Commit Graph

3251 Commits

Author SHA1 Message Date
toddouska ed80cf4f4d Merge pull request #2009 from JacobBarthelmeh/Testing
fix for some warnings and edge case build
2019-01-02 12:38:51 -08:00
toddouska 71bc571a8a Merge pull request #2000 from kojo1/EVP_CipherInit
EVP_CipherInit: allow NULL iv, key for openSSL compatibility
2019-01-02 12:04:38 -08:00
Jacob Barthelmeh a1459f6fec fix build when QSH is enabled and TLS 1.3 is enabled 2018-12-28 17:16:34 -07:00
David Garske 2351047409 Fixes for various scan-build reports. 2018-12-27 11:08:30 -08:00
David Garske 1eccaae25f Fix for DTLS async shrinking input buffer too soon and causing -308 (INCOMPLETE_DATA). 2018-12-27 11:07:32 -08:00
toddouska 697c99a9ec Merge pull request #1934 from dgarske/fix_alt_chain
Fixes and cleanups for processing peer certificates
2018-12-26 15:09:42 -08:00
Takashi Kojo f97696a546 AesSetKey_ to AesSetKey_ex 2018-12-26 13:52:41 +09:00
Takashi Kojo 0c828d14a0 Name conficted. filter out with NO_AES 2018-12-24 17:27:41 +09:00
Takashi Kojo ae09fbe8a2 EVP_CipherInit: allow NULL iv for openSSL compatibility 2018-12-24 12:00:21 +09:00
Jacob Barthelmeh 6191cb1927 free internal OCSP buffers 2018-12-21 12:30:49 -07:00
David Garske 9733076fe0 Fixes and cleanups for processing peer certificates:
* Fix with `WOLFSSL_ALT_CERT_CHAINS` to resolve issue with using a trusted intermediate to validate a partial chain. With the alt cert chain enabled a CA may fail with only `ASN_NO_SIGNER_E` and the connection is allowed if the peer's certificate validates to a trusted CA. Eliminates overly complex 1 deep error alternate chain detection logic. Resolves ZD 4525.
* Refactor and cleanup of ProcessPeerPerts to combine duplicate code and improve code commenting.
* Fix for CA path len check in `ParseCertRelative` to always check for self-signed case (was previously only in NO_SKID case).
* Improvement to include self-signed flag in the DecodedCert struct.
2018-12-21 08:20:04 -08:00
David Garske 3e31115654 Merge pull request #1993 from JacobBarthelmeh/Testing
Release Testing
2018-12-20 16:19:17 -08:00
Jacob Barthelmeh d3274e28e8 fix for hash types with fips windows opensslextra build 2018-12-20 14:22:35 -07:00
Jacob Barthelmeh 5d2d370bd5 fix for scan-build warning 2018-12-20 11:40:20 -07:00
Jacob Barthelmeh 164a762088 fix afalg/cryptodev + opensslextra build 2018-12-20 10:52:17 -07:00
Sean Parkinson eba11e097a Fix HelloRetryRequest to be sent immediately and not grouped 2018-12-20 16:41:38 +10:00
Jacob Barthelmeh fc926d3c61 fixes from infer testing 2018-12-19 11:56:29 -07:00
toddouska 4068975190 Merge pull request #1983 from dgarske/x509small_verifycb
Include current cert as X509 in verify callback for small build
2018-12-18 15:40:00 -08:00
toddouska 0a6732ee67 Merge pull request #1979 from SparkiDev/tls_sh_tlsx_parse
Fix TLS 1.2 and below ServerHello TLSX_Parse to pass in message type
2018-12-18 15:39:12 -08:00
toddouska 4a170c0399 Merge pull request #1971 from SparkiDev/tls13_old_hello
Don't expect old ClientHello when version is TLS 1.3
2018-12-18 15:38:44 -08:00
toddouska f1c62f191d Merge pull request #1941 from ejohnstown/rekey
Server Side Secure Renegotiation
2018-12-18 15:38:16 -08:00
David Garske 443dbf251b Fix to supply the X509 current_cert in the verify callback with OPENSSL_EXTRA_X509_SMALL defined or ./configure --enable-opensslextra=x509small. 2018-12-17 13:02:14 -08:00
Sean Parkinson c628562ee7 Fix the Old ClientHello detection with TLS 1.3 with new state
Put the clientState into CLIENT_HELLO_RETRY (new state) when waiting for
second ClientHello.
Chrome sends change_cipher_spec message, for reasons of compatability,
which meets the requirements of the Old ClientHello detection when state
of client is NULL.
2018-12-13 17:06:00 +10:00
Sean Parkinson f90e5601ad Fix TLS 1.2 and below ServerHello TLSX_Parse to pass in message type 2018-12-13 16:12:53 +10:00
John Safranek f715d9179c Add check for buffer size versus pad size in DoCertificateStatus() 2018-12-12 12:48:30 -08:00
Sean Parkinson c844b1c253 ALPN is returned in ServerHello when downgrading from TLS 1.3
TLS 1.3 Specification has extension returned in EncryptedExtensions.
