wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-02-01 09:49:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,546 Commits 12 Branches 184 Tags
fc7533fe5e51bf263d8bb557566452dd33ac96fe
Commit Graph

2083 Commits

Author SHA1 Message Date
Juliusz Sosinowicz
fc7533fe5e Code review changes 2021-07-06 16:14:25 +02:00
Juliusz Sosinowicz
1acf906612 Code review changes 2021-07-06 15:39:23 +02:00
Juliusz Sosinowicz
6dfc702364 Correct serverDH_Pub length on renegotiation 
On a renegotiation the serverDH_Pub buffer may be too short. The previous DhGenKeyPair call may have generated a key that has a shorter binary representation (usually by one byte). Calling DhGenKeyPair with this shorter buffer results in a WC_KEY_SIZE_E error.
 2021-07-06 15:39:23 +02:00
Juliusz Sosinowicz
1b6b16c2c3 HaProxy 2.4-dev18 support 
*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
    - `STACK_TYPE_X509_OBJ`
    - `OCSP_id_cmp`
    - `X509_STORE_get0_objects`
    - `X509V3_EXT_nconf_nid`
    - `X509V3_EXT_nconf`
    - `X509_chain_up_ref`
    - `X509_NAME_hash`
    - `sk_X509_NAME_new_null`
    - `X509_OBJECT_get0_X509`
    - `X509_OBJECT_get0_X509_CRL`
    - `ASN1_OCTET_STRING_free`
    - `X509_LOOKUP_TYPE`
    - `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
    - WOLFSSL_CTX
        - Enable all compiled in protocols
        - Allow anonymous ciphers
        - Set message grouping
        - Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
    - Return first that occured
    - Set correct value on date error
    - Set revoked error on OCSP or CRL error
    - Save value in session and restore on resumption
    - Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
 2021-07-06 15:39:23 +02:00
Elms
75e807abc6 Fixes for gcc-10 and -fsanitize=undefined for rabbit.c 
* One introduced in #4156
* One from previous commit in this PR
 2021-06-30 22:20:17 -07:00
Elms
56d879f422 address scan-build issues for clang 6 and 10 2021-06-30 21:58:30 -07:00
Elms
dc7beab784 address errors with -fsanitize=undefined 
- fix null dereferences or undefined `memcpy` calls
 - fix alignment in `myCryptoDevCb`
 - fix default dtls context assignment
 - add align configure option to force data alignment

TESTED:
 `./configure CFLAGS=-fsanitize=undefined\ -DWOLFSSL_GENERAL_ALIGNMENT=1 --enable-all`
 2021-06-30 21:58:30 -07:00
Sean Parkinson
f56bf3d8ee TLS: Get DH anon working TLS 1.2 and below 
Send the server DH parameters in ServerKeyExchange.
./configure '--enable-anon' '--disable-rsa' '--enable-oldtls'
 2021-06-29 10:29:39 +10:00
John Safranek
5437883da7 Merge pull request #4164 from dgarske/async_frag 
Fix for async with fragmented packets
 2021-06-25 08:33:50 -07:00
Sean Parkinson
dab6724059 Regression fixes: more configurations 
./configure --disable-rsa --disable-ecc --disable-dh --enable-curve25519
&& make
./configure --disable-aescbc --disable-chacha --disable-poly1305
--disable-coding && make
 2021-06-25 15:23:51 +10:00
David Garske
45ef68d5c7 Fix for async with fragmented packets where inline crypto could be overwritten on reprocessing fragment. FIxes unit tests with --enable-all --enable-asynccrypt. Minor cleanup for line length and free verify RSA buffer sooner. 
