db3873ff40
Merge pull request #7172 from bandi13/fixUninitVar
...
Fix compilation errors about uninitialized variables
2024-01-26 08:32:41 -07:00
578735e06c
Merge pull request #7169 from julek-wolfssl/gh/7160
...
BIO_BIO: BIO_{write|read} on a BIO pair should wrap around ring buffer
2024-01-25 12:08:10 -08:00
4971b9a567
Fix compilation errors about uninitialized variables
...
When compiling with '--enable-all CFLAGS=-Og' there were a ton of errors that needed fixing.
2024-01-25 09:49:30 -05:00
4f1d777090
BIO_BIO: BIO_{write|read} on a BIO pair should wrap around ring buffer
...
- BIO_nread0 should return 0 when no data to read and -2 when not initialized
2024-01-25 13:46:45 +01:00
00f4afb5ea
fix strict-aliasing rules warning
2024-01-24 12:37:16 +09:00
eb1fff3ad3
Merge pull request #7141 from julek-wolfssl/zd/17249
...
EarlySanityCheckMsgReceived: version_negotiated should always be checked
2024-01-22 12:18:57 -08:00
0c150d2391
Merge pull request #7150 from dgarske/getenv
...
Fix build with `NO_STDIO_FILESYSTEM` and improve checks for `XGETENV`
2024-01-22 08:33:24 -08:00
76550465bd
Fixes build with `NO_STDIO_FILESYSTEM` defined.
2024-01-19 12:49:53 -08:00
6b8280f663
Merge pull request #7144 from bandi13/20240119-codesonar
...
20240119 codesonar
2024-01-19 09:35:02 -08:00
a3a7012c81
Merge pull request #7136 from jpbland1/x509-new-ex
...
add heap hint support for a few of the x509 functions
2024-01-19 09:29:47 -08:00
7069a1805a
Avoid "Use after free"
...
Warning 544767.5627232
2024-01-19 10:47:38 -05:00
f6ef146149
EarlySanityCheckMsgReceived: version_negotiated should always be checked
...
Multiple handshake messages in one record will fail the MsgCheckBoundary() check on the client side when the client is set to TLS 1.3 but allows downgrading.
--> ClientHello
<-- ServerHello + rest of TLS 1.2 flight
Client returns OUT_OF_ORDER_E because in TLS 1.3 the ServerHello has to be the last message in a record. In TLS 1.2 the ServerHello can be in the same record as the rest of the server's first flight.
2024-01-19 14:57:35 +01:00
9be390250d
Adding support for dual key/signature certificates. ( #7112 )
...
Adding support for dual key/signature certificates with X9.146. Enabled with `--enable-dual-alg-certs` or `WOLFSSL_DUAL_ALG_CERTS`.
2024-01-18 13:20:57 -08:00
41ea1109ec
update uses of wolfSSL_X509_new and wolfSSL_X509_d2i
...
where heap doesn't require a new ex function or struct field to avoid size increase
2024-01-17 18:46:24 -05:00
11029127df
Merge pull request #7119 from JacobBarthelmeh/crl
...
support for RSA-PSS signatures with CRL
2024-01-16 15:23:16 -08:00
b140f93b17
refactor sigParams allocation and adjust test file name
2024-01-16 14:41:24 -07:00
06a32d3437
Merge pull request #7097 from lealem47/removeUserCrypto
...
Remove user-crypto functionality and Intel IPP support
2024-01-09 17:33:28 -08:00
cd07e32b13
update crl files and add in compat support for RSA-PSS
2024-01-08 16:38:11 -08:00
d58acef895
add RSA-PSS CRL test case
2024-01-05 14:47:53 -08:00
5bdcfaa5d0
server: allow reading 0-RTT data after writing 0.5-RTT data
2024-01-04 13:19:44 +01:00
e175004f85
Fix Infer Uninitialized Values.
