Commit Graph

118 Commits

Author SHA1 Message Date
Daniel Pouzzner 49a680540c add constant time DH key agreement APIs:
* adds wc_DhAgree_ct().
* adds wolfSSL_DH_compute_key_padded(), using wc_DhAgree_ct() if available, with fallback fixup code.
* adds unit test coverage in api.c:test_wolfSSL_DH() for expected-success calls to wolfSSL_DH_compute_key() and wolfSSL_DH_compute_key_padded().
2024-09-09 16:24:07 -05:00
Daniel Pouzzner c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
Juliusz Sosinowicz 2c9a3c5c1c Missing libspdm features
- RsaFunctionPrivate: detect when only n,e,d are available
- wolfSSL_EVP_add_digest: return success
- wolfSSL_EVP_add_cipher: return success
- wolfSSL_BN_bin2bn: accept NULL data if len is 0 (checked in mp_read_unsigned_bin)
- wolfssl_read_bio: advance correct bio
- wolfSSL_X509_set_ext: return raw extension data for BASIC_CA_OID
- Implement
  - sk_X509_EXTENSION_free
  - d2i_EC_PUBKEY_bio
  - d2i_RSA_PUBKEY_bio
  - d2i_X509_REQ_INFO
  - X509_REQ_INFO_free
  - ASN1_TIME_set_string_X509
2024-09-02 10:01:12 +02:00
Juliusz Sosinowicz a6a40de249 init sssd support
- Refactor OCSP to separate IO callback
- wolfSSL_BIO_reset: fix return
- CheckCertCRL_ex: return CRL_CERT_DATE_ERR instead of ASN_AFTER_DATE_E
- CheckCertCRL_ex: return most relevant error code
- i2d/d2i APIs: correct parameters handling and return codes
- Custom ASN1 structures: major refactor to make it much more versatile
- Use WOLFSSL_ASSERT_SIZEOF_GE where applicable
- wolfSSL_EVP_SignFinal: implement ecc
- wolfSSL_EVP_VerifyFinal: implement ecc
- OBJ_NAME_do_all: bring closer to OpenSSL functionality
- Correct return of *_push api
- Implement:
  - OCSP_REQ_CTX API
  - d2i_ECPKParameters
  - wolfSSL_sk_insert
  - OCSP_parse_url
  - X509_STORE_set1_param
  - X509_get0_subject_key_id
  - X509_OBJECT_retrieve_by_subject
  - OCSP_sendreq_nbio
2024-08-16 17:22:41 +02:00
Daniel Pouzzner a75d520727 src/pk.c: fix a null deref (nullPointerRedundantCheck) in wolfSSL_RSA_GenAdd() added in d350ba6c41. 2024-08-08 11:40:57 -05:00
Andras Fekete d350ba6c41 remove NULL test with XFREE arguments with dereference 2024-08-06 10:44:59 -04:00
Andras Fekete d6a7187538 Programmatically remove NULL test with { XFREE() } 2024-08-06 10:37:43 -04:00
Andras Fekete d7a0f49906 Programmatically remove NULL test before XFREE 2024-08-06 10:20:45 -04:00
Sean Parkinson caab2c2dca SSL loading of keys/certs: testing and fixes
Added tests to cover ssl_load.c functions.
Fixes from testing.
pk.c: renamed wolfssl_dh_load_key to wolfssl_dh_load_params as it
doesn't handle keys - just parameters.
2024-07-26 11:43:10 +10:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Sean Parkinson fea7a89b86 Coverity fixes
pk.c:
	EncryptDerKey - setting wrong ret value on allocation failure.
	wolfssl_rsa_generate_key_native - now checks e is a valid long
before passing in.
	Fix formatting.

ssl_load.c:
	ProcessBufferPrivPkcs8Dec - now checking password is not NULL
before zeroizing. Allocation may fail and ForceZero doesn't check for
NULL.
	Fix formatting.

tests/api.c:
	test_RsaSigFailure_cm - Check cert_sz is greater than zero
before use.
	send_new_session_ticket - assert that building the message
doesn't return error or 0.
	test_ticket_nonce_malloc - fix setting of medium and big to use
preprocessor. Fix big to be medium + 20.

asn.c:
	GetLength_ex - Fix type of bytes so that it can go negative.

