Commit Graph

3167 Commits

Author SHA1 Message Date
Chris Conlon a7d5e6400d add support for PKCS7_TEXT flag to PKCS7_verify() 2022-03-15 10:21:22 -06:00
Daniel Pouzzner 4966eb7897 Merge pull request #4944 from douzzer/20220310-asn-template-EncodeExtensions-overrun
wolfcrypt/src/asn.c: fix buffer underrun in EncodeExtensions() and leak in ParseCRL_Extensions()
2022-03-13 21:21:07 -05:00
Sean Parkinson cdb45b12c5 Merge pull request #4884 from haydenroche5/i2d_x509_name_fix
Improve wolfSSL_i2d_X509_name.
2022-03-14 11:57:07 +10:00
Daniel Pouzzner fb0c9b2a66 ssl.c: use InitHandshakeHashes(), not FreeHandshakeHashes(), to reset ssl->hsHashes. 2022-03-11 16:26:24 -06:00
Daniel Pouzzner 82ab7bf32c ssl.c: fix hash state memory leaks in wolfSSL_clear() and wolfSSL_TicketKeyCb(). 2022-03-11 13:40:01 -06:00
Daniel Pouzzner 7602eef98f src/ssl.c: use strlcpy(), not strncpy(), to make string_fortified happy (else "error: ‘__builtin_strncpy’ specified bound 46 equals destination size"). 2022-03-11 08:15:44 -06:00
Sean Parkinson c3eab0dcdd Fixes from sanitizer build
Fix OID index in SetNameRdnItems for multi attributes.
Stop warning about strncpy to small.
Fix casting in ASN1_SIMPLE to use consistent type.
2022-03-11 14:27:50 +10:00
David Garske 570daa6a7f Enable support for STM32U585 and PQ on M4 2022-03-10 14:19:01 -05:00
Sean Parkinson 47895fe78d Merge pull request #4942 from dgarske/sp_math_opensslextra
Fixes to support building opensslextra with SP math
2022-03-10 08:53:21 +10:00
David Garske 141cf822f2 Merge pull request #4941 from douzzer/20220309-script-cleanup
20220309 script cleanup
2022-03-09 13:30:50 -08:00
Chris Conlon bcfe8bf2e2 Merge pull request #4933 from haydenroche5/x509_set_ext_ext_key_usage 2022-03-09 13:22:49 -07:00
David Garske 3a62857dbd Fixes to support building opensslextra with SP math. Disables some of the compatibility layer BN and ECC point handling. 2022-03-09 11:53:56 -08:00
Daniel Pouzzner abfc788389 script cleanup: use #!/bin/bash on all scripts that use "echo -e" (/bin/sh is sometimes a non-Bourne/non-POSIX shell, e.g. dash/ash, with no support for "echo -e"); fix whitespace. 2022-03-09 12:28:22 -06:00
Chris Conlon 70857f7b3c Merge pull request #4923 from miyazakh/set_bio
Set bio read/write flag obviously
2022-03-08 13:08:33 -07:00
David Garske 9b808bde20 Fixes for building with HAVE_EX_DATA no compat layer. 2022-03-07 17:20:58 -06:00
Hayden Roche 39d975a3c3 Add extended key usage support to wolfSSL_X509_set_ext. 2022-03-07 15:20:01 -08:00
Hideki Miyazaki a572c19268 set bio flag obviously
fix nightly Qt test
2022-03-06 07:41:36 +09:00
David Garske 3839b0e675 Fixes for building wolfSSL along side openssl. 2022-03-04 12:06:24 -08:00
Jacob Barthelmeh aa18209c99 free buffer since pkey struct makes its own copy 2022-03-02 09:59:21 -07:00
Jacob Barthelmeh b03233a35e handle free'ing up items in fail case 2022-03-01 15:24:53 -07:00
Jacob Barthelmeh 45ff8af026 refactor PKCS12 parse key creation 2022-03-01 14:49:59 -07:00
Juliusz Sosinowicz 92bd5a4076 Merge pull request #4891 from dgarske/multi_test 2022-02-28 15:28:39 +01:00
Sean Parkinson f3df4400d5 Merge pull request #4886 from dgarske/zd13745
Adds CSR userId support in subject name
2022-02-28 10:15:41 +10:00
Chris Conlon 870ff5b352 Merge pull request #4890 from miyazakh/objinfo
fix to use EXT_KEY_USAGE_OID in object_info
2022-02-25 16:02:48 -07:00
David Garske a2381ba954 Adds CSR userId support in subject name. Minor build fixes for ASN template. 2022-02-25 14:22:59 -08:00
David Garske 821fd3c898 Peer review fixes. Check idSz and add comment about session variable use. 2022-02-25 11:38:05 -08:00
David Garske a39a1c1d87 More fixups from cppcheck and clang-tidy. 2022-02-25 10:03:17 -08:00
Hayden Roche c33ae4c245 Improve wolfSSL_i2d_X509_NAME and wolfSSL_i2d_X509_NAME_canon.
Like other i2d functions, these functions should be able to take a NULL output
parameter and return the necessary output buffer size. This commit adds this
ability. This commit also removes some redundant code in wolfSSL_i2d_X509_NAME.
2022-02-24 14:48:52 -08:00
David Garske 6e24e21d5a Fix for heap pointer in wolfSSL_DupSession. 2022-02-24 12:56:39 -08:00
David Garske 2b794f03c1 Fixes for multi-test pass. Breaks from PR #4807. 2022-02-24 11:48:40 -08:00
Hideki Miyazaki de81447b2d fix to use EXT_KEY_USAGE_OID in object_info 2022-02-24 15:18:32 +09:00
David Garske 0824a64c92 Merge pull request #4807 from julek-wolfssl/stunnel-5.61
stunnel 5.61 support
2022-02-23 09:41:51 -08:00
Juliusz Sosinowicz fb943a2f23 Rebase and make wolfSSL_CTX_up_ref always available
`wolfSSL_CTX_up_ref` is a small and potentially useful API for users so it doesn't need to be restricted only to the compatibility layer. The reference counting mechanisms are always available anyway. This just exposes the functionality to the user.
2022-02-23 09:55:52 +01:00
Juliusz Sosinowicz 617eda9d44 Fix misc memory issues
- Make `InternalTicket` memory alignment independent