2024-01-02 12:16:20 -06:00
837452b1ca
Remove user-crypto functionality and Intel IPP support
2023-12-27 12:24:19 -07:00
e65e9f11c7
fixes for clang -Wunreachable-code-aggressive (-Wunreachable-code/clang-diagnostic-unreachable-code in src/ssl.c:wolfSSL_CTX_load_verify_buffer_ex() and -Wunreachable-code/clang-diagnostic-unreachable-code-return in api.c:myCEKwrapFunc()).
2023-12-22 14:12:13 -06:00
f2d573f01f
wolfssl/wolfcrypt/asn.h, src/ssl.c: add "ANONk" to enum Key_Sum, and use the new value in wolfSSL_get_sigalg_info(), fixing clang-analyzer-optin.core.EnumCastOutOfRange.
...
add suppressions in tests for expected clang-analyzer-optin.core.EnumCastOutOfRange's.
2023-12-19 18:14:29 -06:00
2ffc818c28
Merge pull request #7069 from douzzer/20231213-misc-fixes
...
20231213-misc-fixes
2023-12-14 15:18:12 -07:00
f6ef58dbc2
Merge pull request #7064 from philljj/fix_infer_issues
...
Fix issues from infer diff report.
2023-12-14 12:27:34 -07:00
16c6bd6846
examples/client/client.c and tests/api.c: add missing CloseSocket() calls.
2023-12-14 13:22:27 -06:00
d0aa80eb37
update example/test certs for end of year release
2023-12-13 16:41:59 -07:00
255086b7c8
fix API test warning, comparison of unsigned expression < 0 is always false
2023-12-13 16:41:59 -07:00
f222adf4c2
Fix issues from infer diff report.
2023-12-13 15:59:03 -06:00
a66137d2fe
Merge pull request #7062 from lealem47/leaks
...
Cleanup leaks in api.c and benchmark.c
2023-12-13 14:09:23 -07:00
5fd0470f76
Cleanup leaks in api.c and benchmark.c
2023-12-13 13:00:52 -07:00
56c7e5c675
Merge pull request #7054 from cconlon/sslAlpnSelectCb
...
Add wolfSSL_set_alpn_select_cb() for setting ALPN select callback on WOLFSSL session
2023-12-13 09:24:07 -08:00
269542ed96
add wolfSSL_set_alpn_select_cb() for WOLFSSL-level ALPN select callbacks
2023-12-13 09:16:44 -07:00
f12b61183b
Merge pull request #7029 from julek-wolfssl/zd/17108-fix
...
Additional TLS checks
2023-12-13 14:31:11 +10:00
493bb1760d
Add option to remove early sanity checks
2023-12-12 17:31:48 +01:00
51ba745214
ocsp: don't error out if we can't verify our certificate
...
We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
2023-12-12 14:49:52 +01:00
627310d26a
Additional TLS checks
...
- double check which messages need to be encrypted
- check msgs that have to be last in a record
ZD17108
2023-12-12 13:57:12 +01:00
cb6676fa27
Merge pull request #7030 from julek-wolfssl/gh/7000
...
Store ssl->options.dtlsStateful when exporting DTLS session
2023-12-11 09:39:54 -08:00
4ce4dd7479
Use correct size for memset
2023-12-11 14:30:54 +01:00
ac447d1afb
Merge pull request #7031 from douzzer/20231201-openssl-compat-fixes
...
20231201-openssl-compat-fixes
2023-12-08 17:25:53 -07:00
6c7b47e003
Store ssl->options.dtlsStateful when exporting DTLS session
2023-12-08 15:35:34 +01:00
6c8bf7be55
Merge pull request #6963 from julek-wolfssl/dynamic-certs-n-ciphers
...
Add API to choose dynamic certs based on client ciphers/sigalgs
2023-12-08 07:45:36 +10:00
fbe79d7317
Code review
2023-12-07 11:13:16 +01:00
106e39bd76
tests/api.c: in test_wc_CmacFinal(), don't use wc_CmacFinalNoFree() if FIPS <5.3.
