Commit Graph

4845 Commits

Author SHA1 Message Date
Sean Parkinson 505514415d Merge pull request #3748 from JacobBarthelmeh/Testing
always check index into certs
2021-02-15 08:20:28 +10:00
Jacob Barthelmeh 0938a0055d always use MAX_CHAIN_DEPTH for args->certs buffer 2021-02-12 15:18:14 +07:00
toddouska f0ce6ada0f Merge pull request #3702 from guidovranken/zd11603
Prevent dangling pointer in TLSX_Cookie_Use
2021-02-11 12:31:02 -08:00
toddouska 80b9949052 Merge pull request #3739 from kaleb-himes/FusionRTOS-Porting-R3
Fusion RTOS porting round 3
2021-02-11 12:25:55 -08:00
toddouska 39cb84de25 Merge pull request #3697 from julek-wolfssl/openvpn-2.5-missing-stuff
OpenVPN master additions
2021-02-11 08:56:45 -08:00
Jacob Barthelmeh 90140fc5a4 always check index into certs 2021-02-11 21:50:51 +07:00
toddouska 032cc1645c Merge pull request #3713 from SparkiDev/tls_def_sess_ticket_cb
TLS Session Ticket: default encryption callback
2021-02-10 16:13:33 -08:00
toddouska 67b1280bbf Merge pull request #3545 from kabuobeid/smime
Added support for reading S/MIME messages via SMIME_read_PKCS7.
2021-02-10 15:59:32 -08:00
kaleb-himes 223ba43c2c Add debug message regarding failure 2021-02-10 12:15:43 -07:00
kaleb-himes 9e6ab4ab70 Address indendation, fix return on stub, remove warning 2021-02-10 11:26:29 -07:00
kaleb-himes 4c171524dd Address missed CloseSocket item and revert some white space changes 2021-02-10 09:14:54 -07:00
kaleb-himes 7e428f90f2 Revert zero return, to be handled in stand-alone PR 2021-02-10 05:31:57 -07:00
kaleb-himes 15f9902e94 Address new file issue by Jenkins and peer feedback on return val of time 2021-02-10 04:16:34 -07:00
Sean Parkinson 794cb5c7a9 TLS Session Ticket: default encryption callback
Encrypts with ChaCha20-Poly1305 or AES-GCM.
Two keys in rotation.
Key used for encryption until ticket lifetime goes beyond expirary
(default 1 hour). If key can still be used for decryption, encrypt with
other key.
Private random used to generate keys.
2021-02-10 14:31:54 +10:00
kaleb-himes 89b97a0fbf Implement peer feedback 2021-02-09 18:42:23 -07:00
toddouska f63f0ccb94 Merge pull request #3740 from SparkiDev/tls13_one_hrr_sh
TLS 1.3: Only allow one ServerHello and one HelloRetryRequest
2021-02-09 14:59:10 -08:00
toddouska 9a7aba265a Merge pull request #3716 from kaleb-himes/OE10_ACVP_OE13_ACVP_WPAA
OE10 and OE13 ACVP updates for armv8 PAA
2021-02-09 14:50:42 -08:00
Kaleb Himes 73d7709724 Update comment about location for porting changes. 2021-02-09 15:39:12 -07:00
kaleb-himes 6d23728a56 Fusion RTOS porting round 3 2021-02-09 15:33:06 -07:00
toddouska 250b59f8fd Merge pull request #3688 from julek-wolfssl/correct-cert-free
Use wolfSSL_X509_free to free ourCert
2021-02-09 12:41:12 -08:00
Chris Conlon 012841bba3 Merge pull request #3738 from embhorn/cmp_layer_high
Compatibility layer API
2021-02-09 08:33:41 -07:00
Chris Conlon 71b495c422 Merge pull request #3712 from miyazakh/RND_bytes
handle size greater than RNG_MAX_BLOCK_LEN
2021-02-09 08:26:30 -07:00
Sean Parkinson 4d70d3a3c4 TLS 1.3: Only allow one ServerHello and one HelloRetryRequest 2021-02-09 12:51:53 +10:00
Kareem Abuobeid a4e819c60a Added support for reading S/MIME messages via SMIME_read_PKCS7. 2021-02-08 17:14:37 -07:00
Sean Parkinson 3217c7afae Merge pull request #3732 from miyazakh/setverifydepth
issue callback when exceeding depth limit rather than error out
2021-02-09 09:51:45 +10:00
toddouska f14f1f37d2 Merge pull request #3673 from elms/ssl_api/get_verify_mode
SSL: add support for `SSL_get_verify_mode`
2021-02-08 15:40:19 -08:00
toddouska 58f9b6ec01 Merge pull request #3676 from SparkiDev/tls13_blank_cert
TLS 1.3: ensure key for signature in CertificateVerify
2021-02-08 15:27:05 -08:00
Eric Blankenhorn 6cff3f8488 Adding X509_LOOKUP_ctrl 2021-02-08 12:17:14 -06:00
Eric Blankenhorn 47b9c5b054 Adding X509_STORE_CTX API 2021-02-08 08:25:14 -06:00
Eric Blankenhorn de47b9d88a Adding X509_VERIFY_PARAM API 2021-02-08 08:25:14 -06:00
Hideki Miyazaki f13186827a issue callback when exceeding depth limit rather than error out 2021-02-08 11:01:45 +09:00
kaleb-himes 776964f7c7 OE10 and OE13 ACVP updates for armv8 PAA 2021-02-03 15:38:08 -07:00
Hideki Miyazaki 431e1c8ffe handle size greater than RNG_MAX_BLOCK_LEN 2021-02-03 12:23:36 +09:00
Juliusz Sosinowicz 542e0d79ec Jenkins Fixes
- explicit conversions
- not all curves available for wolfSSL_CTX_set1_groups_list
- group funcs depend on HAVE_ECC
- `InitSuites` after `ssl->suites` has been set
2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 921fd34876 Detect version even if not compiled in 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 69dca4fd08 Rebase fixes
- wolfSSL_CTX_set1_groups_list and wolfSSL_set1_groups_list should use wolfSSL_CTX_set1_groups and wolfSSL_set1_groups respectively because it converts to correct groups representation
- Change to using "SHA1" as main name for SHA1
2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 46821196ab Fix call to wolfSSL_connect when in wolfSSL_connect_TLSv13
If a client is:
- TLS 1.3 capable
- calls connect with wolfSSL_connect_TLSv13
- on an WOLFSSL object that allows downgrading
then the call to wolfSSL_connect should happen before changing state to HELLO_AGAIN. Otherwise wolfSSL_connect will assume that messages up to ServerHelloDone have been read (when in reality only ServerHello had been read).