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz b402102e58 Add backwards compatibility for wolfSSL_get_session
Before this pull request, `wolfSSL_get_session` always returned a pointer to the internal session cache. The user can't tell if the underlying session hasn't changed before it calls `wolfSSL_set_session` on it. This PR adds a define `NO_SESSION_CACHE_REF` (for now only defined with `OPENSSL_COMPATIBLE_DEFAULTS`) that makes wolfSSL only return a pointer to `ssl->session`. The issue is that this makes the pointer returned non-persistent ie: it gets free'd with the `WOLFSSL` object. This commit leverages the lightweight `ClientCache` to "increase" the size of the session cache. The hash of the session ID is checked to make sure that the underlying session hasn't changed.
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz ceff401269 Fixes for Jenkins tests
- Move test to `HAVE_IO_TESTS_DEPENDENCIES`
- Implement `wolfSSL_trust_peer_cert`
- have{cipher} options weren't being set with only RSA enabled
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz 91b08fb691 Allocate ssl->session separately on the heap
- Refactor session cache access into `AddSessionToCache` and `wolfSSL_GetSessionFromCache`
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz 1d712d47ba Access to session cache is now atomic
- Adding and getting sessions to and from the local cache is now atomic.
  - The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
  -`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.
2022-02-23 09:47:34 +01:00
Juliusz Sosinowicz afca455cda stunnel 5.61 support
- New/Implemented API
  - `SSL_has_pending`
  - `wolfSSL_CertManagerLoadCRLFile`
  - `wolfSSL_LoadCRLFile`
  - `wolfSSL_CTX_LoadCRLFile`
  - `wolfSSL_CTX_add_session`
- Calling chain certificate API (for example `wolfSSL_CTX_use_certificate_chain_file`) no longer requires an actual chain certificate PEM file to be passed in as input. `ProcessUserChain` error in `ProcessBuffer` is ignored if it returns that it didn't find a chain.
- Add `WOLFSSL_TICKET_HAVE_ID` macro. When defined tickets will include the original session ID that can be used to lookup the session in internal cache. This is useful for fetching information about the peer that doesn't get sent in a resumption (such as the peer's certificate chain).
  - Add `ssl->ticketSessionID` field because `ssl->session.sessionID` is used to return the "bogus" session ID sent by the client in TLS 1.3
- `OPENSSL_COMPATIBLE_DEFAULTS` changes
  - Define `WOLFSSL_TRUST_PEER_CERT` and certificates added as CA's will also be loaded as trusted peer certificates
  - Define `WOLFSSL_TLS13_MIDDLEBOX_COMPAT`
- Seperate `internalCacheOff` and `internalCacheLookupOff` options to govern session addition and lookup
- `VerifyServerSuite` now determines if RSA is available by checking for it directly and not assuming it as the default if static ECC is not available
- `WOLFSSL_SESSION` changes
  - `ssl->extSession` added to return a dynamic session when internalCacheOff is set
  - `ssl->session.refPtr` made dynamic and gets free'd in `SSL_ResourceFree`
- If `SSL_MODE_AUTO_RETRY` is set then retry should only occur during a handshake
- `WOLFSSL_TRUST_PEER_CERT` code now always uses `cert->subjectHash` for the `cm->tpTable` table row selection
- Change some error message names to line up with OpenSSL equivalents
- Run `MatchSuite` again if certificate setup callback installed and successful
- Refactor clearing `ASN_NO_PEM_HEADER` off the error queue into a macro
- `wolfSSL_get_peer_certificate` now returns a duplicated object meaning that the caller needs to free the returned object
- Allign `wolfSSL_CRYPTO_set_mem_functions` callbacks with OpenSSL API
- `wolfSSL_d2i_PKCS12_bio` now consumes the input BIO. It now supports all supported BIO's instead of only memory BIO.
- stunnel specific
  - Always return a session object even if we don't have a session in cache. This allows stunnel to save information in the session external data that will be transfered to new connections if the session is reused
  - When allocating a dynamic session, always do `wolfSSL_SESSION_set_ex_data(session, 0, (void *)(-1)`. This is to mimic the new index callback set in `SSL_SESSION_get_ex_new_index`.
- Fix comment in `wolfSSL_AES_cbc_encrypt`
- Trusted peer certificate suite tests need to have CRL disabled since we don't have the issuer certificate in the CA store if the certificates are only added as trusted peer certificates.
tested
2022-02-23 09:47:34 +01:00
Sean Parkinson d33b787993 BIO: move APIs out of ssl.c
Get configuration working: --enable-all CFLAGS=-DNO_BIO
2022-02-23 14:11:30 +10:00
David Garske d834c50c85 Merge pull request #4858 from julek-wolfssl/ZD13611
Reported in ZD13611
2022-02-21 14:01:42 -08:00
John Safranek 041d300b2b Fix Small Memory Leaks
Found with the configuration running the unit test through valgrind.