2023-12-06 21:58:55 -06:00
b14aba48af
wolfcrypt/src/cmac.c: add wc_CmacFree(), revert wc_CmacFinal(), rename wc_CmacFinal() as wc_CmacFinalNoFree() removing its deallocation clauses, and add new wc_CmacFinal() that calls wc_CmacFinalNoFree() then calls wc_CmacFree() unconditionally, for compatibility with legacy client code (some of which may have previously leaked).
...
tests/api.c: modify test_wc_CmacFinal() to use wc_CmacFinalNoFree() except for the final call.
wolfcrypt/src/aes.c:
* fix wc_AesEaxEncryptAuth() and wc_AesEaxDecryptAuth() to call wc_AesEaxFree() only if wc_AesEaxInit() succeeded.
* fix wc_AesEaxInit() to free all resources on failure.
* revert wc_AesEaxEncryptFinal() and wc_AesEaxDecryptFinal() changes, then change wc_CmacFinal() calls in them to wc_CmacFinalNoFree() calls.
* wc_AesEaxFree(): add wc_CmacFree() calls.
2023-12-06 16:55:57 -06:00
c6d6100136
Merge pull request #7010 from julek-wolfssl/dtls13-0.5-rtt
...
dtls13: Add support for 0.5-RTT data
2023-12-07 08:41:42 +10:00
689a82a622
fix AES-related code, in both crypto and TLS layers, for various uninitialized data and resource leak defects around wc_AesInit() and wc_AesFree():
...
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."
* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().
* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.
* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().
* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.
* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().
* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.). A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.
* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
2023-12-05 15:58:09 -06:00
1857648d7d
Merge pull request #6976 from embhorn/gh6974
...
Fix build errors with dtls1.3 and no tls1.2
2023-12-04 14:53:35 -07:00
8c1ab783a1
Add missing wc_AesInit calls: small cleanup.
2023-11-29 18:02:45 -06:00
3edfcfe162
Jenkins fixes
2023-11-29 23:17:10 +01:00
9337cfbb16
Add wolfSSL_get_sigalg_info
2023-11-29 23:04:19 +01:00
7c2344c389
Add API to get information about ciphersuites
2023-11-29 23:04:19 +01:00
fbd8996949
Add API to choose dynamic certs based on client ciphers/sigalgs
2023-11-29 23:04:19 +01:00
3158e04863
Add missing wc_AesInit calls.
2023-11-29 12:54:28 -06:00
c87339e5c3
dtls13: Add support for 0.5-RTT data
2023-11-29 15:55:59 +01:00
5b3f5496f8
Merge pull request #6430 from kareem-wolfssl/memcached
...
Add memcached support.
2023-11-22 16:20:28 -07:00
7223b5a708
Fix spelling warnings
2023-11-22 12:34:56 -06:00
538ce14c62
Merge pull request #6953 from SKlimaRA/SKlimaRA/enable-ca-false
...
Enable encoding CA:FALSE with build flag
2023-11-20 15:03:14 -07:00
ca61034d22
Add memcached support.
...
memcached support: add required functions/defines.
Fix running unit test when defining DEBUG_WOLFSSL_VERBOSE without OPENSSL_EXTRA.
Break out session_id_context APIs into separate option WOLFSSL_SESSION_ID_CTX, so they can be used without OPENSSL_EXTRA.
Make wolfSSL_ERR_get_error and wolfSSL_CTX_set_mode available for memcached.
Add --enable-memcached.
Include required defines for memcached.
Revert unit test fix, no longer needed.
Add Github actions test for memcached. Stop defining DEBUG_WOLFSSL_VERBOSE for memcached.
Add auto retry to writes.
Memcached CI: correct libevent package name.
Memcached CI: Add pkgconfig path for Github CI wolfSSL prefix.
memcached: Fix WOLFSSL_OP_NO_RENEGOTIATION going outside of int bounds, add LD_LIBRARY_PATH for memcached CI test.
memcached CI: Use correct path for wolfSSL
memcached: Add required perl dependency for SSL tests
memcached: Update to 1.6.22
memcached: actually test tls
memcached: Update wolfSSL_SSL_in_before to be side agnostic.
