Eric Blankenhorn
bb574d28b2
Support for more cert subject OIDs and raw subject access ( #1734 )
...
* Add businessCategory OID
* Raw subject support methods
* Support for jurisdiction OIDs
* Wrap in WOLFSSL_CERT_EXT
* Adding tests
2018-08-12 12:53:29 -07:00
David Garske
56974c099e
Improved the logic for WOLFSSL_ALWAYS_VERIFY_CB to be more explicit and updated comments.
2018-08-06 11:40:35 -07:00
David Garske
c4ea50b956
Fix for issue with using CopyDecodedToX509 again for existing X509 and freeing the altNames in original. Fix was to use the ssl->peerCert directly for the index 0 cert. Improvement to make sure ex_data is always populated. Added NULL arg check on wolfSSL_get_peer_certificate.
2018-08-06 11:40:35 -07:00
David Garske
7d39a897dc
Refactor of the verify callback to eliminate duplicate code and provide consistency with various build options. Documented build options and added code comments in new DoVerifyCallback function. Added documentation in test.h myVerify function for arguments and return code. Fix from commit da1ac36 which added current_cert to WOLFSSL_X509_STORE_CTX, but is only required for ASIO compatibility and is not used.
2018-08-06 11:40:35 -07:00
David Garske
30d6c0c1fc
Merge pull request #1737 from ejohnstown/ocsp-free
...
OCSP Free
2018-08-06 09:08:01 -07:00
toddouska
b88d60ecbb
Merge pull request #1665 from ejohnstown/mr
...
Prime Number Testing
2018-08-03 12:50:27 -07:00
JacobBarthelmeh
782ea74fbf
Merge pull request #1732 from kojo1/Ticket-4169-2
...
Ticket 4169: eliminate ssl->CBIORecv/Send overwritten in SSL_set_bio
2018-08-02 14:58:25 -06:00
John Safranek
c87d6b27e2
OCSP Free
...
Free the OCSP request when creating the response only if there is an error making the request.
2018-08-01 15:34:43 -07:00
Takashi Kojo
98f6ae16ca
copy cbioFlag from ctx to ssl
2018-08-02 04:48:39 +09:00
Takashi Kojo
96c1a567f0
#4169 : CBIO set flag to escape from overwritten in SSL_set_bio
2018-08-01 19:16:42 +09:00
David Garske
4eff7b641b
First pass at bugs found with ./scripts/memtest.sh. Fixes for NULL pointer checks, making sure free'd pointers are reset, making sure pointers are initialized and making sure memory is always free'd. Fix for TicketInit() which was using non-thread safe RNG and key_ctx. Fix for possible double free case in wolfSSL_PEM_read_X509_CRL.
2018-07-30 13:53:54 -07:00
Naruto TAKAHASHI
861fec1dc6
porting mynewt
2018-07-28 18:03:20 +09:00
John Safranek
4b8507813e
Prime Number Testing
...
1. Also disable the new prime test from TLS while using SELFTEST.
2018-07-27 13:34:38 -07:00
John Safranek
31f1692cbf
Prime Number Testing
...
1. Disable the new prime test from TLS while using FIPS or setting the flag WOLFSSL_OLD_PRIME_CHECK.
2018-07-26 16:01:08 -07:00
John Safranek
4b2a591a93
Prime Number Testing
...
1. Added calls to wc_DhSetCheckKey() on the client side of TLS.
2. Added an API test to the wolfCrypt test.
3. Fixed a bug in the prime test found with the API test. Misuse of tertiary operator.
2018-07-26 14:43:04 -07:00
toddouska
90367df13c
Merge pull request #1710 from SparkiDev/ed25519_only
...
Changes to build with X25519 and Ed25519 only
2018-07-25 14:24:03 -07:00
JacobBarthelmeh
74fbd06817
Merge pull request #1686 from cconlon/nucleus-update
...
Nucleus port and PB changes
2018-07-25 09:17:40 -06:00
toddouska
018573bcf3
Merge pull request #1695 from JacobBarthelmeh/Optimizations
...
add some macro guards for CipherRequires function
2018-07-24 11:51:03 -07:00
Sean Parkinson
6d3e145571
Changes to build with X25519 and Ed25519 only
...
Allows configurations without RSA, DH and ECC but with Curve25519
algorithms to work with SSL/TLS using X25519 key exchange and Ed25519
certificates.
Fix Ed25519 code to call wc_Sha512Free().
Add certificates to test.h and fix examples to use them.
2018-07-23 10:20:18 +10:00
Chris Conlon
7f19f914c0
create WOLFSSL_NUCLEUS_1_2 for older 1.2 version
2018-07-20 10:51:15 -06:00
toddouska
227e7cc8c7
Merge pull request #1690 from SparkiDev/tls_sha384_copy
...
Remove special case SHA-384 copy code
2018-07-18 09:37:50 -07:00
toddouska
436e774729
Merge pull request #1685 from SparkiDev/dh_max
...
Add support for maximum DH key size
2018-07-18 09:33:43 -07:00
Sean Parkinson
0236a293e4
Fix define protection to be ED25519 not ECC
2018-07-18 10:12:57 +10:00
Jacob Barthelmeh
7e5bf9b8a9
add some macro guards for CipherRequires function
2018-07-17 09:04:06 -06:00
Sean Parkinson
87f378efb5
Remove special case SHA-384 copy code
...
