Commit Graph

2982 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 29f51b6245 CheckcipherList: Check Cipher minor to detect TLS 1.3 ciphersuite 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz 4a26af0dfa dtls 1.3: Add cid size to output buffer length 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz 6d5fefde4a dtls 1.3: Check header length before copying 2024-09-18 10:35:29 +02:00
jordan 7faed6cded X509 attribute cert (acert) support. 2024-09-13 08:03:55 -05:00
Daniel Pouzzner c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
Daniel Pouzzner e708ef3b56 Merge pull request #7946 from gasbytes/fix-conversion
Fix conversion in ssl* files and in internal.c
2024-09-06 16:13:55 -05:00
Reda Chouk 73786112ec review addressed 2024-09-05 20:55:00 +02:00
Daniel Pouzzner a3fea482db Merge pull request #7914 from julek-wolfssl/gh/7825
Fix failing test_dtls_frag_ch
2024-09-04 19:35:06 -05:00
Daniel Pouzzner 806df85477 backfill more missing WC_NO_ERR_TRACE()s on error code operands, and refactor away the obsolete GEN_MEM_ERR macro mechanism in wolfcrypt/src/ecc.c. 2024-09-03 17:44:11 -05:00
Reda Chouk a80a2cdcff Addressed type conversion error in internal.c 2024-09-03 16:26:32 +02:00
Daniel Pouzzner 126df1d9ee src/internal.c: in wolfSSL_ERR_reason_error_string(), return "unknown error number" when error==0 and !OPENSSL_EXTRA, to avoid provoking clang-analyzer-optin.core.EnumCastOutOfRange. 2024-08-30 14:32:56 -05:00
Juliusz Sosinowicz b67fd6f29c Fix failing test_dtls_frag_ch
- Add option to disable ECH
- InitSuites: clean up DTLS paths
- wolfSSL_parse_cipher_list: remove WOLFSSL_MAX_SUITE_SZ setting
- wolfSSL_parse_cipher_list: add rationale for keeping ciphersuites
- test_dtls_frag_ch: ECH and ciphersuites were pushing the ClientHello message over the fragmentation limit. Disabling ECH and limiting ciphersuites fixes the test.
2024-08-30 09:56:52 +02:00
Daniel Pouzzner 2dcd04668b src/internal.c: in wolfSSL_ERR_reason_error_string(), restore handling for -WOLFSSL_X509_V_ERR_*, but separated from handling for the proper wolfSSL_ErrorCodes. 2024-08-29 21:28:02 -05:00
Daniel Pouzzner 255465a757 src/internal.c: in wolfSSL_ERR_reason_error_string(), remove handling for -WOLFSSL_X509_V_ERR_*, and make corresponding changes in wolfssl/error-ssl.h and tests/api.c. 2024-08-29 20:02:42 -05:00
Daniel Pouzzner 17870d4159 src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E.
wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c:
* fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values;
* move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence;
* move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh;
* add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants;
* include error-ssl.h from ssl.h;
* add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums;
* in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums;
* in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and
* harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test().

tests/api.c:
* add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
* in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating.

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-29 14:22:56 -05:00
Daniel Pouzzner b178138d83 src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT.
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().

wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-28 23:05:04 -05:00
Reda Chouk 7d2ca8db5f addressing review:
- added unit test;
- formatting;
2024-08-22 21:30:57 +02:00
Reda Chouk 2356bec909 no magic values 2024-08-22 21:30:57 +02:00
Reda Chouk db64d36f00 properly handling the shutdown when multiple ones go on EAGAIN back to
back.
2024-08-22 21:30:56 +02:00
Sean Parkinson e99bbf9429 Merge pull request #7875 from douzzer/20240814-debug-trace-errcodes-MP
20240814-debug-trace-errcodes-MP
2024-08-22 10:10:45 +10:00
Daniel Pouzzner 1a0bf421bd Merge pull request #7781 from julek-wolfssl/sssd
init sssd support
2024-08-21 19:05:08 -05:00
Daniel Pouzzner 0da78a7ee2 move several MP error codes from wolfssl/wolfcrypt/sp_int.h, wolfssl/wolfcrypt/tfm.h, and wolfssl/wolfcrypt/integer.h, to wolfssl/wolfcrypt/error-crypt.h, harmonizing their names and numbers.
wolfssl/wolfcrypt/error-crypt.h: add WC_FIRST_E.

