Commit Graph

2612 Commits

Author SHA1 Message Date
Sean Parkinson f6da3a26ac Ref counting: rework for static analysers
When always reference counting APIs always return 0 don't check return
value for error.
Reference decrement set isZero to false on error.
2023-02-03 10:13:32 +10:00
Sean Parkinson 447991a9c2 Merge pull request #5949 from JacobBarthelmeh/Testing
add pragram around sanity check for vcpkg build warning
2023-02-02 10:34:14 +10:00
Sean Parkinson 53dfcd00e2 Ref count: change to use wolfSSL_Ref
Data structures changed:
WOLFSSL_CERT_MANAGER, WOLFSSL_CTX, WOLFSSL_SESSION, WOLFSSL_X509,
WOLFSSL_X509, WOLFSSL_EVP_PKEY, WOLFSSL_BIO, WOLFSSL_X509_STORE
2023-01-23 16:29:12 +10:00
tmael 9d73c197e6 Move X509_V errors from enums to defines for HAProxy CLI (#5901)
* Move X509_V errors to openssl/ssl.h

* Have X509_V define errors in wolfssl/ssl.h

* Refactor X509_V errors

* Add wolfSSL_SESSION_set1_id_*

* Fix overlong line
2023-01-20 17:50:26 -08:00
JacobBarthelmeh fc19aed8c8 Merge pull request #5623 from dgarske/hpke
Adds support for TLS v1.3 Encrypted Client Hello (ECH) and HPKE (Hybrid Public Key Encryption)
2023-01-19 10:03:28 -07:00
David Garske 6b6ad38e4f Adds support for TLS v1.3 Encrypted Client Hello (ECH) draft-ietf-tls-esni) and HPKE (Hybrid Public Key Encryption) RFC9180. 2023-01-18 11:37:27 -08:00
David Garske 41c35b1249 Fix line length and whitespace issues. Fix macro argument missing parentheses. 2023-01-18 11:10:19 -08:00
Juliusz Sosinowicz 50cb3a7b8c Address code review 2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz 281bb32edf DtlsMsgCreateFragBucket: heap param might be unused 2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz a58e83847e Don't allocate Suites object on renegotiation 2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz 2f63fdc6ce Allocate CTX->suites in InitSSL when not already allocated 2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz 5b8026899b Refactor SigAlgs to use a custom struct that can override ssl->suites 2023-01-18 09:55:32 -08:00
Juliusz Sosinowicz e431688ca6 ssl->suites: use ssl->ctx->suites when possible
- Allocate ssl->suites when necessary for the WOLFSSL object to have its own instance. Use AllocateSuites() to allocate the object.
- Move cipher negotiation options from Suites into Options

ZD15346
2023-01-18 09:55:32 -08:00
Juliusz Sosinowicz b01e42a96c Merge pull request #5970 from ejohnstown/dtls-seq
DTLS Handshake Sequence
2023-01-16 07:39:53 -08:00
John Safranek af379f0a0f DTLS Handshake Sequence
The DTLS server needs to save the message_seq number of the client
hello for use in both the hello verify request in the stateless start
and for the server hello. Move the stashing of the value earlier in
DoClientHello(). (Issue #5224)
2023-01-12 20:43:05 -08:00
JacobBarthelmeh 99a489dec3 improve test and handling of public key type cipher suite string 2023-01-06 09:53:51 -08:00
JacobBarthelmeh a3e085f204 very basic support for public key types in cipher list string with '+' 2023-01-04 10:49:18 -08:00
JacobBarthelmeh 114471d6cf add pragram around sanity check for vcpkg build warning 2023-01-03 15:23:43 -08:00
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Anthony Hu b3e99348cd Purge the AES variant of Dilithium 2022-12-27 14:37:47 -05:00
David Garske 135b9f0566 Merge pull request #5915 from julek-wolfssl/dtls-remove-realloc-dep
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-22 17:01:31 -08:00
Juliusz Sosinowicz 2fe6555fcf DtlsMsgCombineFragBuckets: Remove realloc dependency 2022-12-20 13:53:03 +01:00
Juliusz Sosinowicz 53b2be06d3 DtlsMsgPoolSend: Use correct sendSz
pool->sz is the size without the record header. The handshake header is present already.