sp_int.h:
	sp_clamp - add one to ii while it is a signed.
	Fix formatting.
2024-07-10 11:40:48 +10:00
Takashi Kojo 3d7583e743 Merge pull request #7684 from kojo1/pk-fix
Fix in pk.c
2024-06-26 11:33:38 +09:00
Takashi Kojo 72b6074b93 Fixes in pk.c 2024-06-26 08:47:41 +09:00
Takashi Kojo 2f379ed322 alloc a buff for NULL pointer 2024-06-18 09:41:11 +09:00
Daniel Pouzzner b3e8f0ad24 add --enable-debug-trace-errcodes, WOLFSSL_DEBUG_TRACE_ERROR_CODES, WC_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-06-08 16:39:53 -05:00
David Garske 3975af88cf Merge pull request #7191 from kojo1/ecpoint-h2p
Add EC_POINT_hex2point
2024-06-01 07:13:31 -07:00
Takashi Kojo bc2b184c98 Add EC_POINT_hex2point: zd #17090 2024-06-01 13:45:35 +09:00
jordan 040e0c956a Used codespell and fixed obvious typos. 2024-05-16 13:53:26 -05:00
Andras Fekete a59a3d109f Explicit cast 2024-05-14 11:03:20 -04:00
Sean Parkinson b7eca574bb SSL/TLS: blind private key DER
When WOLFSSL_BLIND_PRIVATE_KEY is defined, blind the private key DER
encoding so that stored private key data is always changing.
2024-05-14 09:47:51 +10:00
David Garske 4eab5267f1 Merge pull request #7511 from julek-wolfssl/ec-meth
Stub EC_KEY_METHOD
2024-05-13 09:22:23 -07:00
Andras Fekete c5773f5f26 Make the function flow better
Will return 0 on failure.
2024-05-10 15:56:56 -04:00
Andras Fekete f73a9f0d4f Fix function logic 2024-05-10 15:03:17 -04:00
Juliusz Sosinowicz 0f06faf3d4 Stub EC_KEY_METHOD 2024-05-08 16:37:30 +02:00
Daniel Pouzzner 3df11e7eab fixes for cppcheck uninitvar src/pk.c (false positives) and nullPointerRedundantCheck in src/ssl_load.c (true positive). 2024-04-17 01:00:41 -05:00
Sean Parkinson 8e9810e87e ssl.c: Move functions out to separate files
Moved E[CD][25519||448] APIs to pk.c
Move public key PEM APIs to pk.c.
Move wolfSSL loading and using of private keys and certificates to
ssl_load.c
Move PKCS#7 and PKCS#12 APIs to ssl_p7p12.c.
Move session and session cache APIs to ssl_sess.c.
Other minor fixes.
2024-04-16 10:30:59 +10:00
kaleb-himes ef2a636610 Expose additional features of opensslall in a compliant way 2024-04-09 09:48:33 -06:00
gojimmypi 0775baa2e1 Introduce SHA256/SHA512 interleave, HAVE_DSA; revised ERROR_OUT, cleanup 2024-02-23 17:52:20 -08:00
Takashi Kojo 791c9e7aba Add EC_POINT_hex2point 2024-02-02 07:34:38 +09:00
Juliusz Sosinowicz 335c51987e openssh 9.6p1 fixes
- wolfSSL_DSA_set0_key: allow setting just the public key
- radix16: allow skipping the end of line whitespace
- Add openssh action
2024-02-01 11:39:56 +01:00
Lealem Amedie 837452b1ca Remove user-crypto functionality and Intel IPP support 2023-12-27 12:24:19 -07:00
Lealem Amedie dd55cdbea8 Initialize variables to NULL 2023-12-18 16:51:51 -07:00
Sean Parkinson 4870435604 RSA PSS OpenSSL compatibility verification: support AUTO
When wolfSSL_RSA_verify_PKCS1_PSS() called with RSA_PSS_SALTLEN_AUTO
(RSA_PSS_SALTLEN_MAX_SIGN) it wasn't using RSA_PSS_SALT_LEN_DISCOVER
when available.
2023-11-02 11:24:18 +10:00
David Garske 3cebf35b1b Cleanups for IDE/WIN10 user_settings.h to allow for FIPS 140-2 3389 cert. Fixed compiler warning with possible use of uninitialized data. 2023-10-12 12:04:51 -07:00
Dimitri Papadopoulos 6d9c85a762 Fix typos found by codespell 2023-07-27 23:38:44 +02:00
Juliusz Sosinowicz 4a175ba280 Updates for Kerberos 5 1.21.1
- wolfssl_ec_point_mul: fix parameters being passed into ec_mul2add
- Compile in compressed ecc key parsing for OPENSSLALL
- Improve debugging around compat layer ecc operations
- wolfSSL_BN_div: dv can be NULL
- Add spake like computation test
- Add CI krb5 testing
- Add timeouts to CI
2023-07-26 16:40:38 +02:00
JacobBarthelmeh 1285ae7816 Merge pull request #6506 from DimitriPapadopoulos/codespell
Fix typos found by codespell
2023-07-24 10:34:29 -06:00
David Garske f00b5c3a1e Merge pull request #6537 from SparkiDev/sm
SM2/SM3/SM4: Chinese cipher support
2023-07-04 10:03:37 -07:00
Dimitri Papadopoulos 50752f5a2b Fix typos found by codespell 2023-07-04 07:21:27 +02:00
Sean Parkinson e2424e6744 SM2/SM3/SM4: Chinese cipher support
Add support for:
 - SM2 elliptic curve and SM2 sign/verify
 - SM3 digest
 - SM4 cipher with modes ECB/CBC/CTR/GCM/CCM

Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
2023-07-04 13:36:28 +10:00
Juliusz Sosinowicz 8ab0050801 Init windows CRL monitor 2023-07-03 14:02:51 +02:00
Sean Parkinson e467112a93 Test api.c: change more tests to use Expect instead of Assert
Changed EXPECT_DECL to start of as TEST_SKIPPED.
Modified other EXPECT macros appropriately.
Change test functions to not use 'res' when EXPECT_DECL is used.

memory.c:
  wc_MemFailCount_Init(): don't declare variable after a statement

conf.c:
wolfSSL_TXT_DB_read(): free the whole WOLFSSL_TXT_DB on failure
instead of just the memory
wolfSSL_CONF_add_string(): pop the value added into section->value
(sk) if it can't be pushed onto conf->data
  wolfSSL_NCONF_load(): free the new value if it wasn't able to be added

ocsp.c:
  wolfSSL_OCSP_cert_to_id():
free the decoded certificate if parsing failed (is freed after use
otherwise)
free the certificate id on failure and make it NULL and continue
freeing other variables

pk.c:
wolfSSL_RSA_set0_crt_params(): set dmp1, dmq1 and iqmp fields to NULL
if setting the internal failed - returns error and caller needs to free
the passed in BNs
wolfSSL_RSA_set0_factors(): set p and q fields to NULL if setting the
internal failed - returns error and caller needs to free the passed in
BNs
wolfSSL_RSA_set0_key(): set n, e abd d fields to NULL if setting the
internal failed - returns error and caller needs to free the passed in
BNs

x509.c:
wolfSSL_X509_set_serialNumber(): explicit NULL
checkwolfSSL_X509_REQ_add1_attr_by_NID(): check whether push succeeded
and on failure free attribute

asn.c:
ConfirmSignature(): for DSA, allocate separately to ensure no leak on
memory allocation failure.

dh.c:
wc_DhGenerateParams(): ensure tmp and tmp2 are able to be cleared on
error

evp.c:
wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(): fix realloc use to no leak on
failure
  wolfSSL_EVP_CIPHER_CTX_iv_length(): handle ctx being NULL.
2023-06-22 08:21:17 +10:00
JacobBarthelmeh 84979900a7 avoid use after free in error case 2023-06-07 15:13:13 -06:00
Sean Parkinson b62e0b7ceb Fix type conversion warnings by gcc 2023-06-01 14:21:41 +10:00
Lealem Amedie 98522fa39d Only clear last ASN_PEM_NO_HEADER error 2023-05-24 14:17:46 -06:00
Lealem Amedie 34c12789c9 CMake: add option to enable asio 2023-05-24 12:46:11 -06:00
Sean Parkinson d2afe9e5e0 Memory usage improvements
ECC: make private key field 'k' able to be smaller when ALT_ECC_SIZE is
defined.
WOLFSSL_SMALL_STACK_CACHE: allocate temps using new macros.
2023-05-04 10:26:57 +10:00
Sean Parkinson 673d72a2dc OpenSSL EC API: fix setting private key
wolfSSL_EC_KEY_set_private_key() should fail on obvious bad private key
values.
2023-04-24 17:59:32 +10:00
JacobBarthelmeh 9a0934161d fix for wpas build with x509 small 2023-04-13 10:38:12 -07:00
Daniel Pouzzner 3468750bae wolfcrypt/src/asn.c:
* refactor error-checking cascade in wc_PemCertToDer_ex() as in wc_PemPubKeyToDer_ex(),
 * refactor staticBuffer gating/dynamics in wc_PemPubKeyToDer_ex() as in wc_PemCertToDer_ex(),
 * and use IO_FAILED_E, not BUFFER_E, for I/O errors on the file handles, in both routines;

fix smallstack null pointer dereferences in src/pk.c:wolfSSL_RSA_GenAdd() and src/ssl.c:set_curves_list().
2023-04-06 14:31:53 -05:00