2023-11-20 10:10:34 -07:00
6945093221
Merge pull request #6935 from SparkiDev/ssl_crypto_extract
...
ssl.c: Move out crypto compat APIs
2023-11-16 11:58:14 -07:00
7bbeadcf97
Fix build errors with dtls1.3 and no tls1.2
2023-11-15 10:37:09 -06:00
7569cfdff8
src/internal.c,src/wolfio.c: fallback to SHA256 when NO_SHA, in LoadCertByIssuer(), MicriumGenerateCookie(), uIPGenerateCookie(), and GNRC_GenerateCookie();
...
tests/api.c: when NO_SHA, omit test_wolfSSL_CertManagerCheckOCSPResponse() and test_wolfSSL_CheckOCSPResponse() (both use static artifacts with SHA1 name and key hashes).
2023-11-15 00:09:22 -06:00
be24d68e5d
Add EXTENDED_KEY_USAGE_free to OpenSSL compat layer.
2023-11-08 15:26:24 -06:00
76d89a0c15
unused variable
2023-11-08 11:09:05 +01:00
f518a8f7d5
new build flag WOLFSSL_ALLOW_ENCODING_CA_FALSE
2023-11-08 10:51:25 +01:00
54f2d56300
ssl.c: Move out crypto compat APIs
...
ssl_crypto.c contains OpenSSL compatibility APIS for:
- MD4, MD5, SHA/SHA-1, SHA2, SHA3
- HMAC, CMAC
- DES, DES3, AES, RC4
API implementations reworked.
Tests added for coverage.
TODOs for future enhancements.
2023-11-08 19:43:18 +10:00
4bbb0e3876
drafted ca false
2023-11-08 10:23:46 +01:00
ca694938fd
tests/api.c: update response vector in test_wolfSSL_CertManagerCheckOCSPResponse(), reflecting regenerated keys in certs/ocsp/.
2023-11-07 19:25:52 -06:00
c5e2f414ea
Merge pull request #6929 from julek-wolfssl/dtls13-early-data-server-side
...
dtls 1.3: allow to skip cookie exchange on resumption
2023-11-06 13:30:21 -07:00
c92d25816a
Merge pull request #6887 from julek-wolfssl/zd/16849
...
Implement untrusted certs in wolfSSL_X509_STORE_CTX_init
2023-11-06 10:13:43 -07:00
8c87920903
Address code review
2023-11-03 11:02:41 +01:00
96977d1480
Merge pull request #6900 from julek-wolfssl/zd/16868
...
EVP_EncodeBlock should not append a newline
2023-11-02 09:20:39 -06:00
21f34ef028
Merge pull request #6905 from bandi13/moreCodeSonarFixes
...
Don't nag about leaked resources
2023-11-01 14:46:02 -06:00
c920337f2f
Merge pull request #6891 from julek-wolfssl/zd/16849-i2d_x509
...
Advance pointer in wolfSSL_i2d_X509
2023-11-01 11:02:44 -06:00
026c4bcbc7
Merge pull request #6902 from dgarske/various_20231020
...
Fixes for PKCS w/out RSA and Cert/CSR signing with unknown OID
2023-11-01 10:58:10 -06:00
98843798c2
Merge pull request #6934 from SparkiDev/regression_fixes_8
...
Regression test fixes
2023-11-01 10:55:41 -06:00
0eab70f806
Regression test fixes
...
Fixes for different configurations and memory allocation failure
testing.
2023-11-01 14:10:49 +10:00
aed715cb2c
dtls 1.3: allow to skip cookie exchange on resumption
...
tls 1.3: do cookie exchange when asked too even when found a matching cipher
2023-10-31 14:29:04 +01:00
0455224439
Fix build errors in API unit test without IO dependencies.