Enable keying material for OpenVPN
2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz ff43d39015 GCC complains about empty if 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 5d5d2e1f02 Check that curves in set_groups functions are valid 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz c18701ebe7 Implement RFC 5705: Keying Material Exporters for TLS 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz fdde2337a4 Add static buffer to wolfSSL_ERR_error_string
Add ED448 and ED25519 to wolfssl_object_info
Add more error messages
2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 6ed45a23d9 Fix getting cipher suites in compat layer 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 294e46e21a Set options when creating SSL 2021-02-02 12:06:11 +01:00
Juliusz Sosinowicz 3494218d98 Implement missing functionality for OpenVPN 2.5 2021-02-02 12:06:11 +01:00
Hayden Roche fc845da9f0 Fix issue with DoHandShakeMsgType/ShrinkInputBuffer when encryption is on (e.g.
during renegotiation).

This issue was brought to light by ZD 10911. When encryption is on (indicated
by the return value of IsEncryptionOn), DoHandShakeMsgType will finish up by
incrementing the input buffer index past the padding and MAC (if encrypt-then-
mac is enabled). In ProcessReply, if there are more messages to be read, the
index is decremented back before the padding and MAC. The issue arises when
ShrinkInputBuffer is called in between and copies data from the dynamic input
buffer to the static one. That function will get called with the index post-
increment, and thus the padding and MAC won't get copied into the static buffer,
which isn't what we want, since ProcessReply is going to decrement the index
since it thinks the padding and MAC are still there. This commit makes it so
the padding and MAC get included in the call to ShrinkInputBuffer when
encryption is on.
2021-01-28 15:37:00 -06:00
Guido Vranken 3da6b8364e Prevent dangling pointer in TLSX_Cookie_Use
ZD 11603
2021-01-28 18:53:35 +01:00
Jacob Barthelmeh bbcb98a8f7 fix for tested x509 small build 2021-01-27 23:00:24 +07:00
John Safranek d0e2566ad8 Merge pull request #3679 from julek-wolfssl/dtls-window
Correct old DTLS msg rcv update
2021-01-26 12:20:59 -08:00
Juliusz Sosinowicz 3d4f836c00 Correctly insert out of order msgs to queue 2021-01-26 15:12:08 +01:00
Juliusz Sosinowicz 4da9ade290 Use wolfSSL_X509_free to free ourCert 2021-01-26 11:32:05 +01:00