Reproducible with:

```
./examples/server/server -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -2
./examples/client/client -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 -A ./certs/ca-ecc-cert.pem -F 6 -2
```
 2021-06-24 16:03:12 -07:00
David Garske
97ab1bb013 Merge pull request #4154 from SparkiDev/hmac_update_ct 
TLS hmac: handle truncated mac in Hmac_UpdateFinal_CT()
 2021-06-24 09:28:22 -07:00
Juliusz Sosinowicz
4eff3ff3dd Add a reason text for APP_DATA_READY 2021-06-23 13:43:56 +02:00
Sean Parkinson
5cf7e17820 TLS hmac: handle truncated mac in Hmac_UpdateFinal_CT() 2021-06-23 09:54:41 +10:00
John Safranek
a5852fe440 Merge pull request #4119 from julek-wolfssl/dtls-seq-num-refactor 
Refactor `dtls_expected_peer_handshake_number` handling
 2021-06-22 16:29:45 -07:00
Sean Parkinson
eccfb4f632 Merge pull request #4125 from dgarske/sniffer_etsi 
TLS: Fixes for sniffer and static ephemeral keys
 2021-06-23 09:17:13 +10:00
Chris Conlon
4b3bd3e384 Merge pull request #4049 from miyazakh/set_verifyDepth_3 
Set verify depth limit
 2021-06-22 10:23:43 -06:00
Chris Conlon
b050463dce Merge pull request #4059 from miyazakh/qt_unit_test 
fix qt unit test
 2021-06-22 10:12:48 -06:00
David Garske
67b87a8883 Merge pull request #4127 from douzzer/wolfsentry-client 
outbound connection filtering and wolfSentry integration
 2021-06-22 07:27:18 -07:00
David Garske
c4ea64b7fc Merge pull request #4140 from SparkiDev/set_sig_algs 2021-06-21 19:18:10 -07:00
Sean Parkinson
7224fcd9bc TLS: add support for user setting signature algorithms 2021-06-18 16:19:01 +10:00
Hideki Miyazaki
23fc810b3c added more context 2021-06-18 11:10:13 +09:00
Hideki Miyazaki
ddf2a0227f additional fix for set verify depth to be compliant with openssl limit 2021-06-18 11:00:51 +09:00
Hideki Miyazaki
2bbf7cc0fb addressed review comments 2021-06-18 10:49:24 +09:00
Daniel Pouzzner
93dfb4c7f4 add outbound connection filtering support to libwolfssl, add wolfSentry support to the test client, and add wolfSentry JSON config file support to the test client and server using --wolfsentry-config. 
also, add mygetopt_long() to wolfssl/test.h, and add --help and Japanese counterpart options to test client and server.
 2021-06-17 20:05:40 -05:00
Hideki Miyazaki
951de64e2c set PSK at the beginning 2021-06-18 07:59:35 +09:00
Hideki Miyazaki
976b6ae97c not push CA, revert error code when being OpensslExtra mode 2021-06-18 07:59:33 +09:00
Sean Parkinson
98ce4e901a TLS EtM: check all padding bytes are the same value 
Must be constant time so as not to provide an oracle.
That is, don't leak length of data and padding.
 2021-06-18 08:42:48 +10:00
David Garske
4bff3b6c69 Fix issue with WOLFSSL object copying CTX and object free'ing. Track ownership of the static key info. 2021-06-17 15:12:07 -07:00
Sean Parkinson
12c358bc30 Merge pull request #3979 from dgarske/tls13_async 
Asynchronous support for TLS v1.3 TLSX ECC/DH key generation and key agreement
 2021-06-15 10:02:19 +10:00
David Garske
831e1713f1 Merge pull request #4076 from TakayukiMatsuo/st_timeout 
Add session ticket timeout check in DoSessionTicket
 2021-06-14 13:44:32 -07:00
Juliusz Sosinowicz
1ee0c3a7fd Refactor dtls_expected_peer_handshake_number handling 
Moving the `dtls_expected_peer_handshake_number` value along has been moved to one location. It has also been changed to not keep state before a cookie exchange has been completed.
 2021-06-14 15:51:04 +02:00
David Garske
2e4e65f518 Asynchronous support for TLS v1.3 TLSX ECC/DH key generation and key agreement 
* Added async support to `SendTls13ClientHello`, `DoTls13ServerHello` and `DoTls13ClientHello`.
