dcaa218ed8
Merge pull request #4927 from cconlon/upRef
2022-03-18 18:10:36 -07:00
2637e5e361
Merge pull request #4926 from cconlon/namePrintRFC5523
2022-03-18 15:53:07 -07:00
a79daa5ea8
Merge pull request #4959 from haydenroche5/asn1_time_diff_bug
...
Fix bug in wolfSSL_ASN1_TIME_diff.
2022-03-18 14:28:23 -07:00
582f0d82e4
address review feedback for PKCS7 compat additions
2022-03-18 12:07:44 -06:00
1fd090d094
Update `wolfSSL_get_session` docs
...
Recommend using `wolfSSL_get1_session` and `NO_SESSION_CACHE_REF` for session resumption purposes. `wolfSSL_get_session` should not be used unless to inspect the current session object.
2022-03-17 12:56:28 +01:00
6e6aa5b0c1
Fix bug in wolfSSL_ASN1_TIME_diff.
...
This function should not error out if one of the passed in times is the Unix
epoch. This amounts to erroring out when the XMKTIME returns < 0, rather than
<= 0.
2022-03-15 10:52:05 -07:00
6762cd90da
add tests for PKCS7_sign(), PKCS7_final(), SMIME_write_PKCS7()
2022-03-15 10:21:22 -06:00
a7d5e6400d
add support for PKCS7_TEXT flag to PKCS7_verify()
2022-03-15 10:21:22 -06:00
4966eb7897
Merge pull request #4944 from douzzer/20220310-asn-template-EncodeExtensions-overrun
...
wolfcrypt/src/asn.c: fix buffer underrun in EncodeExtensions() and leak in ParseCRL_Extensions()
2022-03-13 21:21:07 -05:00
cdb45b12c5
Merge pull request #4884 from haydenroche5/i2d_x509_name_fix
...
Improve wolfSSL_i2d_X509_name.
2022-03-14 11:57:07 +10:00
82ab7bf32c
ssl.c: fix hash state memory leaks in wolfSSL_clear() and wolfSSL_TicketKeyCb().
2022-03-11 13:40:01 -06:00
9fff321e3e
address PR review feedback on EVP_PKEY changes
2022-03-11 10:11:02 -07:00
47895fe78d
Merge pull request #4942 from dgarske/sp_math_opensslextra
...
Fixes to support building opensslextra with SP math
2022-03-10 08:53:21 +10:00
e1da313b91
EVP_PKEY_copy_parameters: add support for EVP_PKEY_DH
2022-03-09 14:34:09 -07:00
3a62857dbd
Fixes to support building opensslextra with SP math. Disables some of the compatibility layer BN and ECC point handling.
2022-03-09 11:53:56 -08:00
67cc8ed482
tests/api.c: fix test_wolfSSL_BIO_Qt_usecase() "function declaration isn’t a prototype".
2022-03-09 12:27:19 -06:00
70857f7b3c
Merge pull request #4923 from miyazakh/set_bio
...
Set bio read/write flag obviously
2022-03-08 13:08:33 -07:00
f71be0546c
addressed review comments
2022-03-08 18:20:30 +09:00
f49983b3b3
EVP_PKEY_keygen: add DH keygen support, fixes to EVP_PKEY_set1/get1_DH
2022-03-07 16:32:23 -07:00
85f85cc76a
add DH_up_ref() and unit test
2022-03-07 16:32:22 -07:00
76014260f6
add EC_KEY_up_ref() and unit test
2022-03-07 16:31:09 -07:00
9b808bde20
Fixes for building with `HAVE_EX_DATA` no compat layer.
2022-03-07 17:20:58 -06:00
6bc3b7fc9d
addressed jenkins failure
2022-03-06 07:41:37 +09:00
a572c19268
set bio flag obviously
...
fix nightly Qt test
2022-03-06 07:41:36 +09:00
930a3d85e1
add support to X509_NAME_print_ex() for RFC5523 basic escape
2022-03-04 17:19:33 -07:00
3839b0e675
Fixes for building wolfSSL along side openssl.
2022-03-04 12:06:24 -08:00
e1829e614d
Merge pull request #4820 from haydenroche5/evp_pkey_paramgen
...
Add wolfSSL_EVP_PKEY_paramgen to the compatibility layer.
2022-03-04 11:49:21 -07:00
59970d94f5
Merge pull request #4908 from dgarske/tick_pad
...
Fix for padding in session tickets
2022-03-03 08:20:35 +10:00
119f2d2651
Fix for padding in session tickets. Adds padding based on `WOLFSSL_GENERAL_ALIGNMENT`. Increases `enc_len` to 32-bit. Related to PR #4887
2022-03-01 15:40:57 -08:00
45ff8af026
refactor PKCS12 parse key creation
2022-03-01 14:49:59 -07:00
1aff4399d1
Merge pull request #4899 from dgarske/kcapi
...
Improvements to KCAPI support
2022-03-01 08:52:55 +10:00
92bd5a4076
Merge pull request #4891 from dgarske/multi_test
2022-02-28 15:28:39 +01:00
f3df4400d5
Merge pull request #4886 from dgarske/zd13745
...
Adds CSR userId support in subject name
2022-02-28 10:15:41 +10:00
cc2eb0ab71
KCAPI Testing fixes.
