS codepaths: fixes for bugprone-unused-return-value, bugprone-macro-parentheses, readability-named-parameter, and clang-analyzer-deadcode.DeadStores 2022-10-18 13:34:42 -05:00
Lealem Amedie 327b66d3ed Miscellaneous fixes from scan-build and KDF refactor & small build fixes 2022-10-17 14:34:08 -07:00
David Garske 2c503a5b34 Merge pull request #5682 from JacobBarthelmeh/Testing
additional sanity checks on debug callback
2022-10-14 09:25:14 -07:00
jordan 06511a0f2e tiny fix for broken lowresource build option 2022-10-11 17:54:42 -05:00
JacobBarthelmeh 927f4c445d additional sanity checks on debug callback 2022-10-11 13:14:59 -07:00
Juliusz Sosinowicz b1f97c6bc0 Merge pull request #5652 from rizlik/send_alert_on_version_mismatch 2022-10-10 11:16:11 +02:00
Hayden Roche 47ccd924c2 Merge pull request #5657 from julek-wolfssl/dtls-1.2-stateless 2022-10-09 09:31:07 -07:00
Juliusz Sosinowicz 7f42792616 DTLS 1.2: Test stateless server connection 2022-10-06 18:53:13 +02:00
Marco Oliverio de6187f599 tls: send protocol_version fatal alert on version mismatch
see rfc5246 Appendix E
2022-10-05 20:29:23 +02:00
Juliusz Sosinowicz 354cd2ed50 DTLS 1.2: Reset state when sending HelloVerifyRequest 2022-10-04 16:22:59 +02:00
David Garske f9506dc05a Add small stack to DoClientHello Suites (360 bytes). Add small stack for DRBG health test. Refactor of the small stack into its own header, to allow easier use in other files. Minor build fixes. 2022-09-30 14:06:31 -07:00
David Garske bba3193f9c Merge pull request #5595 from haydenroche5/async_ticket_dec_fix
Handle WC_PENDING_E from ticketEncCb in DoClientTicket properly.
2022-09-29 14:41:35 -07:00
David Garske a5a9ab96e6 Merge pull request #5524 from rizlik/protocol_version_alerts
Dtls13: improvements
2022-09-29 10:59:06 -07:00
Sean Parkinson 754d274d8c Merge pull request #5593 from rizlik/ticket_nonce_size
tls13: support ticketNonce with size bigger than MAX_TICKET_NONCE_SZ
2022-09-29 08:11:22 +10:00
Marco Oliverio 56d6087749 tls13: support ticketNonce bigger than MAX_TICKET_NONCE_SZ
to enable it, use WOLFSSL_TICKET_NONCE_MALLOC define
2022-09-28 19:54:14 +02:00