    % ./configure CFLAGS=-DNO_WOLFSSL_CIPHER_SUITE_TEST \
      --enable-all --disable-fastmath --enable-debug --disable-shared

1. ssl.c: In wolfSSL_DSA_generate_key(), we initialize (and allocate)
   all the parameters in the key (p, q, g, x, y), and then we generate a
   key, initializes (and allocates) x and y, again. mp_clear them
   first.
2. evp.c: When printing public keys, the temporary mp_int wasn't getting
   correctly freed.
3. evp.c: When printing public keys, modified the utility functions to
   return once with a do-while-0 loop.
2022-02-18 10:01:49 -08:00
elms 208c457348 tls13: fix to not send RENEGOTIATION_INFO ext
Introduced in PR #4742 to enable sending of extension in TLS1.2
without fully supporting secure renegotiation in accordance with
RFC 5746 4.3 https://datatracker.ietf.org/doc/html/rfc5746#section-4.3
2022-02-17 11:22:17 -08:00
Juliusz Sosinowicz 4e5380668c Reported in ZD13611
The `UID` name component could not be parsed if it appears in a subject or issuer name
2022-02-12 00:36:07 +01:00
Hayden Roche 562fcd3916 Implement FIPS_mode and FIPS_mode_set in the compat layer. 2022-02-10 13:14:05 -08:00
Daniel Pouzzner 74408e3ee3 fixes for whitespace, C++ warnings, and LLVM 15 clang-tidy defects/carps:
* whitespace in src/ssl.c, tests/api.c, wolfssl/openssl/fips_rand.h.

* clang-analyzer-core.StackAddressEscape from llvm-15 clang-tidy, in tests/suites.c:execute_test_case().

* bugprone-suspicious-memory-comparison from llvm-15 clang-tidy, in src/internal.c:DoSessionTicket() and src/ssl.c:wolfSSL_sk_push().
2022-02-08 15:20:22 -06:00
Daniel Pouzzner 3ee6e93590 Merge pull request #4838 from SparkiDev/g++_fix_4
Rework functions to avoid warning with g++
2022-02-08 10:20:58 -06:00
Daniel Pouzzner 1f69c52ce8 Merge pull request #4830 from dgarske/no_hmac
Fixes for building without HMAC
2022-02-07 22:26:38 -06:00
Sean Parkinson d2307186d9 Rework functions to avoid warning with g++ 2022-02-08 12:36:36 +10:00
David Garske 56c562a516 Fixes for building with ./configure --enable-opensslextra --enable-cryptonly CFLAGS="-DNO_HMAC" && make. Found this testing a customers configuration with latest. Also fixes some trailing whitespace. 2022-02-07 15:10:21 -08:00