wolfcrypt/src/error.c: add MP error code strings.

wolfssl/error-ssl.h: add WOLFSSL_FIRST_E and WOLFSSL_LAST_E.

wolfcrypt/test/test.c: update error_test() for new error code layout, refactoring the "missing" check.

src/internal.c: use WC_FIRST_E and WC_LAST_E  in wolfSSL_ERR_reason_error_string().

src/ssl.c: fix wolfSSL_ERR_GET_REASON() to identify in-range error codes using WC_FIRST_E, WC_LAST_E, WOLFSSL_FIRST_E, and WOLFSSL_LAST_E.

sp_int.h: provide for WOLFSSL_DEBUG_TRACE_ERROR_CODES, and refactor MP error codes as enums, for consistency with other error codes.

wolfcrypt/src/ecc.c: fix 2 identicalInnerCondition's.
2024-08-20 14:09:06 -05:00
Juliusz Sosinowicz a6a40de249 init sssd support
- Refactor OCSP to separate IO callback
- wolfSSL_BIO_reset: fix return
- CheckCertCRL_ex: return CRL_CERT_DATE_ERR instead of ASN_AFTER_DATE_E
- CheckCertCRL_ex: return most relevant error code
- i2d/d2i APIs: correct parameters handling and return codes
- Custom ASN1 structures: major refactor to make it much more versatile
- Use WOLFSSL_ASSERT_SIZEOF_GE where applicable
- wolfSSL_EVP_SignFinal: implement ecc
- wolfSSL_EVP_VerifyFinal: implement ecc
- OBJ_NAME_do_all: bring closer to OpenSSL functionality
- Correct return of *_push api
- Implement:
  - OCSP_REQ_CTX API
  - d2i_ECPKParameters
  - wolfSSL_sk_insert
  - OCSP_parse_url
  - X509_STORE_set1_param
  - X509_get0_subject_key_id
  - X509_OBJECT_retrieve_by_subject
  - OCSP_sendreq_nbio
2024-08-16 17:22:41 +02:00
Colton Willey 65d7c6a533 Do not overwrite cert in wolfSSL_set_SSL_CTX if one is already set, remove unreachable frees. 2024-08-14 17:07:20 -07:00
Colton Willey 15abea7f20 Use 1 instead of TRUE 2024-08-14 13:19:43 -07:00
Colton Willey 337cddfd90 Rework implementation to use existing weOwnCert logic 2024-08-14 13:13:25 -07:00
Colton Willey ef500c2e62 Add new option to always copy cert buffer for each SSL object 2024-08-13 13:32:25 -07:00
Daniel Pouzzner 84b91d0e1e Merge pull request #7841 from mrdeep1/dtls_downgrade_cid
Support DTLS1.3 downgrade when server supports CID
2024-08-09 15:30:20 -05:00
Daniel Pouzzner 763ced668e fixes for defects identified by cppcheck and clang-tidy on --enable-debug builds: null deref in tests/api.c:load_pem_key_file_as_der(), redundant declarations in wolfcrypt/benchmark/benchmark.c, and numerous unchecked XSNPRINTF()s in wolfcrypt/src/logging.c and src/internal.c. 2024-08-08 09:00:42 -05:00
Daniel Pouzzner 0ab1f1969d Merge pull request #7828 from miyazakh/zd18141_ocspv2multi
Sever side checks OCSP even if it uses v2 multi
2024-08-07 17:40:23 -05:00
Jon Shallow f1c918c261 Support DTLS1.3 downgrade when server supports CID
With --enable-dtlscid, a client sending a Client Hello to a DLTS1.2
server that supports CID, the server provides the appropriate CID and
assumes that CID has been negotiated.

However, in the case of MbedTLS, it then rejects packets that do not
match its expected CID from the client - as wolfSSL no longer sends
the CID as it is not DTLS1.2.

https://datatracker.ietf.org/doc/html/rfc9147#section-4

If a Connection ID is negotiated, then it MUST be contained in all datagrams.

This fix drops the CID if a Hello Verify Request is received, so the
second Client Hello does not include the CID.

https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1

When responding to a HelloVerifyRequest, the client MUST use the same
parameter values (version, random, session_id, cipher_suites,
compression_method) as it did in the original ClientHello.

