We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
tests/api.c: modify test_wc_CmacFinal() to use wc_CmacFinalNoFree() except for the final call.
wolfcrypt/src/aes.c:
* fix wc_AesEaxEncryptAuth() and wc_AesEaxDecryptAuth() to call wc_AesEaxFree() only if wc_AesEaxInit() succeeded.
* fix wc_AesEaxInit() to free all resources on failure.
* revert wc_AesEaxEncryptFinal() and wc_AesEaxDecryptFinal() changes, then change wc_CmacFinal() calls in them to wc_CmacFinalNoFree() calls.
* wc_AesEaxFree(): add wc_CmacFree() calls.
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."
* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().
* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.
* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().
* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.
* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().
* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.). A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.
* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
memcached support: add required functions/defines.
Fix running unit test when defining DEBUG_WOLFSSL_VERBOSE without OPENSSL_EXTRA.
Break out session_id_context APIs into separate option WOLFSSL_SESSION_ID_CTX, so they can be used without OPENSSL_EXTRA.
Make wolfSSL_ERR_get_error and wolfSSL_CTX_set_mode available for memcached.
Add --enable-memcached.
Include required defines for memcached.
Revert unit test fix, no longer needed.
Add Github actions test for memcached. Stop defining DEBUG_WOLFSSL_VERBOSE for memcached.
Add auto retry to writes.
Memcached CI: correct libevent package name.
Memcached CI: Add pkgconfig path for Github CI wolfSSL prefix.
memcached: Fix WOLFSSL_OP_NO_RENEGOTIATION going outside of int bounds, add LD_LIBRARY_PATH for memcached CI test.
memcached CI: Use correct path for wolfSSL
memcached: Add required perl dependency for SSL tests
memcached: Update to 1.6.22
memcached: actually test tls
memcached: Update wolfSSL_SSL_in_before to be side agnostic.
tests/api.c: when NO_SHA, omit test_wolfSSL_CertManagerCheckOCSPResponse() and test_wolfSSL_CheckOCSPResponse() (both use static artifacts with SHA1 name and key hashes).
This exercises the fragmenting of ClientHello via large post-quantum key share.
./configure --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtls \
--enable-dtls13 --with-liboqs
- DTLS 1.3 pqc support
- Add --enable-dtls-frag-ch option to enable CH fragmenting
- Send an alert when we get an empty keyshare with a cookie present to not allow for multiple HRR in one connection
- Only update the DTLS window when we have successfully processed or stored a message
- Call ssl->chGoodCb as soon as we have processed a verified full or fragmented ClientHello cookie
- Regen CRL's as most of them are expired
- certs/crl/extra-crls/ca-int-cert-revoked.pem: CRL that revokes certs/intermediate/ca-int-cert.pem signed by certs/ca-cert.pem
- Add CheckCertCRL_ex API to not depend on DecodedCert
- CheckCertCRLList: accept raw serial or hashed version to work with Signers
- Add XELEM_CNT to simplify pre-proc element counting
- CheckCertCRLList: check all entries in case a single issuer has multiple CRL's loaded
- test_multiple_crls_same_issuer: testing two different certificates forcing the client to check both CRL's from the same issuer
- CRL_Entry
- use a lock instead of a mutex to allow multiple threads to access the same list simultaneously
- add a verifyMutex when doing verification so that we don't have to release the crlLock
- Add allocation and free functions for CRL_Entry
- DupCRL_Entry: simplify copying by copying all static fields in one memcpy
- Use unions for type punning in xor API
- Initialise potentially uninitialised variables
- Use `LL` suffix to specify a larger integer type
- Don't use `max` as it can shadow other definitions
Add support for compiling ASM for Thumb2
Add Curve25519 ASM for Thumb2
Limit assembly code compiled when Ed25519 not required.
Rework all assembly implementations to replace ge_*() functions instead
of having fe_ge_*() versions that take many parameters.
Get ARM32 inline asm working.
- wolfssl_ec_point_mul: fix parameters being passed into ec_mul2add
- Compile in compressed ecc key parsing for OPENSSLALL
- Improve debugging around compat layer ecc operations
- wolfSSL_BN_div: dv can be NULL
- Add spake like computation test
- Add CI krb5 testing
- Add timeouts to CI
tweak several #includes of settings.h to include types.h instead (all of these are for clarity, as types.h is indirectly included by later #includes), and add #include <wolfssl/wolfcrypt/types.h> where missing;
remove trailing semicolons from PRAGMA*() macro invocations as they are unneeded and can be harmful (inducing frivolous -Wdeclaration-after-statement etc.).
if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;
if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;
for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;
scripts/sniffer-gen.sh: fix illegal exit code (SC2242);
src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();
src/ocsp.c: fix readability-redundant-preprocessor;
src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();
tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;
wolfcrypt/src/asn.c:
fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();
fix readability-redundant-declaration re GetCA() and GetCAByName();
gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);
wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;
tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).
Add support for cipher aliases DHE, EDH and EECDH.
Add define SSL_CTRL_GET_CHAIN_CERTS to help hitch and other programs detect SSL_CTX_get0_chain_certs is supported.
Add wolfSSL_get_locking_callback.
Allow using ECDHE+RSA cipher suites when ECDHE alias is used while in OpenSSL compatibility mode.
Add more alerts for hitch.
SSL_CM should use the CTX's x509_store_pt if available.
Add support for SSL_CERT_FILE and SSL_CERT_DIR. Load default OpenSSL TLS 1.3 ciphers when using OPENSSL_COMPATIBLE_DEFAULTS.
Use wolfSSL_sk_X509_new_null to allocate WOLFSSL_STACK in wolfSSL_CTX_get_extra_chain_certs. Previous approach of malloc'ing without setting type/memsetting was leading to a segfault.
Add --enable-hitch.
hitch: Add unit tests for new APIs, fix a couple of issues uncovered by unit testing.
Correct behavior of wolfSSL_BIO_set_mem_buf for BIO_CLOSE/NOCLOSE and update unit test accordingly.
Add Github action test for hitch.
David Garske
Chris Conlon
Sean Parkinson
Juliusz Sosinowicz
JacobBarthelmeh
Daniel Pouzzner
jordan
Eric Blankenhorn
Kareem
Stanislav Klima
Andras Fekete
Brett
Anthony Hu
Anthony Hu
Dimitri Papadopoulos
gojimmypi
TakayukiMatsuo
Juliusz Sosinowicz
Lealem Amedie