memcached support: add required functions/defines.
Fix running unit test when defining DEBUG_WOLFSSL_VERBOSE without OPENSSL_EXTRA.
Break out session_id_context APIs into separate option WOLFSSL_SESSION_ID_CTX, so they can be used without OPENSSL_EXTRA.
Make wolfSSL_ERR_get_error and wolfSSL_CTX_set_mode available for memcached.
Add --enable-memcached.
Include required defines for memcached.
Revert unit test fix, no longer needed.
Add Github actions test for memcached. Stop defining DEBUG_WOLFSSL_VERBOSE for memcached.
Add auto retry to writes.
Memcached CI: correct libevent package name.
Memcached CI: Add pkgconfig path for Github CI wolfSSL prefix.
memcached: Fix WOLFSSL_OP_NO_RENEGOTIATION going outside of int bounds, add LD_LIBRARY_PATH for memcached CI test.
memcached CI: Use correct path for wolfSSL
memcached: Add required perl dependency for SSL tests
memcached: Update to 1.6.22
memcached: actually test tls
memcached: Update wolfSSL_SSL_in_before to be side agnostic.
tests/api.c: when NO_SHA, omit test_wolfSSL_CertManagerCheckOCSPResponse() and test_wolfSSL_CheckOCSPResponse() (both use static artifacts with SHA1 name and key hashes).
This exercises the fragmenting of ClientHello via large post-quantum key share.
./configure --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtls \
--enable-dtls13 --with-liboqs
- DTLS 1.3 pqc support
- Add --enable-dtls-frag-ch option to enable CH fragmenting
- Send an alert when we get an empty keyshare with a cookie present to not allow for multiple HRR in one connection
- Only update the DTLS window when we have successfully processed or stored a message
- Call ssl->chGoodCb as soon as we have processed a verified full or fragmented ClientHello cookie
- Regen CRL's as most of them are expired
- certs/crl/extra-crls/ca-int-cert-revoked.pem: CRL that revokes certs/intermediate/ca-int-cert.pem signed by certs/ca-cert.pem
- Add CheckCertCRL_ex API to not depend on DecodedCert
- CheckCertCRLList: accept raw serial or hashed version to work with Signers
- Add XELEM_CNT to simplify pre-proc element counting
- CheckCertCRLList: check all entries in case a single issuer has multiple CRL's loaded
- test_multiple_crls_same_issuer: testing two different certificates forcing the client to check both CRL's from the same issuer
- CRL_Entry
- use a lock instead of a mutex to allow multiple threads to access the same list simultaneously
- add a verifyMutex when doing verification so that we don't have to release the crlLock
- Add allocation and free functions for CRL_Entry
- DupCRL_Entry: simplify copying by copying all static fields in one memcpy
- Use unions for type punning in xor API
- Initialise potentially uninitialised variables
- Use `LL` suffix to specify a larger integer type
- Don't use `max` as it can shadow other definitions
Add support for compiling ASM for Thumb2
Add Curve25519 ASM for Thumb2
Limit assembly code compiled when Ed25519 not required.
Rework all assembly implementations to replace ge_*() functions instead
of having fe_ge_*() versions that take many parameters.
Get ARM32 inline asm working.
- wolfssl_ec_point_mul: fix parameters being passed into ec_mul2add
- Compile in compressed ecc key parsing for OPENSSLALL
- Improve debugging around compat layer ecc operations
- wolfSSL_BN_div: dv can be NULL
- Add spake like computation test
- Add CI krb5 testing
- Add timeouts to CI
tweak several #includes of settings.h to include types.h instead (all of these are for clarity, as types.h is indirectly included by later #includes), and add #include <wolfssl/wolfcrypt/types.h> where missing;
remove trailing semicolons from PRAGMA*() macro invocations as they are unneeded and can be harmful (inducing frivolous -Wdeclaration-after-statement etc.).
if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;
if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;
for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;
scripts/sniffer-gen.sh: fix illegal exit code (SC2242);
src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();
src/ocsp.c: fix readability-redundant-preprocessor;
src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();
tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;
wolfcrypt/src/asn.c:
fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();
fix readability-redundant-declaration re GetCA() and GetCAByName();
gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);
wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;
tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).
Add support for cipher aliases DHE, EDH and EECDH.
Add define SSL_CTRL_GET_CHAIN_CERTS to help hitch and other programs detect SSL_CTX_get0_chain_certs is supported.
Add wolfSSL_get_locking_callback.
Allow using ECDHE+RSA cipher suites when ECDHE alias is used while in OpenSSL compatibility mode.
Add more alerts for hitch.
