Commit Graph

4454 Commits

Author SHA1 Message Date
John Safranek b36877c20b DTLS Flag
Fix an ifdef flag that should have been WOLFSSL_DTLS, not HAVE_DTLS.
2020-09-25 10:49:34 -07:00
toddouska 0e66f9d835 Merge pull request #3299 from dgarske/ocsp_certchain
Fix for possible NULL use if certChain not loaded and OCSP cert request called
2020-09-21 13:40:21 -07:00
toddouska 1274a01dc7 Merge pull request #3289 from dgarske/wpas_small
Fixes for building `--enable-wpas=small` with WPA Supplicant v2.7
2020-09-21 13:37:58 -07:00
toddouska 0f6d391ea1 Merge pull request #3295 from SparkiDev/tls13_p521
TLS 1.3: Fix P-521 algorithm matching
2020-09-21 13:36:48 -07:00
David Garske b4c964f729 Fix for possible NULL buffer use if certChain not loaded and OCSP cert request called. 2020-09-18 09:15:44 -07:00
David Garske d37adefe98 Fixes for edge case builds with certificate req/gen/ext without --enable-opensslextra. 2020-09-18 09:14:41 -07:00
David Garske 780e8a4619 Fixes for building --enable-wpas=small with WPA Supplicant v2.7. 2020-09-18 09:14:41 -07:00
Sean Parkinson d63ff07edc TLS 1.3: Fix P-521 algorithm matching
Digest size compared to key size - P521 has large key size.
Fixed to round down.
Added P-521 keys and certificates.
Added testing of P-521 keys and certificcates to unittest.
2020-09-18 10:51:55 +10:00
toddouska 85da1a1d0a Merge pull request #3271 from SparkiDev/tls13_peek
TLS 1.3: allow wolfSSL_peek() to return WANT_READ
2020-09-16 15:02:42 -07:00
toddouska a3fca7f593 Merge pull request #3247 from JacobBarthelmeh/Compatibility-Layer
Compatiblity Layer Fixes for serial number / ASN1 time / and order of name components
2020-09-16 14:53:51 -07:00
Juliusz Sosinowicz e34ccaf481 Fix window check
If `curLT` then diff needs to be decremented. For example: `diff` = 1 represents last packet so it would be the `window[idx] & (1 << 0)` bit of the window variable.
2020-09-09 23:27:49 +02:00
John Safranek 39b5448601 Merge pull request #3279 from dgarske/minor_fixes
Minor build fixes for typo and CMake
2020-09-08 16:45:52 -07:00
JacobBarthelmeh 58e03b2d26 Merge pull request #3272 from embhorn/zd10650
Check for non-blocking return code in BioSend
2020-09-08 14:25:16 -06:00
David Garske 6f5a7e87c5 Fix for CMake to only set ranlib arguments for Mac. Fix for stray typo of , -> ;. Fixes #3275 and Fixes #3278 2020-09-08 11:07:12 -07:00
Juliusz Sosinowicz ee2d051536 Fix failing nightly
Failed tests when configured with `./configure --enable-dtls --enable-opensslextra --enable-sessioncerts`. Valgrind discovered a use after free bug. Nulling session->peer fixes the issue.
2020-09-07 14:36:57 +02:00
Sean Parkinson 93bb12ce86 TLS 1.3: allow wolfSSL_peek() to return WANT_READ
When handshake message is processed in wolfSSL_peek() then return
WANT_READ from peek instead of blocking waiting for application data.