SHA-384 implementation has a GetHash API and TLS code uses it.
2018-07-17 08:16:46 +10:00
John Safranek
49fefe176e
DTLS and Atomic Encrypt Callback
...
When using the encrypt callback, the DTLS sequence number isn't incremented. Moved the increment to later in the BuildMessage() function.
2018-07-16 13:33:03 -07:00
toddouska
f0422bec41
Merge pull request #1681 from dgarske/pk_keygen
...
Added ECC and Curve25519 Key Generation PK callback support
2018-07-13 14:03:13 -07:00
Chris Conlon
eeb50099d9
initial Nucleus port with PB changes
2018-07-13 14:58:37 -06:00
toddouska
6c1778d373
Merge pull request #1669 from cconlon/mqxfixes
...
fixes for MQX classic 4.0 with IAR-EWARM
2018-07-13 11:59:28 -07:00
Sean Parkinson
ffc6cf4eb8
Add support for maximum DH key size
2018-07-13 17:36:42 +10:00
John Safranek
f7c5b27bfc
Merge pull request #1675 from toddouska/zero-error
...
make SOCKET_PEER_CLOSED_E consistent between read and 2 write cases
2018-07-12 12:53:48 -07:00
Chris Conlon
cadd556b3a
cast result of bitwise not back to original type to prevent compiler warnings
2018-07-12 13:46:55 -06:00
David Garske
81d13e15d5
Added ECC and Curve25519 Key generation callback support for HAVE_PK_CALLBACKS. The TLS server side ECDHE could not correctly handle PK callback based shared secret calculation using a hardware based generated key. Refactor internal functions to use the callback ctx getter API.
2018-07-12 11:52:54 -07:00
toddouska
23687f44bc
Merge pull request #1643 from ejohnstown/altnames
...
Subject Alt Name Matching
2018-07-11 13:20:58 -07:00
Todd Ouska
d639939a07
make SOCKET_PEER_CLOSED_E consistent between read and 2 write cases
2018-07-11 13:00:29 -07:00
Chris Conlon
0f2b5ca181
fixes for MQX classic 4.0 with IAR-EWARM
2018-07-11 10:54:24 -06:00
toddouska
376a4d3ca8
Merge pull request #1666 from dgarske/fix_always_verify
...
Fix for building with `WOLFSSL_ALWAYS_VERIFY_CB`
2018-07-09 11:13:28 -07:00
David Garske
9c2a5d2906
Further simplification of the PK verify wrapping to avoid malloc/free. Thanks Todd!
2018-07-06 16:21:43 -07:00
David Garske
85d58cbf8c
Fix for building with WOLFSSL_ALWAYS_VERIFY_CB.
2018-07-06 15:31:52 -07:00
David Garske
32f1b0a9c2
Added separate context for each SignatureCtx verify callback. Added missing ssl info to callback context.
2018-07-06 09:28:46 -07:00
David Garske
3cbcc872c1
Improved PK callback support for ConfirmSignature so certificate verification uses the callbacks. Retained wolfSSL/wolfCrypt isolation (I.E. no wolfSSL references from wolfCrypt).
2018-07-05 14:04:06 -07:00
toddouska
ae54bae2fa
Merge pull request #1654 from SparkiDev/tls13_stapling
...
TLS 1.3 OCSP Stapling
2018-07-03 12:56:28 -07:00
toddouska
9f35d211e0
Merge pull request #1644 from JacobBarthelmeh/Compatibility-Layer
...
add ca when getting chain from x509 store
2018-07-02 16:22:11 -07:00
John Safranek
adb3cc5a5a
Subject Alt Name Matching
...
1. Added certificates for localhost where the CN and SAN match and differ.
2. Change subject name matching so the CN is checked if the SAN list doesn't exit, and only check the SAN list if present.
3. Added a test case for the CN/SAN mismatch.
4. Old matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN.
5. Add test case for a correct certificate.
Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
2018-07-02 13:39:11 -07:00
Jacob Barthelmeh
201217bd97
casts for tls 1.3 windows warnings
2018-07-02 13:55:38 -06:00
Sean Parkinson
0bf3a89992
TLS 1.3 OCSP Stapling
...
Introduce support for OCSP stapling in TLS 1.3.
Note: OCSP Stapling v2 is not used in TLS 1.3.
Added tests.
Allow extensions to be sent with first certificate.
Fix writing out of certificate chains in TLS 1.3.
Tidy up the OCSP stapling code to remove duplication as much as
possible.
2018-07-02 16:59:23 +10:00
Jacob Barthelmeh
c2c209fb89
add ca when getting chain from x509 store
2018-06-27 14:09:32 -06:00
toddouska
5d767aa004
Merge pull request #1641 from ejohnstown/rename-inline
...
Rename INLINE
2018-06-27 09:34:41 -07:00
John Safranek
586874b997
Rename INLINE
...
1. Renamed the macro INLINE as WC_INLINE.
2. For FIPS and the "selftest" build, define INLINE as WC_INLINE. Allows the FIPS code to work unchanged.
2018-06-26 15:17:46 -07:00
David Garske
1cb5bbf8ea
Fixes for some async issues. Fixes an async issue with BuildMessage. Fixes for PKCS7 tests to not use async since it is not supported.
2018-06-22 09:30:25 -07:00