Commit Graph

4605 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 248dd12993 Enable RSA-PSS padding in EVP_Digest* API 2020-11-17 15:04:57 +01:00
David Garske b931b1bd4d Fix to not allow free for globally cached sessions. Resolves a false-positive scan-build warning. 2020-11-12 12:51:41 -08:00
John Safranek e996a7d15b Scan-Build Fixes
1. Fixed a couple possible 0 byte allocations.
2. Fixed a couple missed frees due to error conditions.
3. Fixed a possible double free.

To recreate:
    $ scan-build ./configure --disable-shared --enable-opensslextra=x509small --disable-memory
    $ scan-build ./configure --disable-shared --enable-opensslextra --disable-memory
2020-11-12 09:06:59 -08:00
David Garske c7bb602a30 Merge pull request #3482 from douzzer/scan-build-fixes-20201110
scan-build fixes -- 1 null deref, 34 unused results
2020-11-12 07:45:45 -08:00
toddouska d3e3b21c83 Merge pull request #3393 from dgarske/zd11104
Fix for TLS ECDH (static DH) with non-standard curves
2020-11-11 14:22:37 -08:00
Daniel Pouzzner 5fe1586688 fix 34 deadcode.DeadStores detected by llvm11 scan-build. 2020-11-11 13:04:14 -06:00
David Garske fcd73135f5 Merge pull request #3479 from tmael/ocsp_NULL
Check <hash> input parameter in GetCA
2020-11-10 14:46:05 -08:00
Daniel Pouzzner 958fec3b45 internal.c:ProcessPeerCerts(): fix a core.NullDereference detected by llvm9 and llvm11 scan-builds. 2020-11-10 16:40:28 -06:00
David Garske 8645e9754e Only set ssl->ecdhCurveOID if not already populated. 2020-11-10 09:47:38 -08:00
David Garske 1d531fe13b Peer review fixes. 2020-11-10 09:47:37 -08:00
David Garske 5de80d8e41 Further refactor the minimum ECC key size. Adds --with-eccminsz=BITS option. Fix for FIPSv2 which includes 192-bit support. If WOLFSSL_MIN_ECC_BITS is defined that will be used. 2020-11-10 09:47:37 -08:00
David Garske 6bd98afdd0 Only allow TLS ECDH key sizes < 160-bits if ECC_WEAK_CURVES is defined. 2020-11-10 09:47:37 -08:00
David Garske c697520826 Disable ECC key sizes < 224 bits by default. Added --enable-eccweakcurves or ECC_WEAK_CURVES to enable smaller key sizes. Currently this option is automatically enabled if WOLFSSL_MIN_ECC_BITS is less than 224-bits. 2020-11-10 09:47:36 -08:00
David Garske 62dca90e74 Fix for server-side reporting of curve in wolfSSL_get_curve_name if client_hello includes ffdhe, but ECC curve is used. 2020-11-10 09:47:36 -08:00
David Garske d7dee5d9e6 Fix for ECC minimum key size, which is 112 bits. 2020-11-10 09:47:36 -08:00
David Garske fb9ed686cb Fix for TLS with non-standard curves. The generted ECC ephemeral key did not use the same curve type as peer. Only the server was populating ssl->ecdhCurveOID. Now the curveOID is populated for both and as a fail-safe the peer key curve is used as default (when available). 2020-11-10 09:47:36 -08:00
David Garske bfb6138fc5 Merge pull request #3480 from douzzer/fix-sniffer-printf-null-Wformat-overflow
TraceSetNamedServer() null arg default vals; FIPS wc_MakeRsaKey() PRIME_GEN_E retries; external.test config dependencies
2020-11-10 09:37:36 -08:00
Daniel Pouzzner bd38124814 ssl.c: refactor wolfSSL_RSA_generate_key() and wolfSSL_RSA_generate_key_ex() to retry failed wc_MakeRsaKey() on PRIME_GEN_E when -DHAVE_FIPS, matching non-FIPS behavior, to eliminate exposed nondeterministic failures due to finite failCount. 2020-11-09 21:24:34 -06:00
toddouska 3050f28890 Merge pull request #3467 from cconlon/rc2vs
rc2.c to Visual Studio projects, fix warnings
2020-11-09 13:52:03 -08:00
David Garske f02c3aab2e Merge pull request #3475 from ejohnstown/nsup
Hush Unused Param Warning
2020-11-09 11:04:05 -08:00
David Garske 7e3efa3792 Merge pull request #3474 from douzzer/lighttpd-update-1.4.56
lighttpd support update for v1.4.56
2020-11-09 09:24:58 -08:00
Tesfa Mael a5caf1be01 Check for NULL 2020-11-09 08:45:48 -08:00
Daniel Pouzzner 22bcceb2d3 src/sniffer.c: guard against null arguments to TraceSetNamedServer(), to eliminate -Werror=format-overflow= warnings from gcc. 2020-11-06 17:40:12 -06:00
John Safranek 884a9b59ab Merge pull request #3461 from dgarske/fips_ready_wopensslextra
Fix for FIPS ready with openssl compat
2020-11-06 13:14:06 -08:00
toddouska b4e7f196df Merge pull request #3470 from SparkiDev/config_fix_3
TLS configurations fixes
2020-11-06 10:35:51 -08:00
John Safranek abd6f6ce18 Hush Unused Param Warning
Removed a guard check for NO_WOLFSSL_STUB from wolfSSL_X509_print_ex().
To recreate:

