Commit Graph

4651 Commits

Author SHA1 Message Date
toddouska f31b41fcca Merge pull request #3495 from haydenroche5/httpd
Add OpenSSL compatibility functions for latest version of Apache httpd
2020-12-09 09:55:13 -08:00
toddouska 367f28b917 Merge pull request #3443 from SparkiDev/tls13_psk_no_dhe
TLS 1.3: PSK only
2020-12-09 09:45:34 -08:00
toddouska 7834dee991 Merge pull request #3503 from SparkiDev/dtls_mtu_write
DTLS MTU: check MTU on write
2020-12-09 09:42:44 -08:00
Hayden Roche 03c7e52f5f Add OpenSSL compatibility functions for Apache httpd's OCSP module. 2020-12-03 11:22:43 -06:00
Hayden Roche bca43654df Make changes to OCSP ASN code.
- Use OcspEntry in OcspResponse instead of CertStatus. OcspEntry is more
  analogous to an OCSP SingleResponse, which contains issuer name and key
  hashes. Correspondingly, remove these hashes from OcspResponse, since they'll
  now be stored per SingleResponse in an OcspEntry.
- Add a hashAlgoOID to OcspEntry (corresponds to hashAlgorithm in CertId in RFC
  6960). This makes OcspEntry more closely resemble an OCSP SingleResponse.
- Change WOLFSSL_OCSP_CERTID to map to OcspEntry. OcspEntry contains all the
  information that an OCSP CertID contains, and is a better fit than
  OcspRequest.
- Add a pointer to the raw CertId in an OCSP SingleResponse to OcspEntry, along
  with a size field to indicate how many bytes the CertId occupies. This will
  be used in an OpenSSL compatibility function, i2d_OCSP_CERTID, which yields
  the raw bytes of the CertId.
2020-12-03 11:22:43 -06:00
toddouska b4c7b5e6ce Merge pull request #3525 from SparkiDev/tls13_session
TLS 1.3: always add session when sending finished message
2020-12-02 13:47:38 -08:00
John Safranek 6fc64263f2 Merge pull request #3519 from julek-wolfssl/scr-timeout
Adapt wolfSSL_dtls_got_timeout to secure renegotiation usage
2020-11-30 11:40:35 -08:00
Sean Parkinson 22a8be412b TLS 1.3: always add session when sending finished message 2020-11-27 09:46:02 +10:00
John Safranek 4baf923218 Verify Callback Fix
1. Removed a flag set that would force all certificates in a chain
   to be verified. There was a compile time option to make that happen
   already.
2. Replace some options for some test failure test cases that were added
   and immediately removed.
(ZD 11292)
2020-11-24 11:46:10 -08:00
Juliusz Sosinowicz 95132b1c55 Make renegotiation information available outside of OPENSSL_EXTRA 2020-11-24 17:03:40 +01:00
Juliusz Sosinowicz 41d58465c0 Adapt wolfSSL_dtls_got_timeout to secure renegotiation usage
Reset DTLS stored messages on a FreeHandshakeResources call even if secure renegotiation is enabled. Without this, in a server initiated rehandshake, the server would keep old messages (ChangeCipherSpec and Finished) even when it sent a HelloRequest message.
2020-11-24 16:06:35 +01:00
John Safranek f5c2bef78f Merge pull request #3492 from julek-wolfssl/dtls-scr-optimizations
Save the HelloRequest message just like other handshake mesasges
2020-11-20 11:50:51 -08:00
Juliusz Sosinowicz 69bea008dd Save the HelloRequest message just like other handshake mesasges
Implement a timeout mechanism for non-blocking sockets
2020-11-20 11:41:19 +01:00
John Safranek 2d79e38436 Merge pull request #3485 from julek-wolfssl/dtls-scr-seq-correct-num
Fix overlapping sequence number error.
2020-11-19 14:19:13 -08:00
David Garske d4c59e369e Merge pull request #3335 from julek-wolfssl/RSA-PSS-padding-in-EVP_Digest-API
Enable RSA-PSS padding in EVP_Digest* API
2020-11-19 09:31:12 -08:00
Sean Parkinson 91d23d3f5a Implement all relevant mp functions in sp_int 2020-11-19 11:58:14 +10:00
toddouska aa9ed17afa Merge pull request #3512 from dgarske/openssl_pem
Fix for missing `wolfSSL_PEM_write_bio_PrivateKey` with WebRTC
2020-11-18 16:17:46 -08:00
toddouska ca281f976e Merge pull request #3493 from dgarske/zd11245
Sniffer fixes for handling TCP `out-of-range sequence number`
2020-11-18 16:14:09 -08:00
toddouska a280df1892 Merge pull request #3488 from kabuobeid/x509_objtxt_lname
Return long names instead of short names in wolfSSL_OBJ_obj2txt().
2020-11-18 16:10:46 -08:00
toddouska b0979f4225 Merge pull request #3476 from dgarske/sniffer_hrr
Fixes for TLS sniffer with v1.3 (HRR and Certs)
2020-11-18 16:07:11 -08:00
toddouska 3adeff672b Merge pull request #3472 from SparkiDev/pickhashsigalgo_rework
TLS PickHashSigAlgo: rework
2020-11-18 15:58:59 -08:00
toddouska dedde4c058 Merge pull request #3456 from JacobBarthelmeh/Certs
strict certificate version allowed from client
2020-11-18 15:55:50 -08:00
toddouska 9bde34ef5b Merge pull request #3438 from douzzer/harmonize-CCM8-cipher-names
add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat
2020-11-18 15:52:52 -08:00
Sean Parkinson d8b58286d1 TLS 1.3: PSK only
Support building with only TLS 1.3 and PSK without code for (EC)DHE and
certificates.
Minimise build size for this configuration.
2020-11-19 09:21:24 +10:00
David Garske 4cfe5a1bc1 Fix for missing wolfSSL_PEM_write_bio_PrivateKey with WebRTC. If keygen or certgen is not specified this was incorrectly being excluded with opensslextra or opensslall. 2020-11-18 11:30:53 -08:00
Juliusz Sosinowicz a0a3a2b74c Review changes 2020-11-17 19:15:12 +01:00
Juliusz Sosinowicz b4754d5706 CAVP, Windows, and FIPS tests 2020-11-17 15:06:35 +01:00
Juliusz Sosinowicz d18e2d7386 Refactoring and use salt length discover if available 2020-11-17 15:06:35 +01:00
Juliusz Sosinowicz 248dd12993 Enable RSA-PSS padding in EVP_Digest* API 2020-11-17 15:04:57 +01:00
David Garske 4a790cd024 Fixes for building with --disable-ecc and --disable-dh. 2020-11-16 12:17:27 -08:00
Sean Parkinson a00c75c51b DTLS MTU: check MTU on write 2020-11-16 09:30:04 +10:00
Kareem Abuobeid da06ef8c3f Return long names instead of short names in wolfSSL_OBJ_obj2txt(). 2020-11-13 12:03:26 -07:00
David Garske f02cc650a2 Fixes for handling TCP out-of-range sequence number. 2020-11-12 16:09:09 -08:00
David Garske c7053e9a36 Fix scenario where FreeHandshakeResources is called and server hello is recevied and WOLFSSL arrays is NULL. 2020-11-12 16:09:00 -08:00
David Garske b931b1bd4d Fix to not allow free for globally cached sessions. Resolves a false-positive scan-build warning. 2020-11-12 12:51:41 -08:00
David Garske cdf44f6ff6 Pass static ephemeral keys for TLS v1.2 as well. 2020-11-12 09:18:24 -08:00
John Safranek e996a7d15b Scan-Build Fixes
1. Fixed a couple possible 0 byte allocations.
2. Fixed a couple missed frees due to error conditions.
3. Fixed a possible double free.