Reproducible with
  ./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
or
  ./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
and
  ./examples/server/server -l ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305 -u -i
  ./examples/client/client -l ECDHE-RSA-AES256-GCM-SHA384 -u -R -p 12345 -i
2022-12-19 17:07:37 +01:00
Stefan Eissing dccabc60a5 Disabling TLSv1.2 session tickets when WOLFSSL_OP_NO_TICKET is being set.
There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets
for TLS version lower than 1.2. But it includes 1.2 as well.
2022-12-16 09:29:44 +01:00
David Garske a1e883b43d Merge pull request #5875 from JacobBarthelmeh/Compatibility-Layer
fix for handling DEFAULT:... cipher suite list
2022-12-12 14:43:50 -08:00
Sean Parkinson 9ab8867b42 TLS: detect duplicate known extensions
TLS specification requires that there not be more than one extension of
the same type in a given extension block. E.g. ClientHello
2022-12-12 08:35:04 +10:00
JacobBarthelmeh 8b296877ab fix for handling DEFAULT:... cipher suite list 2022-12-10 14:53:43 -08:00
Marco Oliverio af00c89f18 dtls v1.2: stateless support WOLFSSL_DTLS_NO_HVR_ON_RESUME 2022-12-01 16:30:54 +00:00
Marco Oliverio cc7dad3ee6 dtls v1.2: support stateless client hello processing 2022-12-01 16:30:54 +00:00
Marco Oliverio 5bc86b8c2c fix: dtls: always use version DTLS 1.0 in HelloVerifyRequest
see rfc6347 section 4.2.1
2022-12-01 16:30:54 +00:00
Marco Oliverio 4fa1b9dd0a fix: AddRecordHeader: use correct minor when using DTLS 2022-12-01 16:30:54 +00:00
Marco Oliverio 173208728a fix: tls13: hash using right version when downgrading 2022-12-01 16:30:54 +00:00
Marco Oliverio 2c35d7f9d2 fix: formatting and typos
dtls: fix debug message when downgrading

internal.c: fix typo
2022-12-01 16:30:53 +00:00
Stefan Eissing e5cfd96609 QUIC API support in OpenSSL compat layer, as needed by HAProxy integration.
- adding patch for HAProxy, see dod/QUIC.md, based on current master.
      For documentaton purposes, since HAProxy does not accept PRs. To be
      removed once forwarded to the project.
2022-12-01 10:12:35 +01:00
Sean Parkinson cf8ea5c606 Merge pull request #5812 from ejohnstown/crl-ocsp
OCSP/CRL
2022-11-24 12:42:17 +10:00
John Safranek 88f3570fe4 OCSP/CRL
Added comments for the usage of OCSP_WANT_READ used with the CRL I/O
callback.
2022-11-23 16:35:10 -08:00
John Safranek 909fd726cd OCSP/CRL
Fixing issue #3070. When the OCSP responder returns an unknown exception,
continue through to checking the CRL. Before, it was setting the flag
to check CRL, then clearing it because of the exception.
2022-11-23 10:50:12 -08:00
Anthony Hu f3546b50fd Conform to pre-existing pattern. 2022-11-23 17:58:12 +00:00
Anthony Hu 6190666108 Support for Analog Devices MAXQ1080 and MAXQ1065 2022-11-23 11:57:31 -05:00
Daniel Pouzzner 6f98a5b271 src/internal.c: in VerifyServerSuite(), narrow condition and fix return value in error check added in 647ce794dd. 2022-11-18 22:21:08 -06:00
David Garske bd7b442df3 Merge pull request #5796 from tmael/mem_err
Propagate malloc returning NULL up the call stack
2022-11-16 12:45:42 -08:00
Tesfa Mael 2a2cf5671e Move error check in CompareSuites 2022-11-16 09:29:24 -08:00
Tesfa Mael 647ce794dd unmask malloc returning NULL 2022-11-16 09:25:25 -08:00
jordan 81ed2a60b4 Support ASN1/DER CRLs in LoadCertByIssuer.
This fixes hash based dir lookup of ASN1/DER CRLs in OpenSSL
compatible API. The function wolfSSL_X509_load_crl_file is
called with entry->dir_type, rather than hardcoded filetype.

A new test crl was added, and existing crl 0fdb2da4.r0 was
reorganized to a new dir.

Also, completes the stub wolfSSL_X509_LOOKUP_add_dir. A new
test function test_X509_LOOKUP_add_dir was added to tests/api.c
2022-11-11 15:13:00 -06:00
David Garske f4621a6807 Merge pull request #5786 from philljj/zd15125
Fix incorrect self signed error return.
2022-11-10 14:13:38 -08:00
jordan 5ad6ff23d5 Use local int lastErr instead of args->lastErr. 2022-11-10 13:46:51 -06:00
David Garske 57ae840f39 Fix for test_wolfSSL_sk_CIPHER_description incorrectly failing with TLS v1.3 NULL cipher. 2022-11-09 12:05:16 -08:00
jordan 961c696436 Fix incorrect self signed error return.
ASN_SELF_SIGNED_E was being overwritten with ASN_NO_SIGNER_E when
compiled with certreq and certgen.
2022-11-09 10:27:31 -06:00
Hayden Roche 4a917219f7 Merge pull request #5608 from SparkiDev/pk_c_rework_2 2022-11-04 13:32:36 -07:00
Sean Parkinson 4efba8f437 ForceZero fix: encryption fail and not EtM
Zeroizing of plaintext on encryption failure will use wrong size when
not using Encrypt-then-MAC. Size may go negative and cast to unsigned.
2022-10-31 09:14:16 +10:00