SSL_CM should use the CTX's x509_store_pt if available.
Add support for SSL_CERT_FILE and SSL_CERT_DIR. Load default OpenSSL TLS 1.3 ciphers when using OPENSSL_COMPATIBLE_DEFAULTS.
Use wolfSSL_sk_X509_new_null to allocate WOLFSSL_STACK in wolfSSL_CTX_get_extra_chain_certs. Previous approach of malloc'ing without setting type/memsetting was leading to a segfault.
Add --enable-hitch.
hitch: Add unit tests for new APIs, fix a couple of issues uncovered by unit testing.
Correct behavior of wolfSSL_BIO_set_mem_buf for BIO_CLOSE/NOCLOSE and update unit test accordingly.
Add Github action test for hitch.
Split out certificate manager APIs into ssl_certman.c.
ssl.c includes ssl_certman.c
Better test coverage.
Minor fixes.
wolfSSL_X509_chain_up_ref calls XFREE with name->heap but name may be
NULL. Check for NULL first.
- nginx: add necessary defines and function
- Implement Certificate Authorities for TLS 1.3
- Implement secret logging for TLS 1.3. Can be used for example with:
./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'"
- Implement session context checking for tickets
- Check for authorized responder in OCSP basic response
- Fix handling call to ocsp->statusCb
- compat: Translate SOCKET_PEER_CLOSED_E to WOLFSSL_ERROR_SYSCALL
- Fix wolfSSL_CTX_set_session_cache_mode
- WOLFSSL_SESS_CACHE_OFF means nothing should be on
- WOLFSSL_SESS_CACHE_NO_INTERNAL turns off only the internal cache
- Respect ssl->options.internalCacheOff
- Implement SSL_SESSION_set_time
- wolfSSL_SSL_in_init: fix detection for TLS 1.3
- Fix handling call to ssl->alpnSelect
- SendTls13NewSessionTicket: always generate new ID
- When we send a new ticket for the same session (for example we resumed a connection and are sending a new ticket so that the client can resume in the future), we need to generate a new ID so that we don't overwrite the old session in the cache. Overwriting the session results in the `diff` calculation in `DoClientTicketCheck()` producing the wrong value and failing to resume.
Add nginx github action test
- Fix memory leaks
- wolfSSL_OCSP_basic_verify: implement OCSP_TRUSTOTHER flag
- AKID: implement matching on issuer name and serial number
- ocsp: check for a chain match for OCSP responder
- Split CreateTicket into CreateTicket and SetupTicket
- SendCertificateStatus: free response.buffer
- Use heap hint when allocating responseBuffer
- Remove responseBuffer from internal API's that don't use it anywhere
Address PR comments + other cleanup
Addressing PR comments
Minor change
Make sure the last line gets output as well
Add in ARIA SHA256 session to internal structure
Add in ARIA SHA384 session to internal structure
Add necessary function for ARIA to extract key
Fix unit tests
Rename HAVE_ARIAGCM to HAVE_ARIA
Move aria.* to wolfcrypt/port/aria
Separate out aria-crypt init functions
Adding in ECC+SHA callbacks
Avoid using AC_CHECK_FILE
Rename Aria to wc_Aria
Don't need special cases
Addressing PR comments
Code cleanup
C89 support
Remove TODO
Add documentation about buffer size
Clean up header files
Use ARIA_DEVID by default if available
Dummy update call to make MagicCrypto happy
Fix for detecting what algo type to use
Documentation
Use the appropriate sign/verify
Collect MagicCrypto functions together (and avoid leaks)
Fall back on other implementations on failure
Fix issue when compiling without CRYPTOCB
Addressing PR comments
Better cleanup
Addressing PR comments
Cleaner exit in case of error
- move the testsuite file helps into a new tests/utils.c file so that they can be used across all tests
- dump the raw TLS stream when WOLFSSL_DUMP_MEMIO_STREAM is defined so that it can be examined in Wireshark
Add support for:
- SM2 elliptic curve and SM2 sign/verify
- SM3 digest
- SM4 cipher with modes ECB/CBC/CTR/GCM/CCM
Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
Importing an EC point ordinate with one being zero will result in
different errors based on different implementations. Check both known
error codes.
Benchmark usage fixed.
Juliusz Sosinowicz
jordan
JacobBarthelmeh
Eric Blankenhorn
Kareem
Daniel Pouzzner
Stanislav Klima
Sean Parkinson
David Garske
Andras Fekete
Brett
Anthony Hu
Anthony Hu
Dimitri Papadopoulos
gojimmypi
TakayukiMatsuo
Juliusz Sosinowicz
Lealem Amedie
Chris Conlon