    $ ./configure --enable-opensslextra CPPFLAGS="-DNO_WOLFSSL_STUB"
    $ make
2020-11-06 10:30:47 -08:00
toddouska f3d961b1b1 Merge pull request #3453 from dgarske/ZD11159
Fix for possible memory leak when overriding error for verify callback
2020-11-06 10:18:52 -08:00
Hayden Roche 2cad844d29 Merge pull request #3421 from dgarske/apache_httpd
Apache httpd w/TLS 1.3 support
2020-11-06 12:14:58 -06:00
David Garske 0d2e28ce80 Fix for error: unused function 'MonthStr' 2020-11-06 10:11:48 -08:00
Daniel Pouzzner 4030523eb5 ssl.c: remove duplicate definition of wolfSSL_CTX_check_private_key(). 2020-11-05 21:57:33 -06:00
Glenn Strauss 92c3296e13 preprocessor -DNO_BIO to omit OpenSSL BIO API 2020-11-05 20:40:43 -06:00
Glenn Strauss daca327ba3 expose (get|set)_(app|ex)_data with HAVE_EX_DATA
when OPENSSL_EXTRA_X509_SMALL is set
2020-11-05 20:40:43 -06:00
Glenn Strauss d01616a357 unhide some non-fs funcs hidden by NO_FILESYSTEM 2020-11-05 20:40:43 -06:00
Glenn Strauss f4e2db831e enable SNI_Callback for lighttpd 2020-11-05 20:40:43 -06:00
Glenn Strauss be7592fb43 implement wolfSSL_dup_CA_list()
wolfSSL_dup_CA_list() duplicates a WOLF_STACK_OF(WOLFSSL_X509_NAME)

(replaces stub function)
2020-11-05 20:40:43 -06:00
Glenn Strauss 503de43cbd build updates for lighttpd
Update configure.ac and various #ifdefs to enable WolfSSL to
build features for use by lighttpd.

Change signature of wolfSSL_GetVersion() to take const arg.
Pass (const WOLFSSL*) to wolfSSL_GetVersion() for use with
SSL_CTX_set_info_callback(), where OpenSSL callback takes (const SSL *)
2020-11-05 20:40:43 -06:00
David Garske 1dc7293b19 Fix the return code. openssl uses void on these, but let's go ahead and do a return code. 2020-11-05 09:31:12 -08:00
Daniel Pouzzner 5751319e00 fix various possibly spurious scan-build null deref reports. 2020-11-04 23:11:42 -06:00
Sean Parkinson 8a42ee7ffd TLS configurations fixes
--enable-leanpsk --disable-tls13:
    ensure WriteSEQ is defined when !WOLFSSL_NO_TLS12 (tls.c)

CFLAGS=-DWOLFSSL_NO_CLIENT_AUTH -disable-tls13"
TLS server was expecting certificate from peer when verifyPeer is
set. Fix with checks for !WOLFSSL_NO_CLIENT_AUTH.
2020-11-05 12:21:19 +10:00
David Garske 3b4ec74174 Fixes for openssl compatibility. Added SSL_CTX_set_post_handshake_auth and SSL_set_post_handshake_auth API's for enabling or disabling post handshake authentication for TLS v1.3. 2020-11-04 15:05:50 -08:00
David Garske eb19306f16 Merge pull request #3459 from haydenroche5/sniffer_fixes
Fix a couple of issues related to the sniffer.
2020-11-04 14:09:43 -08:00
Chris Conlon 6953049305 fix Visual Studio type conversion warnings 2020-11-04 11:11:40 -07:00
Hayden Roche 3b1c536418 Fix a couple of issues related to the sniffer.
- Fix an issue in sniffer.c where some pointer math was giving a warning.
- Fix an issue in snifftest.c where a local variable was never read.
- Ignore non-TCP/IP packets in snifftest.c. Fixes some tests with pcaps with
  other types of packets.
2020-11-04 10:46:11 -06:00
toddouska 9f9901e10e Merge pull request #3417 from douzzer/fix-ipv6-ocsp-tests
Fix ipv6 ocsp tests
2020-11-03 14:38:32 -08:00
David Garske d6b219bd38 Fix for ./configure --enable-fips=ready --enable-opensslextra. 2020-11-03 14:23:08 -08:00
David Garske 89c39dcfe5 Fix for possible memory leak when overriding error for verify callback on cert 0 (peer) if OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL and KEEP_PEER_CERT is not defined. 2020-11-02 12:04:56 -08:00
Chris Conlon 54fe98716d Merge pull request #3415 from kojo1/config-options
Config options
2020-10-30 11:55:11 -06:00
Daniel Pouzzner a5d96721ac wolfcrypt/src: remove wc_debug.c and move its contents to logging.c. 2020-10-28 17:28:05 -05:00
Daniel Pouzzner 1ba0883f4c introspection tweaks: rename wolfcrypt/src/debug.c to wolfcrypt/src/wc_debug.c; restore BUILD_WC_DEBUG gating for autotools inclusion of wc_debug.o and disable opportunistically when ENABLED_LEANTLS, ENABLED_LEANPSK, or ENABLED_LOWRESOURCE; add HAVE_WC_INTROSPECTION gate for libwolfssl_configure_args() and libwolfssl_global_cflags(). 2020-10-28 17:28:05 -05:00
Daniel Pouzzner 8be2d7690a add API functions libwolfssl_configure_args() and libwolfssl_global_cflags() to retrieve build parameters at runtime. 2020-10-28 17:28:01 -05:00