2022-02-25 15:16:55 -08:00
870ff5b352
Merge pull request #4890 from miyazakh/objinfo
...
fix to use EXT_KEY_USAGE_OID in object_info
2022-02-25 16:02:48 -07:00
a2381ba954
Adds CSR userId support in subject name. Minor build fixes for ASN template.
2022-02-25 14:22:59 -08:00
a39a1c1d87
More fixups from cppcheck and clang-tidy.
2022-02-25 10:03:17 -08:00
c33ae4c245
Improve wolfSSL_i2d_X509_NAME and wolfSSL_i2d_X509_NAME_canon.
...
Like other i2d functions, these functions should be able to take a NULL output
parameter and return the necessary output buffer size. This commit adds this
ability. This commit also removes some redundant code in wolfSSL_i2d_X509_NAME.
2022-02-24 14:48:52 -08:00
de81447b2d
fix to use EXT_KEY_USAGE_OID in object_info
2022-02-24 15:18:32 +09:00
51d66877f7
Add wolfSSL_EVP_PKEY_paramgen to the compatibility layer.
...
Currently, it only supports ECC, which is all we need it for for the OpenSplice
port we're working on. In the ECC case, all it needs to do is set the group
appropriately. The logic is very similar to `wolfSSL_EVP_PKEY_keygen`, minus
the final step of actually generating the key.
2022-02-23 13:59:15 -08:00
0824a64c92
Merge pull request #4807 from julek-wolfssl/stunnel-5.61
...
stunnel 5.61 support
2022-02-23 09:41:51 -08:00
b402102e58
Add backwards compatibility for `wolfSSL_get_session`
...
Before this pull request, `wolfSSL_get_session` always returned a pointer to the internal session cache. The user can't tell if the underlying session hasn't changed before it calls `wolfSSL_set_session` on it. This PR adds a define `NO_SESSION_CACHE_REF` (for now only defined with `OPENSSL_COMPATIBLE_DEFAULTS`) that makes wolfSSL only return a pointer to `ssl->session`. The issue is that this makes the pointer returned non-persistent ie: it gets free'd with the `WOLFSSL` object. This commit leverages the lightweight `ClientCache` to "increase" the size of the session cache. The hash of the session ID is checked to make sure that the underlying session hasn't changed.
2022-02-23 09:47:34 +01:00
ceff401269
Fixes for Jenkins tests
...
- Move test to `HAVE_IO_TESTS_DEPENDENCIES`
- Implement `wolfSSL_trust_peer_cert`
- have{cipher} options weren't being set with only RSA enabled
2022-02-23 09:47:34 +01:00
91b08fb691
Allocate `ssl->session` separately on the heap
...
- Refactor session cache access into `AddSessionToCache` and `wolfSSL_GetSessionFromCache`
2022-02-23 09:47:34 +01:00
1d712d47ba
Access to session cache is now atomic
...
- Adding and getting sessions to and from the local cache is now atomic.
- The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
-`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.
2022-02-23 09:47:34 +01:00
afca455cda
stunnel 5.61 support
...
- New/Implemented API
- `SSL_has_pending`
- `wolfSSL_CertManagerLoadCRLFile`
- `wolfSSL_LoadCRLFile`
- `wolfSSL_CTX_LoadCRLFile`
- `wolfSSL_CTX_add_session`
- Calling chain certificate API (for example `wolfSSL_CTX_use_certificate_chain_file`) no longer requires an actual chain certificate PEM file to be passed in as input. `ProcessUserChain` error in `ProcessBuffer` is ignored if it returns that it didn't find a chain.
- Add `WOLFSSL_TICKET_HAVE_ID` macro. When defined tickets will include the original session ID that can be used to lookup the session in internal cache. This is useful for fetching information about the peer that doesn't get sent in a resumption (such as the peer's certificate chain).
- Add `ssl->ticketSessionID` field because `ssl->session.sessionID` is used to return the "bogus" session ID sent by the client in TLS 1.3
- `OPENSSL_COMPATIBLE_DEFAULTS` changes
- Define `WOLFSSL_TRUST_PEER_CERT` and certificates added as CA's will also be loaded as trusted peer certificates
- Define `WOLFSSL_TLS13_MIDDLEBOX_COMPAT`
- Seperate `internalCacheOff` and `internalCacheLookupOff` options to govern session addition and lookup
- `VerifyServerSuite` now determines if RSA is available by checking for it directly and not assuming it as the default if static ECC is not available
- `WOLFSSL_SESSION` changes
- `ssl->extSession` added to return a dynamic session when internalCacheOff is set
- `ssl->session.refPtr` made dynamic and gets free'd in `SSL_ResourceFree`
- If `SSL_MODE_AUTO_RETRY` is set then retry should only occur during a handshake
- `WOLFSSL_TRUST_PEER_CERT` code now always uses `cert->subjectHash` for the `cm->tpTable` table row selection
- Change some error message names to line up with OpenSSL equivalents
- Run `MatchSuite` again if certificate setup callback installed and successful
- Refactor clearing `ASN_NO_PEM_HEADER` off the error queue into a macro
- `wolfSSL_get_peer_certificate` now returns a duplicated object meaning that the caller needs to free the returned object
- Allign `wolfSSL_CRYPTO_set_mem_functions` callbacks with OpenSSL API
- `wolfSSL_d2i_PKCS12_bio` now consumes the input BIO. It now supports all supported BIO's instead of only memory BIO.