2018-12-11 19:01:49 +10:00
John Safranek dc82beea4e Mongoose Update
1. Add a couple more OpenSSL compatibility layer functions to the the HAVE_WEBSERVER option.
2018-12-10 11:28:32 -08:00
John Safranek bc4150af2c Mongoose Update
1. HAVE_WEBSERVER option turns on a couple more functions that MG is
using for client side authentication.
2. If using webserver, those functions return and error.
2018-12-10 11:28:32 -08:00
toddouska 6dfc723961 Merge pull request #1959 from SparkiDev/tls13_ems_down
Send EMS extension in ClientHello when downgradable from TLSv1.3
2018-12-06 07:42:55 -08:00
Sean Parkinson 1d5b99eecc Send EMS extension in ClientHello when downgradable from TLSv1.3 2018-12-06 09:41:22 +10:00
Sean Parkinson ab03f9291b Make RsaUnPad constant time when Block Type 2 message 2018-12-06 08:36:49 +10:00
John Safranek b145aab6b2 Server Side Renegotiation
1. Fix testing issue with a client using the SCSV cipher suite to indicate desire for renegotiation.
2. Add indication to both the server and client examples that the renegotiation was successful.
2018-12-05 13:08:24 -08:00
John Safranek ec76ab7e42 Server Side Renegotiation
1. Add an extra guard check around a call to SendHelloRequest() in the case where server renegotiation is disabled.
2. Replaced an accidental deletion of an include of the misc.h header for no inline builds.
2018-12-05 13:08:24 -08:00
John Safranek 69436b6d41 Server Side Secure Renegotiation
1. Fix spelling typo in a comment.
2. Correct the server's check of its secure renegotiation extension.
2018-12-05 13:08:24 -08:00
John Safranek 0abf7c4997 Server Side Secure Renegotiation
1. Add the server side renegotiation flag to the secure renegotiation option.
2. Changed the AddEmptyNegotiationInfo so it doesn't create an extension, just adds a reply if SCR is enabled.
3. Fix the server's reaction to the client sending the SCR extension.
2018-12-05 13:08:24 -08:00
John Safranek 175c91ab4e Server Side Secure Renegotiation
1. Fix an incorrect function entry log string.
2. Restart the server's accept state assuming the client hello was
received when the client initiates renegotiation.
2018-12-05 13:08:24 -08:00
John Safranek d168d60ade Server Side Secure Renegotiation
1. Add enables to the example server for turning on secure renegotiation.
2. Add encryption assists to the handhshake message handler functions.
3. Add a hello request message function. Includes handshake timing pre/postambles.
2018-12-05 13:08:24 -08:00
toddouska 74eadf556e Merge pull request #1946 from ejohnstown/dh-speedup
DHE Speed Up
2018-12-05 12:22:21 -08:00
Jacob Barthelmeh d90e66da80 remove restriction on max key size with wolfSSL_DH_generate_key 2018-12-04 16:20:31 -07:00
John Safranek a55f11cdd8 DHE Speed Up
1. Also apply the setting to the client side.
2. Updated the server and client command line options to use "-2" for disabling the DHE check.
2018-12-03 13:56:14 -08:00
John Safranek ff1a1dc5d5 DHE Speed Up
When loading DH domain parameters into a CTX, test the prime
immediately. When loading them into a session, test the prime right
before using it during the handshake. Sessions that get their prime from
their context do not need to test their prime. Added a function to
disable testing the prime in a session. The goal is to speed up testing
as every single test case loads DH parameters whether they are used or
not.
2018-11-29 17:04:04 -08:00
toddouska 8c0a55d43b Merge pull request #1939 from cconlon/selftestfix
exclude wolfSSL_EC_POINT_point2hex() in CAVP selftest build
2018-11-28 13:13:25 -08:00
toddouska 70305758d4 Merge pull request #1942 from SparkiDev/asn_trad_fix
Return ToTraditional API to original signature
2018-11-28 08:08:26 -08:00
toddouska 2827ef6a57 Merge pull request #1938 from SparkiDev/tls13_ext
Check for TLS 1.3 version in the method for extenstions.
2018-11-28 08:05:42 -08:00
Sean Parkinson 310ffd0045 Check for TLS 1.3 version in the method for extenstions.
During parsing of ClientHello, ServerHello and HelloRetryRequest, the
SSL object version may not be set to the negotiated version.
2018-11-28 14:59:43 +10:00
Sean Parkinson 918c769284 Return ToTraditional API to original signature 2018-11-28 12:27:57 +10:00
Chris Conlon a5e3b18252 exclude wolfSSL_EC_POINT_point2hex() in CAVP selftest build 2018-11-27 09:12:55 -08:00
toddouska 55bbffe3c6 Merge pull request #1932 from dgarske/maxfrag_reconf
Post-handshake max fragment size adjustment
2018-11-26 13:27:26 -08:00
toddouska 3afa9a3886 Merge pull request #1929 from ejohnstown/sniffer
Sniffer Updates
2018-11-26 13:24:31 -08:00
John Safranek 96b4ddad82 Sniffer Update
1. Collect the SSL Info capture into its own function.
2. Add a Trace function for the SSL Info.
3. When copying the IANA name for the cipher suite, use a strncpy
instead of a memcpy and cap the copy at the length of the destination.
Force a null terminator at the end of the destination, just in case.
4. Modify the snifftest to collect the SSL Info.
2018-11-21 11:29:28 -08:00