2023-10-30 17:04:36 -07:00
42c241dbbf
Avoid use of uninitialized array
2023-10-27 15:38:46 -04:00
8f60fb0053
Advance pointer in wolfSSL_i2d_X509
2023-10-24 10:25:06 +02:00
501299bc31
fix null pointer derefs in examples/pem/pem.c:pemApp_ReadFile() and tests/api.c:LoadPKCS7SignedDataCerts() detected by clang-tidy.
2023-10-21 13:34:04 -05:00
6887281361
Fix for `./configure --enable-pkcs7 --disable-rsa && make check`.
2023-10-20 16:27:54 -07:00
8cd6cd175d
EVP_EncodeBlock should not append a newline
2023-10-20 13:20:11 +02:00
d13d446c2e
Add missing guard
2023-10-19 20:05:59 +02:00
1ae248018f
Implement untrusted certs in wolfSSL_X509_STORE_CTX_init
2023-10-18 22:24:19 +02:00
3e9f8bc649
tests/api.c: gate test_wc_AesEaxVectors(), test_wc_AesEaxEncryptAuth(), and test_wc_AesEaxDecryptAuth(), on !FIPS || FIPS>=5.3.
...
wolfcrypt/src/eccsi.c: remove incorrect `(void)h` from eccsi_mulmod_base_add() in newly exposed WOLFSSL_SP_MATH code path.
2023-10-16 13:30:16 -05:00
c23559a91c
Merge pull request #6866 from bigbrett/aes-eax
...
Add more extensive AES EAX tests to api.c
2023-10-13 16:09:30 -06:00
87cffc8229
Added more extensive AES EAX tests to api.c
2023-10-13 11:38:16 -06:00
79a6e1eb04
Merge pull request #6808 from SparkiDev/sp_sm2
...
SP updates for SM2
2023-10-13 10:17:17 -06:00
0cc21a42f3
SP updates for SM2
...
Allow wolfSSL to build with SP implementations of SM2.
Updates to SP implementation of other code.
2023-10-13 08:14:15 +10:00
8ac72750bc
Fix linting issues
2023-10-09 12:54:11 +02:00
948d7ae761
keyLog_callback: flush the descriptor to make sure it is written out
2023-10-09 12:54:11 +02:00
bec87e525f
PQC TLS 1.3: test setting pqc with wolfSSL_CTX_set_groups
2023-10-09 12:54:11 +02:00
2c6c52078a
test_dtls13_frag_ch_pq: make sure kyber5 is used
2023-10-09 12:54:11 +02:00
f640fdf91f
Adding a post-quantum DTLS 1.3 test.
...
This exercises the fragmenting of ClientHello via large post-quantum key share.
./configure --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtls \
--enable-dtls13 --with-liboqs
2023-10-09 12:54:11 +02:00
85a596e54a
DTLS 1.3: allow fragmenting the second ClientHello message
...
- DTLS 1.3 pqc support
- Add --enable-dtls-frag-ch option to enable CH fragmenting
- Send an alert when we get an empty keyshare with a cookie present to not allow for multiple HRR in one connection
- Only update the DTLS window when we have successfully processed or stored a message
- Call ssl->chGoodCb as soon as we have processed a verified full or fragmented ClientHello cookie
2023-10-09 12:54:11 +02:00
5cb80ea898
Merge pull request #6847 from embhorn/zd16767
...
Fix wolfSSL_set_verify_result to use correct value
2023-10-06 16:52:32 -06:00
b329c0d5f4
Fix wolfSSL_set_verify_result to use correct value
2023-10-06 16:34:31 -05:00
JacobBarthelmeh
Andras Fekete
Juliusz Sosinowicz
Hideki Miyazaki
David Garske
Anthony Hu
John Bland
jordan
Lealem Amedie
Daniel Pouzzner
Chris Conlon
Sean Parkinson
Eric Blankenhorn
Kareem
Stanislav Klima
Brett
Anthony Hu