- stunnel specific
- Always return a session object even if we don't have a session in cache. This allows stunnel to save information in the session external data that will be transfered to new connections if the session is reused
- When allocating a dynamic session, always do `wolfSSL_SESSION_set_ex_data(session, 0, (void *)(-1)`. This is to mimic the new index callback set in `SSL_SESSION_get_ex_new_index`.
- Fix comment in `wolfSSL_AES_cbc_encrypt`
- Trusted peer certificate suite tests need to have CRL disabled since we don't have the issuer certificate in the CA store if the certificates are only added as trusted peer certificates.
tested
2022-02-23 09:47:34 +01:00
d33b787993
BIO: move APIs out of ssl.c
...
Get configuration working: --enable-all CFLAGS=-DNO_BIO
2022-02-23 14:11:30 +10:00
15d0dd258a
Add cert test for UID name component
2022-02-15 14:05:46 +01:00
562fcd3916
Implement FIPS_mode and FIPS_mode_set in the compat layer.
2022-02-10 13:14:05 -08:00
74408e3ee3
fixes for whitespace, C++ warnings, and LLVM 15 clang-tidy defects/carps:
...
* whitespace in src/ssl.c, tests/api.c, wolfssl/openssl/fips_rand.h.
* clang-analyzer-core.StackAddressEscape from llvm-15 clang-tidy, in tests/suites.c:execute_test_case().
* bugprone-suspicious-memory-comparison from llvm-15 clang-tidy, in src/internal.c:DoSessionTicket() and src/ssl.c:wolfSSL_sk_push().
2022-02-08 15:20:22 -06:00
4c8f0709fc
Merge pull request #4720 from dgarske/fips_compat
2022-02-07 09:56:24 -07:00
f9ff551992
Fix for OpenSSL x509_NAME_hash mismatch
2022-02-04 16:59:51 -08:00
28d3292a16
Merge pull request #4811 from haydenroche5/dh_get_2048_256
...
Add DH_get_2048_256 to compatibility layer.
2022-02-02 12:12:34 -08:00
c629c3fcaa
Add DH_get_2048_256 to compatibility layer.
2022-02-02 07:59:17 -08:00
641576390d
wolfSSL_BIO_dump() and wolfSSL_OBJ_obj2txt() rework
...
wolfSSL_BIO_dump(): fix output format and make iterative
wolfSSL_OBJ_obj2txt(): make iterative, test and rework.
2022-02-02 12:43:06 +10:00
59ea65bad3
Merge pull request #4809 from haydenroche5/asn1_int
2022-02-01 13:44:32 -07:00
99799a3e3e
Merge pull request #4806 from anhu/kill_idea
...
Purge IDEA cipher
2022-02-01 12:27:55 -08:00
24a2ed7e9e
Merge pull request #4780 from dgarske/ipsec_racoon
2022-01-31 15:10:58 -08:00
9ea40f3a9c
Purge IDEA cipher
2022-01-31 15:29:25 -05:00
6b71289ae1
Add new ASN1_INTEGER compatibility functions.
...
This commit adds:
- wolfSSL_i2d_ASN1_INTEGER
- wolfSSL_d2i_ASN1_INTEGER
- wolfSSL_ASN1_INTEGER_cmp
2022-01-29 17:01:16 -08:00
b957a6e872
Purge Rabbit cipher
2022-01-28 13:13:53 -05:00
80ae237852
Fixes for building with ipsec-tools/racoon and openvpn:
...
* Fix for `EVP_CIPHER_CTX_flags`, which mapped to a missing function (broke openvpn)
* Added stack of name entries for ipsec/racoon support.
* Added `X509_STORE_CTX_set_flags` stub.
* Added PKCS7 NID types.
* Improved FIPS "SHA" logic in `test_wolfSSL_SHA`
* Added some uncommon NID type definitions.
* Expose the DH `DH_set_length` and `DH_set0_pqg` with OPENSSL_ALL
2022-01-28 09:21:03 -08:00
19042023f4
MD5 vs. FIPS 140-3: fix gating so that unit.test succeeds when --enable-fips=v5 --enable-md5 (HMAC-MD5 is non-FIPS in 140-3, but even in a FIPS 140-3 build, the non-FIPS API can be accessed directly by #undef'ing wc_Hmac*()).
2022-01-27 18:37:29 -06:00
2955d7339e
remove a debugging printf, fix whitespace/indentation, and add a comment re gethostbyname_r buffer size.
2022-01-21 13:00:22 -06:00
6a56d3e131
jumbo patch of fixes for clang-tidy gripes (with some bug fixes).