Dropping the CID extension does not violate this.
2024-08-06 16:48:04 +01:00
Andras Fekete 3a83c33499 Fix compilation error 2024-08-06 11:44:32 -04:00
Andras Fekete f419e2351b Remove NULL test with 'ptr = NULL' at the end 2024-08-06 10:55:37 -04:00
Andras Fekete d350ba6c41 remove NULL test with XFREE arguments with dereference 2024-08-06 10:44:59 -04:00
Andras Fekete d6a7187538 Programmatically remove NULL test with { XFREE() } 2024-08-06 10:37:43 -04:00
Andras Fekete eb0c64d79a Remove NULL test when there is a dereference 2024-08-06 10:29:02 -04:00
Andras Fekete d7a0f49906 Programmatically remove NULL test before XFREE 2024-08-06 10:20:45 -04:00
Hideki Miyazaki c947fc8fda sever side checks OCSP even if it uses v2 multi 2024-08-06 13:01:56 +09:00
Daniel Pouzzner 9aa0742baa Merge pull request #7798 from dgarske/asn_macros
ASN macro simplification

merged with github CI tests failing due to unrelated upstream changes (same tests all previously succeeded on this PR, with only 25d14f1937 added in the meantime).

supplementary testing with `wolfssl-multi-test.sh ... super-quick-check` after rebase on then-current `master` 15e99c8eff.
2024-08-02 16:36:50 -05:00
Sean Parkinson dbf88e4c73 Merge pull request #7779 from rizlik/ocsp-dfree-fix
ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest
2024-07-31 09:31:42 +10:00
David Garske 1d9b86e2b0 Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret. API test cleanups (no sleep needed). 2024-07-30 11:54:17 -07:00
David Garske 20f7d6f9f4 ASN macro simplification. Added new --enable-asn=all and WOLFSSL_ASN_ALL option. Added granular macros for ASN features like: WOLFSSL_ASN_CA_ISSUER, WOLFSSL_ASN_PARSE_KEYUSAGE, WOLFSSL_ASN_TIME_STRING, WOLFSSL_OCSP_PARSE_STATUS. 2024-07-30 10:35:20 -07:00
Marco Oliverio 31380aca13 fixup! ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest 2024-07-29 15:00:41 +00:00
Marco Oliverio bb60c58800 ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest 2024-07-23 16:02:07 +00:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
David Garske bd5586623a Merge pull request #7703 from SparkiDev/def_ticket_cbc_hmac
Default session ticket enc/dec: allow AES-CBC with HMAC
2024-07-19 07:41:27 -07:00
jordan 6a745518bc Misc cleanup: FreeX509 null pointer checks, and spelling cleanup. 2024-07-17 10:04:52 -05:00
Daniel Pouzzner 0a928ead3f address peer review around WOLFSSL_HAVE_BIO_ADDR:
refactor housekeeping for bio->bytes_read and bio->bytes_write, and add WOLFSSL_BIO_HAVE_FLOW_STATS gate;

add WOLFSSL_BIO_FLAG_RETRY housekeeping for WOLFSSL_BIO_SOCKET and WOLFSSL_BIO_DGRAM;

refactor WOLFSSL_BIO.peer_addr to be inline rather than a pointer;

add wolfSSL_set_mtu_compat() and wolfSSL_CTX_load_verify_locations_compat() implementations;

enable WOLFSSL_HAVE_BIO_ADDR and WOLFSSL_DTLS_MTU when OPENSSL_ALL.
2024-07-16 19:12:18 -05:00
Daniel Pouzzner 29ec038aa6 checkpoint: add WOLFSSL_BIO_ADDR, wolfSSL_BIO_ADDR_new(), wolfSSL_BIO_ADDR_free(), wolfSSL_BIO_ADDR_clear(), wolfIO_SendTo(), wolfIO_RecvFrom(); fix name of wolfSSL_BIO_s_datagram(). 2024-07-16 19:12:18 -05:00
Daniel Pouzzner 41efa0492c add ASN_ prefixes to ISSUER, SUBJECT, BEFORE, and AFTER enum constants defined in wolfssl/wolfcrypt/asn.h. 2024-07-16 19:12:18 -05:00