To recreate:
    $ scan-build ./configure --disable-shared --enable-opensslextra=x509small --disable-memory
    $ scan-build ./configure --disable-shared --enable-opensslextra --disable-memory
2020-11-12 09:06:59 -08:00
David Garske a53b734c83 Fix for client_hello keyshare with multiple entries. Fix for change_cipher_spec after finished. 2020-11-12 08:59:11 -08:00
David Garske ea21ddf540 Fix to only free existing key in SetStaticEphemeralKey if the incoming algorithm type has been specified. 2020-11-12 08:59:11 -08:00
David Garske 5cda549d00 Allow passing multiple keys (comma separated) with the sniffer test tool. This allows setting both DH and ECC static ephemeral keys. Do not fail on resume not found. 2020-11-12 08:59:11 -08:00
David Garske 720919198f Fix for Scan-buld and when building without ECC or DH. 2020-11-12 08:59:11 -08:00
David Garske 71d9f1e9bd Static ephemeral refactor to support loading both DHE and ECDHE keys. Added ability to specify key using snifftest input at run-time. Improved snifftest key loading for named keys and static ephemeral. 2020-11-12 08:59:11 -08:00
David Garske 1c87f3bdc1 Improve sniffer resume logic. 2020-11-12 08:59:10 -08:00
David Garske b74f0fb6b8 Fixes for sniffer with hello_retry_request. Fix for TLS v1.3 certificate processing. 2020-11-12 08:59:10 -08:00
David Garske c7bb602a30 Merge pull request #3482 from douzzer/scan-build-fixes-20201110
scan-build fixes -- 1 null deref, 34 unused results
2020-11-12 07:45:45 -08:00
Daniel Pouzzner 7850d71ccb add wolfSSL_get_cipher_suite_from_name(); add flags arg to GetCipherSuiteFromName(); fix GetCipherSuiteFromName() to prevent spurious substring matching; add SUITE_ALIAS() macros for use defining CipherSuiteInfo, and add CipherSuiteInfo.flags slot and associated logic, to allow alternative cipher names to be recognized; add "CCM8" cipher name variants wherever applicable, including the unit.test conf files, to recognize and test the OpenSSL variants; add tests in client_test() and server_test() to confirm correct forward and backward mapping of cipher names/aliases. 2020-11-11 22:47:47 -06:00
toddouska d3e3b21c83 Merge pull request #3393 from dgarske/zd11104
Fix for TLS ECDH (static DH) with non-standard curves
2020-11-11 14:22:37 -08:00
Daniel Pouzzner 5fe1586688 fix 34 deadcode.DeadStores detected by llvm11 scan-build. 2020-11-11 13:04:14 -06:00
Juliusz Sosinowicz d49038ae24 Fix overlapping sequence number error.
wolfSSL wants to use the same sequence number for the ServerHello as the ClientHello. This is an issue when this sequence number is already taken.
2020-11-11 15:35:05 +01:00
Jacob Barthelmeh 979216d595 add test case for rejecting version 2 x509 2020-11-11 18:57:09 +07:00