...
defect/gripe statistics:
configured --enable-all --enable-sp-math-all --enable-intelasm
with LLVM 13 clang-tidy -checks=readability-*,bugprone-*,misc-no-recursion,misc-misplaced-const,misc-redundant-expression,misc-unused-parameters,misc-unused-using-decls,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-optin.performance.Padding,-readability-braces-around-statements,-readability-function-size,-readability-function-cognitive-complexity,-bugprone-suspicious-include,-bugprone-easily-swappable-parameters,-readability-isolate-declaration,-readability-magic-numbers,-readability-else-after-return,-bugprone-reserved-identifier,-readability-suspicious-call-argument,-bugprone-suspicious-string-compare,-bugprone-branch-clone,-misc-redundant-expression,-readability-non-const-parameter,-readability-redundant-control-flow,-readability-misleading-indentation,-bugprone-narrowing-conversions,-bugprone-implicit-widening-of-multiplication-result
[note these figures don't reflect additional defects fixed in this commit for --enable-smallstack, --enable-fips, --enable-async, --enable-asn=template, and --enable-fastmath, and --disable-fastmath]
pre-patch warning count per file, with suppressions:
clang-analyzer-security.insecureAPI.strcpy 6 wolfssl/tests/suites.c
clang-analyzer-security.insecureAPI.strcpy 2 wolfssl/testsuite/testsuite.c
bugprone-suspicious-missing-comma 3 wolfssl/examples/server/server.c
bugprone-suspicious-missing-comma 3 wolfssl/examples/client/client.c
readability-redundant-preprocessor 2 wolfssl/wolfcrypt/src/asn.c
readability-redundant-preprocessor 1 wolfssl/wolfcrypt/src/rsa.c
readability-redundant-preprocessor 9 wolfssl/src/ssl.c
readability-redundant-preprocessor 2 wolfssl/src/tls13.c
readability-redundant-preprocessor 18 wolfssl/tests/api.c
readability-redundant-preprocessor 3 wolfssl/src/internal.c
readability-redundant-preprocessor 10 wolfssl/wolfcrypt/test/test.c
readability-named-parameter 1 wolfssl/wolfcrypt/benchmark/benchmark.c
readability-named-parameter 7 wolfssl/src/internal.c
readability-named-parameter 1 wolfssl/wolfcrypt/src/ecc.c
readability-named-parameter 1 wolfssl/testsuite/testsuite.c
readability-named-parameter 11 wolfssl/wolfcrypt/src/ge_operations.c
misc-no-recursion 3 wolfssl/src/ssl.c
readability-uppercase-literal-suffix 4 wolfssl/wolfcrypt/src/asn.c
readability-uppercase-literal-suffix 1 wolfssl/src/ssl.c
readability-uppercase-literal-suffix 13 wolfssl/wolfcrypt/benchmark/benchmark.c
bugprone-too-small-loop-variable 1 wolfssl/wolfcrypt/src/rsa.c
bugprone-too-small-loop-variable 2 wolfssl/wolfcrypt/src/sha3.c
bugprone-too-small-loop-variable 4 wolfssl/wolfcrypt/src/idea.c
bugprone-signed-char-misuse 2 wolfssl/src/ssl.c
bugprone-signed-char-misuse 3 wolfssl/wolfcrypt/src/sp_int.c
bugprone-signed-char-misuse 3 wolfssl/examples/client/client.c
bugprone-macro-parentheses 19 wolfssl/wolfcrypt/src/aes.c
bugprone-macro-parentheses 109 wolfssl/wolfcrypt/src/camellia.c
bugprone-macro-parentheses 1 wolfssl/src/tls.c
bugprone-macro-parentheses 3 wolfssl/wolfcrypt/src/md4.c
bugprone-macro-parentheses 2 wolfssl/wolfcrypt/src/asn.c
bugprone-macro-parentheses 26 wolfssl/wolfcrypt/src/blake2b.c
bugprone-macro-parentheses 257 wolfssl/wolfcrypt/src/sha3.c
bugprone-macro-parentheses 15 wolfssl/src/ssl.c
bugprone-macro-parentheses 1 wolfssl/wolfcrypt/src/sha.c
bugprone-macro-parentheses 8 wolfssl/tests/api.c
bugprone-macro-parentheses 4 wolfssl/wolfcrypt/src/sp_int.c
bugprone-macro-parentheses 6 wolfssl/wolfcrypt/benchmark/benchmark.c
bugprone-macro-parentheses 38 wolfssl/wolfcrypt/src/hc128.c
bugprone-macro-parentheses 12 wolfssl/wolfcrypt/src/md5.c
bugprone-macro-parentheses 10 wolfssl/wolfcrypt/src/sha256.c
bugprone-macro-parentheses 4 wolfssl/wolfcrypt/test/test.c
bugprone-macro-parentheses 3 wolfssl/wolfcrypt/src/ecc.c
bugprone-macro-parentheses 2 wolfssl/tests/suites.c
bugprone-macro-parentheses 4 wolfssl/wolfcrypt/src/cpuid.c
bugprone-macro-parentheses 26 wolfssl/wolfcrypt/src/blake2s.c
bugprone-macro-parentheses 24 wolfssl/wolfcrypt/src/sha512.c
bugprone-macro-parentheses 3 wolfssl/wolfcrypt/src/poly1305.c
bugprone-macro-parentheses 24 wolfssl/wolfcrypt/src/ripemd.c
readability-inconsistent-declaration-parameter-name 1 wolfssl/src/internal.c
readability-inconsistent-declaration-parameter-name 1 wolfssl/testsuite/testsuite.c
pre-patch warning count summaries, with suppressions:
clang-analyzer-security.insecureAPI.strcpy 8
bugprone-suspicious-missing-comma 6
readability-redundant-preprocessor 45
readability-named-parameter 21
misc-no-recursion 3
readability-uppercase-literal-suffix 18
bugprone-too-small-loop-variable 7
bugprone-signed-char-misuse 8
bugprone-macro-parentheses 601
readability-inconsistent-declaration-parameter-name 2
pre-patch warning count summaries, without suppressions:
clang-analyzer-security.insecureAPI.strcpy 8
bugprone-branch-clone 152
readability-non-const-parameter 118
bugprone-suspicious-missing-comma 6
bugprone-suspicious-include 52
readability-magic-numbers 22423
readability-redundant-preprocessor 45
readability-named-parameter 21
readability-function-cognitive-complexity 845
readability-else-after-return 398
bugprone-implicit-widening-of-multiplication-result 595
readability-function-size 21
readability-isolate-declaration 1090
misc-redundant-expression 2
bugprone-narrowing-conversions 994
misc-no-recursion 3
readability-uppercase-literal-suffix 18
bugprone-reserved-identifier 56
readability-suspicious-call-argument 74
bugprone-too-small-loop-variable 7
bugprone-easily-swappable-parameters 437
bugprone-signed-char-misuse 8
readability-misleading-indentation 94
bugprone-macro-parentheses 601
readability-inconsistent-declaration-parameter-name 2
bugprone-suspicious-string-compare 495
readability-redundant-control-flow 20
readability-braces-around-statements 11483
clang-analyzer-valist.Uninitialized 1
clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling 3502
2022-01-21 01:25:48 -06:00
7adbf59f22
Merge pull request #4767 from anhu/kill_hc128
...