Server may send an alert if the client certificate is invalid.
The server also may send NewSesionTicket after client has sent finished
message.
To detect alert before handling application data, then the socket needs
to be checked for data. If the data is an alert then wolfSSL_peek() will
handle the alert, but if it is a NewSessionTicket then wolfSSL_peek()
will process it and block waiting for application data - so return
WANT_READ if no application data seen after processing handshake
message.
2020-09-07 08:30:24 +10:00
toddouska 7fd51cf9d9 Merge pull request #3267 from SparkiDev/no_client_auth
Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing
2020-09-03 15:55:38 -07:00
toddouska 9901eb9272 Merge pull request #3249 from SparkiDev/tls13_early_data_fix
TLS 1.3 Early Data: fix
2020-09-03 14:49:39 -07:00
toddouska b3acd57de5 Merge pull request #3254 from dgarske/leaks
Fixes valgrind leak reports (related to small stack cache)
2020-09-02 10:44:49 -07:00
toddouska 9268de229a Merge pull request #3266 from dgarske/unit_test
Fix for DH compute key compatibility function failure
2020-09-02 10:23:23 -07:00
JacobBarthelmeh 914905f1bc Merge pull request #3193 from embhorn/zd10457_b
Fix CheckHostName matching
2020-09-02 10:36:02 -06:00
toddouska 6f56c3c800 Merge pull request #3204 from dgarske/ocsp_nonblock
Fix for OCSP response in non-blocking mode and testing script improvements
2020-09-01 15:56:52 -07:00
Jacob Barthelmeh fd2074da00 fix for order of components in issuer when using compatiblity layer api to generate cert 2020-09-01 09:27:45 -06:00
Sean Parkinson 89b9a77eca Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing
Fix build for no client or server and no client auth.
Fix tests to detect when no client auth compiled and test is trying to
do client auth.
2020-09-01 15:27:46 +10:00
David Garske c587ff72d2 Fix for occasional unit.test failure in test_wolfSSL_EVP_PKEY_derive. 2020-08-31 14:04:51 -07:00
David Garske 28b2be37cd Merge pull request #3259 from ejohnstown/sniffer-no-oldtls
Sniffer without OldTls
2020-08-31 07:34:24 -07:00
Sean Parkinson db864be6a4 TLS 1.3 Early Data: fix
Will process early data packets now.
Added test to check output of server for early data being received.
2020-08-31 09:03:05 +10:00
Juliusz Sosinowicz c6d1d524fc HAVE_SESSION_TICKET can also be defined without TLS 1.2 2020-08-28 16:05:28 +02:00
David Garske 3e685fdb5b Fix for DTLS DoClientHello HMAC free (function has another exit point). 2020-08-27 10:02:15 -07:00
Jacob Barthelmeh ab52bcf43d add overried for max entries and certificate generation size 2020-08-26 19:22:57 -06:00
John Safranek 5b39976cc0 Sniffer without OldTls
1. Put a guard around the call to DeriveKeys() when building with
  --enable-sniffer --disable-oldtls. Disabling OldTls removes the
  DeriveKeys() function. Similar logic used in internal.c.
2020-08-26 16:47:44 -07:00
Eric Blankenhorn ea5c290d60 Fix CheckHostName matching 2020-08-26 14:03:17 -05:00
David Garske 6d5731b8e9 Fixes for HMAC_CTX cleanup not being called to free SHA2 resources with WOLFSSL_SMALL_STACK_CACHE. Added return code checking and cleanup for openssl_test. 2020-08-26 09:45:26 -07:00
David Garske 61545df606 Fix to make sure DTLS cookie HMAC free gets called. Note: This does not cover the many error case paths. 2020-08-26 09:41:26 -07:00
David Garske 14e1489365 Fix for SRP leaks with WOLFSSL_SMALL_STACK_CACHE 2020-08-26 09:41:09 -07:00
Jacob Barthelmeh bc58dde700 fix for serial number containing 0's and for RNG fail case 2020-08-26 00:03:39 -06:00
Jacob Barthelmeh ef9beaf271 adjust sanity check on serial number size to match fix 2020-08-24 18:15:05 -06:00
Jacob Barthelmeh c4a6fba591 fix for ASN1 time and serial number 2020-08-24 17:00:19 -06:00
David Garske 7ee2b61a5a Peer review feedback to also check EAGAIN and always have supported. 2020-08-24 08:18:25 -07:00
David Garske 085f55195a Fix for handling OCSP response in non-blocking mode. 2020-08-21 15:50:34 -07:00
David Garske 51c2960407 Added function comment for wolfSSL_i2a_ASN1_OBJECT. Added heap context for wolfSSL_CertManagerCheckOCSP 2020-08-21 15:47:02 -07:00
David Garske 5f059306fd Fix for case with ssl->error not being set. 2020-08-21 15:47:02 -07:00
David Garske 1d55b2f526 Fixes for several memory leaks related to HAVE_WOLF_BIGINT. 2020-08-20 14:25:06 -07:00
John Safranek 55632a0567 Two more out of order DTLS message fixes. 2020-08-18 17:54:25 -07:00
John Safranek 113753370d Long Test Fixes
1. Sniffer was trying to log a NULL pointer as a string. Logged a string instead.
2. Few misc fixes in ECC.
2020-08-18 17:54:25 -07:00
toddouska 028bddd7ab Merge pull request #3215 from ejohnstown/release-4.5.0
Release Update
2020-08-17 13:51:23 -07:00
John Safranek 3be7f3ea3a Reject DTLS application data messages in epoch 0 as out of order. 2020-08-14 17:21:39 -07:00
John Safranek 3f6861ee82 FIPS Ready Fix with ECC Timing Resistance
Commit 6467de5 added some timing resistance to ECC shared secret
agreement. It involved adding an RNG object to the ecc keys so
a random z value can be added to the mix. The older FIPS release
has ECC outside the boundary, so it uses the new ECC code. FIPSv2
has ECC inside the boundary, but all the TLS code checks for that
version of FIPS and leaves out the calls to the new functions as
it is using an older version of ecc.c. FIPS Ready uses the latest
version of ecc.c but compiles as FIPSv2. So, the code outside of
the crypto layer is treating ECC as FIPSv2 and not calling the new
functions, but the crypto layer assumes the RNG should be present,
and errs out on testing.
1. Added a separate option for FIPS Ready to the enable-fips
   configure option. `--enable-fips=ready`. It will treat FIPS
   Ready as the next kind of FIPS release. FIPS Ready will be
   treated like FIPS v3 in the build.
2. Changed the C preprocessor checks for FIPS version 2 to be
   checks for not version 2, with respect to ECC Timing Resistance
   and FIPS builds.
2020-08-14 10:54:55 -07:00
Eric Blankenhorn 7744f0d543 Check for non-blocking return code in BioSend 2020-08-13 15:33:20 -05:00
John Safranek 64084bcba2 Add a void to the empty parameter list for the function wolfSSL_SESSION_new(). 2020-08-13 13:18:29 -07:00