Sean Parkinson
f6da3a26ac
Ref counting: rework for static analysers
...
When always reference counting APIs always return 0 don't check return
value for error.
Reference decrement set isZero to false on error.
2023-02-03 10:13:32 +10:00
Sean Parkinson
447991a9c2
Merge pull request #5949 from JacobBarthelmeh/Testing
...
add pragram around sanity check for vcpkg build warning
2023-02-02 10:34:14 +10:00
Sean Parkinson
53dfcd00e2
Ref count: change to use wolfSSL_Ref
...
Data structures changed:
WOLFSSL_CERT_MANAGER, WOLFSSL_CTX, WOLFSSL_SESSION, WOLFSSL_X509,
WOLFSSL_X509, WOLFSSL_EVP_PKEY, WOLFSSL_BIO, WOLFSSL_X509_STORE
2023-01-23 16:29:12 +10:00
tmael
9d73c197e6
Move X509_V errors from enums to defines for HAProxy CLI ( #5901 )
...
* Move X509_V errors to openssl/ssl.h
* Have X509_V define errors in wolfssl/ssl.h
* Refactor X509_V errors
* Add wolfSSL_SESSION_set1_id_*
* Fix overlong line
2023-01-20 17:50:26 -08:00
JacobBarthelmeh
fc19aed8c8
Merge pull request #5623 from dgarske/hpke
...
Adds support for TLS v1.3 Encrypted Client Hello (ECH) and HPKE (Hybrid Public Key Encryption)
2023-01-19 10:03:28 -07:00
David Garske
6b6ad38e4f
Adds support for TLS v1.3 Encrypted Client Hello (ECH) draft-ietf-tls-esni) and HPKE (Hybrid Public Key Encryption) RFC9180.
2023-01-18 11:37:27 -08:00
David Garske
41c35b1249
Fix line length and whitespace issues. Fix macro argument missing parentheses.
2023-01-18 11:10:19 -08:00
Juliusz Sosinowicz
50cb3a7b8c
Address code review
2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz
281bb32edf
DtlsMsgCreateFragBucket: heap param might be unused
2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz
a58e83847e
Don't allocate Suites object on renegotiation
2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz
2f63fdc6ce
Allocate CTX->suites in InitSSL when not already allocated
2023-01-18 09:55:33 -08:00
Juliusz Sosinowicz
5b8026899b
Refactor SigAlgs to use a custom struct that can override ssl->suites
2023-01-18 09:55:32 -08:00
Juliusz Sosinowicz
e431688ca6
ssl->suites: use ssl->ctx->suites when possible
...
- Allocate ssl->suites when necessary for the WOLFSSL object to have its own instance. Use AllocateSuites() to allocate the object.
- Move cipher negotiation options from Suites into Options
ZD15346
2023-01-18 09:55:32 -08:00
Juliusz Sosinowicz
b01e42a96c
Merge pull request #5970 from ejohnstown/dtls-seq
...
DTLS Handshake Sequence
2023-01-16 07:39:53 -08:00
John Safranek
af379f0a0f
DTLS Handshake Sequence
...
The DTLS server needs to save the message_seq number of the client
hello for use in both the hello verify request in the stateless start
and for the server hello. Move the stashing of the value earlier in
DoClientHello(). (Issue #5224 )
2023-01-12 20:43:05 -08:00
JacobBarthelmeh
99a489dec3
improve test and handling of public key type cipher suite string
2023-01-06 09:53:51 -08:00
JacobBarthelmeh
a3e085f204
very basic support for public key types in cipher list string with '+'
2023-01-04 10:49:18 -08:00
JacobBarthelmeh
114471d6cf
add pragram around sanity check for vcpkg build warning
2023-01-03 15:23:43 -08:00
Jacob Barthelmeh
9dcc48c8f7
update copyright to 2023
2022-12-30 17:12:11 -07:00
Anthony Hu
b3e99348cd
Purge the AES variant of Dilithium
2022-12-27 14:37:47 -05:00
David Garske
135b9f0566
Merge pull request #5915 from julek-wolfssl/dtls-remove-realloc-dep
...
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-22 17:01:31 -08:00
Juliusz Sosinowicz
2fe6555fcf
DtlsMsgCombineFragBuckets: Remove realloc dependency
2022-12-20 13:53:03 +01:00
Juliusz Sosinowicz
53b2be06d3
DtlsMsgPoolSend: Use correct sendSz
...
pool->sz is the size without the record header. The handshake header is present already.
Reproducible with
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
or
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
and
./examples/server/server -l ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305 -u -i
./examples/client/client -l ECDHE-RSA-AES256-GCM-SHA384 -u -R -p 12345 -i
2022-12-19 17:07:37 +01:00
Stefan Eissing
dccabc60a5
Disabling TLSv1.2 session tickets when WOLFSSL_OP_NO_TICKET is being set.
...
There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets
for TLS version lower than 1.2. But it includes 1.2 as well.