Get rid of HC-128
2022-01-19 12:20:18 -08:00
e745de657f
Merge pull request #4761 from haydenroche5/time_cb
...
Add time callback functionality.
2022-01-18 16:49:19 +10:00
1b0926a3b8
Add time callback functionality.
...
This commit adds `wolfSSL_SetTimeCb` and `wolfSSL_time`. The former allows the
user to override the function wolfSSL uses to get the current time,
`wolfSSL_time`. If set, `wolfSSL_time` uses that function. If not set,
`wolfSSL_time` uses the `XTIME` macro by default. This functionality is needed
for the port of chrony to wolfSSL. chrony is an NTP implementation that uses
GnuTLS by default. For TLS, chrony uses the time it computes in place of the
default system time function.
2022-01-17 17:49:51 -08:00
c2860cb311
Get rid of HC-128
2022-01-17 18:11:54 -05:00
d38c5003d0
Merge pull request #4762 from ejohnstown/old-gcc
...
Old Compiler Warning Cleanup (GCC 4.0.2)
2022-01-17 09:44:44 -08:00
b68b14b499
Merge pull request #4724 from embhorn/zd13462
...
Improve param checks of enc
2022-01-16 15:35:54 -08:00
15f501358d
Merge pull request #4716 from julek-wolfssl/issue-4592
...
Verification: Domain check should only be performed on leaf certs
2022-01-17 08:40:14 +10:00
001469589b
Old Compiler Warning Cleanup (GCC 4.0.2)
...
Fixed a lot of shadowed global values. Some were prototype and function
declaration parameter name conflicts. Some conflicted with typenames.
Some conflicted with globals in libc.
2022-01-14 17:43:21 -08:00
2cf21a3f69
Old Compiler Warning Cleanup (GCC 4.0.2)
...
ecc.c,api.c: Initialize some variables to fix warning for possible
uninitialized variable use.
2022-01-14 17:33:49 -08:00
31e84d82b8
Domain check should only be performed on leaf certs
...
- Refactor `*_set_verify` functions into common logic
- NULL protect `wolfSSL_X509_VERIFY_PARAM_set1_host` and add debug info
2022-01-14 18:16:42 +01:00
355b5821b2
WOLFSSL_SESSION_EXPORT: fixes for scan-build complaints (deadcode.DeadStores) building --enable-all --enable-sessionexport.
2022-01-08 11:43:56 -06:00
f74831a7da
Improve param checks of enc
2022-01-06 09:12:18 -06:00
96e1f77c32
Adds compatibility FIPS DRBG API's and test cases.
2022-01-04 15:13:06 -08:00
7edc916057
wolfcrypt/wolfssl: tests: adding missing wc_Aes*Free()
...
In some Aes implementation this may leak resources
2021-12-30 20:30:33 +01:00
930cad649e
Fix to resolve possible memory leak with DSA `wc_DsaPublicKeyDecode` in API unit test when used with `HAVE_WOLF_BIGINT`.
2021-12-28 16:34:54 -08:00
569c066fab
Improve TLS client side session cache references to provide option for not returning an internal session cache pointer. Now use `wolfSSL_get1_sesson` for reference logic, that requires calling `wolfSSL_SESSION_free`. To disable this feature use `NO_SESSION_CACHE_REF`.
2021-12-23 14:25:45 -08:00
57d2555ac8
Merge pull request #4695 from douzzer/20211222-fips-config-update-and-fix-test_RsaDecryptBoundsCheck
...
fips config update and test-driven cleanup
2021-12-23 10:38:36 -08:00
9892f1f2d5
Merge pull request #4679 from dgarske/fips_ecc_pct
2021-12-23 10:27:51 -07:00
b0a5b16068
api.c: fix logic in test_RsaDecryptBoundsCheck().
2021-12-22 17:32:36 -06:00
38214bd083
Disable the FIPS consistency checks in ECC and DH for key generation by default.