* Cleanup of the example client/server use key share code.
* Fix some scan-build warnings.
ZD 12065
 2021-06-11 14:12:12 -07:00
TakayukiMatsuo
1a9b59b183 Add macro guard for LowResTimer 2021-06-11 11:58:55 +09:00
John Safranek
4e881a226a Merge pull request #4088 from julek-wolfssl/dtls-mtu-define 
Change magic number 100 bytes to an enum define
 2021-06-10 09:22:08 -07:00
Sean Parkinson
7e0c372e4c TLS 1.3 PSK: use the hash algorithm to choose cipher suite 
See RFC 8446: 4.2.11
With TLS 1.3 PSK callback, If the returned cipher suite isn't available,
use the hash from the cipher suite and choose from available list.
Require exact match when: WOLFSSL_TLS13_PSK_NO_MATCH_HASH

Alternative callback for client added that is passed a cipher suite
string. Called for each cipher suite that is to be negotiated.
If cipher suite to be used with PSK then return client identity.
Returning an identity based on cipher suite hash will result in
only one PSK extension being added per hash.
 2021-06-10 09:55:27 +10:00
David Garske
c6c7dfd5db Merge pull request #4053 from SparkiDev/cppcheck_fixes_6 
cppcheck: fixes from reviewing report
 2021-06-09 12:51:30 -07:00
David Garske
a6edff7bd5 Merge pull request #4017 from SparkiDev/not_ecc_pk_cb 
ECC: Disable ECC but have Curve25519/448 and PK callbacks fix
 2021-06-09 12:38:37 -07:00
Sean Parkinson
8ee1dda2f9 Merge pull request #4001 from dgarske/time_long 
Improve TLS v1.3 time rollover support and fixes for NO_ASN_TIME
 2021-06-08 11:17:55 +10:00
Juliusz Sosinowicz
588a424d8d Change magic number 100 bytes to an enum define 2021-06-04 11:27:57 +02:00
David Garske
21060afb80 Fix for building SP math only (small) with key generation. Fix for WOLFSSL_EXTRA. Fix for RSA without PSS. Fix for ed25519 spelling error. 2021-06-03 10:56:54 -07:00
TakayukiMatsuo
69cf5ef266 Chage to use WOLFSSL_SESSION.bornON instead of WOLFSSL_SESSION.timestamp to hold the ticket creation time. 2021-06-01 15:30:07 +09:00
TakayukiMatsuo
5f7477980c Add session ticket timeout check in DoSessionTicket 2021-06-01 00:09:50 +09:00
Sean Parkinson
6747055d46 TLS: fix build with no TLSv12 but PK callbacks 
./configure '--disable-tlsv12' '-enable-pkcallbacks'
Disable non-TLS13 cipher suite test as well.
 2021-05-21 10:59:23 +10:00
Sean Parkinson
2c6285ccba cppcheck: fixes from reviewing report 2021-05-20 17:55:06 +10:00
Chris Conlon
c75830e2e8 Merge pull request #4011 from miyazakh/set_verify_depth2 
fix out of bound access when peer's chain is greater than verifyDepth + 1
 2021-05-11 15:38:39 -06:00
John Safranek
a608b083b4 Take into account a new flag in the DTLS state export and import. 2021-05-10 09:33:38 -07:00
Sean Parkinson
8779c3a884 ECC: Disable ECC but have Curve25519/448 and PK callbacks fix 
Fix ed25519 certificates.
Tidy up testsuite.c
 2021-05-10 10:32:55 +10:00
Hideki Miyazaki
0539b99c86 fix boundary access when peer's chain is less than verifyDepth + 1 2021-05-06 14:54:16 +09:00
David Garske
f8ecd4b441 Fixes for building with NO_ASN_TIME. If used with TLS user must supply LowResTimer and TimeNowInMilliseconds. 2021-04-30 15:04:31 -07:00