2022-12-16 09:29:44 +01:00
David Garske
a1e883b43d
Merge pull request #5875 from JacobBarthelmeh/Compatibility-Layer
...
fix for handling DEFAULT:... cipher suite list
2022-12-12 14:43:50 -08:00
Sean Parkinson
9ab8867b42
TLS: detect duplicate known extensions
...
TLS specification requires that there not be more than one extension of
the same type in a given extension block. E.g. ClientHello
2022-12-12 08:35:04 +10:00
JacobBarthelmeh
8b296877ab
fix for handling DEFAULT:... cipher suite list
2022-12-10 14:53:43 -08:00
Marco Oliverio
af00c89f18
dtls v1.2: stateless support WOLFSSL_DTLS_NO_HVR_ON_RESUME
2022-12-01 16:30:54 +00:00
Marco Oliverio
cc7dad3ee6
dtls v1.2: support stateless client hello processing
2022-12-01 16:30:54 +00:00
Marco Oliverio
5bc86b8c2c
fix: dtls: always use version DTLS 1.0 in HelloVerifyRequest
...
see rfc6347 section 4.2.1
2022-12-01 16:30:54 +00:00
Marco Oliverio
4fa1b9dd0a
fix: AddRecordHeader: use correct minor when using DTLS
2022-12-01 16:30:54 +00:00
Marco Oliverio
173208728a
fix: tls13: hash using right version when downgrading
2022-12-01 16:30:54 +00:00
Marco Oliverio
2c35d7f9d2
fix: formatting and typos
...
dtls: fix debug message when downgrading
internal.c: fix typo
2022-12-01 16:30:53 +00:00
Stefan Eissing
e5cfd96609
QUIC API support in OpenSSL compat layer, as needed by HAProxy integration.
...
- adding patch for HAProxy, see dod/QUIC.md, based on current master.
For documentaton purposes, since HAProxy does not accept PRs. To be
removed once forwarded to the project.
2022-12-01 10:12:35 +01:00
Sean Parkinson
cf8ea5c606
Merge pull request #5812 from ejohnstown/crl-ocsp
...
OCSP/CRL
2022-11-24 12:42:17 +10:00
John Safranek
88f3570fe4
OCSP/CRL
...
Added comments for the usage of OCSP_WANT_READ used with the CRL I/O
callback.
2022-11-23 16:35:10 -08:00
John Safranek
909fd726cd
OCSP/CRL
...
Fixing issue #3070 . When the OCSP responder returns an unknown exception,
continue through to checking the CRL. Before, it was setting the flag
to check CRL, then clearing it because of the exception.
2022-11-23 10:50:12 -08:00
Anthony Hu
f3546b50fd
Conform to pre-existing pattern.
2022-11-23 17:58:12 +00:00
Anthony Hu
6190666108
Support for Analog Devices MAXQ1080 and MAXQ1065
2022-11-23 11:57:31 -05:00
Daniel Pouzzner
6f98a5b271
src/internal.c: in VerifyServerSuite(), narrow condition and fix return value in error check added in 647ce794dd.
2022-11-18 22:21:08 -06:00
David Garske
bd7b442df3
Merge pull request #5796 from tmael/mem_err
...
Propagate malloc returning NULL up the call stack
2022-11-16 12:45:42 -08:00
Tesfa Mael
2a2cf5671e
Move error check in CompareSuites
2022-11-16 09:29:24 -08:00
Tesfa Mael
647ce794dd
unmask malloc returning NULL
2022-11-16 09:25:25 -08:00
jordan
81ed2a60b4
Support ASN1/DER CRLs in LoadCertByIssuer.
...
This fixes hash based dir lookup of ASN1/DER CRLs in OpenSSL
compatible API. The function wolfSSL_X509_load_crl_file is
called with entry->dir_type, rather than hardcoded filetype.
A new test crl was added, and existing crl 0fdb2da4.r0 was
reorganized to a new dir.
Also, completes the stub wolfSSL_X509_LOOKUP_add_dir. A new
test function test_X509_LOOKUP_add_dir was added to tests/api.c
2022-11-11 15:13:00 -06:00
David Garske
f4621a6807
Merge pull request #5786 from philljj/zd15125
...
Fix incorrect self signed error return.
2022-11-10 14:13:38 -08:00
jordan
5ad6ff23d5
Use local int lastErr instead of args->lastErr.
2022-11-10 13:46:51 -06:00
David Garske
57ae840f39
Fix for test_wolfSSL_sk_CIPHER_description incorrectly failing with TLS v1.3 NULL cipher.
2022-11-09 12:05:16 -08:00
jordan
961c696436
Fix incorrect self signed error return.
...
ASN_SELF_SIGNED_E was being overwritten with ASN_NO_SIGNER_E when
compiled with certreq and certgen.
2022-11-09 10:27:31 -06:00
Hayden Roche
4a917219f7
Merge pull request #5608 from SparkiDev/pk_c_rework_2
2022-11-04 13:32:36 -07:00
Sean Parkinson
4efba8f437
ForceZero fix: encryption fail and not EtM
...
Zeroizing of plaintext on encryption failure will use wrong size when
not using Encrypt-then-MAC. Size may go negative and cast to unsigned.
2022-10-31 09:14:16 +10:00