2021-12-22 10:06:19 -08:00
9d137668c7
Merge pull request #4675 from julek-wolfssl/openssh-8.8
...
Fix macro name conflicts with openssh
2021-12-22 08:31:36 -08:00
8435eb4644
Add `WC_` namespace to variable handling defines
2021-12-22 12:16:02 +01:00
dd9b1afb72
Remove magic numbers from `WOLFSSL_ASN_TEMPLATE` code ( #4582 )
...
* pkcs8KeyASN and other misc asn fixes
- Test fixes for testing with `USE_CERT_BUFFERS_1024`
* intASN
* bitStringASN
* objectIdASN
* algoIdASN
* rsaKeyASN
* pbes2ParamsASN
* pbes1ParamsASN
* pkcs8DecASN
* p8EncPbes1ASN
* rsaPublicKeyASN
* dhParamASN
* dhKeyPkcs8ASN
* dsaKeyASN
* dsaPubKeyASN
- Add `wc_SetDsaPublicKey` without header testing
* dsaKeyOctASN
* rsaCertKeyASN
* eccCertKeyASN
* rdnASN
* certNameASN
* digestInfoASN
* otherNameASN
* altNameASN
* basicConsASN
* crlDistASN
* accessDescASN
* authKeyIdASN
* keyUsageASN
* keyPurposeIdASN
* subTreeASN
* nameConstraintsASN
* policyInfoASN
* certExtHdrASN
* certExtASN
* x509CertASN
* reqAttrASN
* strAttrASN
* certReqASN
* eccPublicKeyASN
* edPubKeyASN
* ekuASN
* nameASN
* certExtsASN
* sigASN
* certReqBodyASN_IDX_EXT_BODY
* dsaSigASN
* eccSpecifiedASN
* eccKeyASN
* edKeyASN
* singleResponseASN
* respExtHdrASN
* ocspRespDataASN
* ocspBasicRespASN
* ocspResponseASN
* ocspNonceExtASN
* ocspRequestASN
* revokedASN
* crlASN
* pivASN
* pivCertASN
* dateASN
* `wc_SetDsaPublicKey` was not including `y` in the sequence length
* All index names changed to uppercase
* Shorten names in comments
* Make sure extensions have sequence header when in cert gen
* Fix/refactor size calc in `SetNameEx`
* Pad blocks for encryption
* Add casting for increased enum portability
* Use stack for small ASN types
2021-12-22 11:28:01 +10:00
bf37845e2d
Merge pull request #4680 from JacobBarthelmeh/certs
...
update certificate expiration dates and fix autorenew
2021-12-22 08:48:35 +10:00
c0f8fd5f5d
update certificate dates and fix autorenew
2021-12-20 16:04:05 -08:00
7d4c13b9a4
--with-liboqs now defines HAVE_LIBOQS and HAVE_PQC
...
AKA: The Great Rename of December 2021
2021-12-20 11:48:03 -05:00
ce4f436d0f
Merge pull request #4587 from SparkiDev/dis_algs_fix_1
...
Disable algorithms: fixes
2021-12-19 20:12:30 -08:00
21a5a571e8
Fix `test_wolfSSL_BIO_should_retry` test
...
When `OPENSSL_COMPATIBLE_DEFAULTS` is defined then `SSL_MODE_AUTO_RETRY` is set on context creation. For this test we need to clear this mode so that the `WOLFSSL_CBIO_ERR_WANT_READ` can propagate up to the user.
2021-12-17 12:32:25 +01:00
dec78169bf
Merge pull request #4658 from julek-wolfssl/apache-2.4.51
...
Add Apache 2.4.51 support
2021-12-16 08:52:10 -08:00
e78f7f734e
Add Apache 2.4.51 support
...
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config
- Fix `SSL_set_timeout` to match OpenSSL signature
- Implement `pkey` in `X509_INFO`
- Detect attempt to connect with plain HTTP
- Implement `wolfSSL_OCSP_request_add1_nonce`
- Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher`
- Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method
- Set the TLS version options in the `ssl->options` at the end of ClientHello parsing
- Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set)
- `wolfSSL_get_shutdown` returns a full bidirectional return when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown so if we detect a cleared SSL object, assume full shutdown was performed.
2021-12-16 12:39:38 +01:00
5172130287
add wc_GetPubKeyDerFromCert(), get pub key DER from DecodedCert
2021-12-15 11:04:52 -07:00
92d207a1cd
Add wc_d2i_PKCS12_fp to parse a PKCS #12 file directly in wolfCrypt.
2021-12-13 15:28:34 -08:00
355b779a3e
feature gating tweaks to better support --disable-rsa --disable-dh --disable-dsa. also a whitespace fix in ssl.c.
2021-12-11 14:08:04 -06:00
6764e7c15f
Make wolfCrypt ASN cert parsing functionality public.
...
Currently, the `ParseCert` function is only available if `WOLFSSL_ASN_API` is
defined to `WOLFSSL_API`. The only way to achieve this without enabling the
compatibility layer is to define `WOLFSSL_TEST_CERT`. There are users defining
this so that they can parse certs with wolfCrypt, even though this doesn't seem
to be the original intent of the define. This commit adds the function
`wc_ParseCert` to the public wolfCrypt API. It's simply a wrapper around
`ParseCert`. Similarly, this commit adds `wc_InitDecodedCert` and
`wc_FreeDecodedCert` to the public API, which are wrappers around
`InitDecodedCert` and `FreeDecodedCert`, respectively.
2021-12-10 10:43:28 -08:00
6da0cc1ced
Merge pull request #4600 from dgarske/cust_oid
...
Support for Custom OID in subject and CSR request extension
2021-12-09 11:24:30 +10:00
b4c6140b64
Merge pull request #4442 from julek-wolfssl/kerberos
...
Add Kerberos 5 support
2021-12-02 09:07:34 -08:00
5c172ca955
Merge pull request #4622 from douzzer/fix-wolfsentry-build
...
wolfsentry fixes re HAVE_EX_DATA and wolfsentry_sockaddr
2021-12-01 08:16:07 -08:00
d06ada2ccc
Merge pull request #4610 from julek-wolfssl/nginx-1.21.4
...
Add support for Nginx 1.21.4
2021-12-01 22:27:12 +10:00
aac1b406df
Add support for Nginx 1.21.4
...
- Add KEYGEN to Nginx config
- Check for name length in `wolfSSL_X509_get_subject_name`
- Refactor `wolfSSL_CONF_cmd`
- Implement `wolfSSL_CONF_cmd_value_type`
- Don't forecfully overwrite side
- `issuerName` should be `NULL` since the name is empty
2021-12-01 09:49:52 +01:00
3f65916f3a
HAVE_EX_DATA: fix wolfssl/ssl.h and tests/api.c to build -DHAVE_EX_DATA but -UOPENSSL_EXTRA.
2021-11-30 23:39:16 -06:00
b69a1c860c
Merge pull request #3996 from cconlon/pkcs7_detachedhash
...
adjust PKCS7_VerifySignedData to correctly verify precomputed content hash with detached signature
2021-11-30 12:46:46 -08:00
7524ededd3
Support for Custom OID in subject and CSR request extension:
...
* Adds new build option `WOLFSSL_CUSTOM_OID` for supplying a custom OID in a CSR
* Fixes in ASN template CSR generation.
* Fix to allow calling `wc_Ed25519PublicKeyToDer` and `wc_Ed448PublicKeyToDer` with NULL output buffer to get length only.
* Refactor of the certificate subject name encoding.
* Refactor of the OID's to consolidate.
* Improvements to the Domain Component API unit test.
ZD 12943
2021-11-23 09:51:13 -08:00
1d7b2de074
Code review changes
2021-11-22 11:48:31 +01:00
3da810cb1b
Implement OpenSSL API's
...
- `OBJ_DUP`
- `i2d_PKCS7`
- `BN_rshift1
- `BN_rshift` testing
- Add `--enable-krb`
2021-11-22 11:47:58 +01:00
e7c5f137be
Implement `BN_rand_range`
2021-11-22 11:45:27 +01:00
ccbe184434
Implement CTS
...
Ciphertext stealing on top of CBC is implemented with `wolfSSL_CRYPTO_cts128_encrypt` and `wolfSSL_CRYPTO_cts128_decrypt` APIs
2021-11-22 11:45:27 +01:00
fa662c2ab1
`AES_cbc_encrypt` `enc` parameter flipped. 1 = encrypt 0 = decrypt
...
This change makes the `enc` parameter of `AES_cbc_encrypt` consistent with OpenSSL. This commit flips the meaning of this parameter now.
2021-11-22 11:45:27 +01:00
c3500fa24e
Merge pull request #4581 from miyazakh/max_earlydata
...
add get_max_eraly_data
2021-11-19 09:42:01 -07:00
5a72fee3df
Disable algorithms: fixes
...
WOLFSSL_PUBLIC_MP and disable algorithms didn't work because of api.c.
- mp_cond_copy not available unless ECC compiled in
- wc_export_int not available unless ECC compiled in
Enabling only DH and using SP with SP Math didn't work as the DH
parameters were too small.
sp_cmp is needed when only DH.
mp_set_int is was not available in SP math when RSA is not defined.
mp_set is close enough for the use cases.
Configure with SP and SP math but not RSA, DH and ECC didn't configure -
now default to small maths.
2021-11-19 16:56:33 +10:00
2841b5c93b
Merge pull request #3010 from kaleb-himes/ZD10203
...
Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA
2021-11-18 14:47:25 -08:00
7da0d524ff
add get_max_eraly_data
...
support set/get_max_eraly_data compatibility layer
2021-11-18 09:07:32 +09:00
4800db1f9d
Enable max/min int test even when non 64bit platform
...
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-18 06:58:21 +09:00
361975abbc
Refactor sk_*_free functions
...
Use a single `wolfSSL_sk_pop_free` and `wolfSSL_sk_free` function that free's the stack and optionally free's the node content as well.
2021-11-12 13:55:37 +01:00
6547bcb44c
Consistency in PP checking on use of WOLFSSL_CRYPTO_EX_DATA
2021-11-11 17:47:17 -07:00
bd0f6736c5
Merge pull request #4513 from masap/wpa_sup_dpp
...
Fix X509_PUBKEY_set() to show correct algorithm and parameters
2021-11-09 10:26:59 -08:00
0b4f34d62a
typographic cleanup: fix whitespace, remove unneeded UTF-8, convert C++ comment constructs to C.
2021-11-08 17:35:05 -06:00
ee39fd079f
Fix X509_PUBKEY_set() to show correct algorithm and parameters
...
When build with OpenSSL, trailing program outputs these messages.
algorithm: id-ecPublicKey
parameters: prime256v1
But with wolfSSL, X509_PUBKEY_get0_param() fails.
This patch fixes wolfSSL to display the same values as OpenSSL.
This program was extracted from wpa_supplicant in order to reproduce the
issue.
----------------
int main(void)
{
EVP_PKEY *pkey;
X509_PUBKEY *pub = NULL;
ASN1_OBJECT *ppkalg, *poid;
const ASN1_OBJECT *pa_oid;
const uint8_t *pk;
int ppklen, ptype;
X509_ALGOR *pa;
void *pval;
char buf[100];
const uint8_t data[] = {
0x30, 0x39, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x22, 0x00, 0x03, 0x33, 0x6d, 0xb4, 0xe9, 0xab,
0xf1, 0x1c, 0x96, 0x87, 0x5e, 0x02, 0xcc, 0x92, 0xaf, 0xf6, 0xe1, 0xed, 0x2b, 0xb2, 0xb7, 0xcc,
0x3f, 0xd2, 0xb5, 0x4e, 0x6f, 0x20, 0xc7, 0xea, 0x2f, 0x3f, 0x42
};
size_t data_len = sizeof(data);
const uint8_t *p;
int res;
p = data;
pkey = d2i_PUBKEY(NULL, &p, data_len);
if (!pkey) {
fprintf(stderr, "d2i_PUBKEY() failed\n");
return -1;
}
if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
fprintf(stderr, "invalid type\n");
EVP_PKEY_free(pkey);
return -1;
}
res = X509_PUBKEY_set(&pub, pkey);
if (res != 1) {
fprintf(stderr, "X509_PUBKEY_set() failed\n");
return -1;
}
res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
if (res != 1) {
fprintf(stderr, "X509_PUBKEY_get0_param() failed\n");
return -1;
}
res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
if (res < 0 || (size_t) res >= sizeof(buf)) {
fprintf(stderr, "OBJ_obj2txt() failed\n");
return -1;
}
fprintf(stdout, "algorithm: %s\n", buf);
X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
if (ptype != V_ASN1_OBJECT) {
fprintf(stderr, "X509_ALGOR_get0() failed\n");
return -1;
}
poid = pval;
res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
if (res < 0 || (size_t) res >= sizeof(buf)) {
fprintf(stderr, "OBJ_obj2txt() failed\n");
return -1;
}
fprintf(stdout, "parameters: %s\n", buf);
X509_PUBKEY_free(pub);
EVP_PKEY_free(pkey);
return 0;
}
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-09 07:30:58 +09:00
478f57b347
Merge pull request #4535 from kareem-wolfssl/zd13165
...
Fix building with NO_ECC_KEY_EXPORT.
2021-11-08 11:11:53 -08:00
4fe17cc143
Merge pull request #4527 from julek-wolfssl/zd13097
...
Fix a heap buffer overflow with mismatched PEM structure ZD13097
2021-11-05 08:50:28 -07:00
ae84a2a326
Merge pull request #4293 from TakayukiMatsuo/set_min_proto
...
Add support for value zero as version parameter for SSL_CTX_set_min/max_proto_version
2021-11-04 14:59:34 -06:00
1faa9e66b6
Check `wolfSSL_BIO_read` return
2021-11-04 15:34:33 +01:00
60a86157c7
Fix building with NO_ECC_KEY_EXPORT.
2021-11-03 16:03:26 -07:00
23487a4532
Fix a heap buffer overflow with mismatched PEM structure ZD13097
2021-11-02 11:31:22 +01:00
6ba55edd50
fix async warnings
2021-10-29 14:37:39 -06:00
6b3ff9bae2
Merge pull request #4459 from julek-wolfssl/missing-ext
...
Add x509 name attributes and extensions to DER parsing and generation
2021-10-28 14:30:37 -07:00
6bb7e3900e
Merge pull request #4511 from JacobBarthelmeh/Testing
...
build fixes and PKCS7 BER encoding fix
2021-10-28 10:52:58 -07:00
8cba5dda17
Need to free x509 in tests
2021-10-28 14:50:53 +02:00
a738c16b2f
Can't have macros within macros
2021-10-28 14:50:53 +02:00
7d6f8ea255
Update wrong email in gen script
2021-10-28 14:50:53 +02:00
a6be157628
Gate new AKID functionality on `WOLFSSL_AKID_NAME`
2021-10-28 14:50:53 +02:00
d9af698aa4
Implement raw AKID with WOLFSSL_ASN_TEMPLATE
2021-10-28 14:50:53 +02:00
c162196b27
Add x509 name attributes and extensions to DER parsing and generation
...
- Postal Code
- Street Address
- External Key Usage
- Netscape Certificate Type
- CRL Distribution Points
- Storing full Authority Key Identifier information
- Add new certificates to `certs/test` for testing
- Update WOLFSSL_ASN_TEMPLATE to match new features
2021-10-28 14:50:53 +02:00
c16f0db1b5
Fixes for handling `WC_PENDING_E` async responses in API unit test and examples. Resolves all issues with `--enable-all --enable-asynccrypt --with-intelqa=`.
2021-10-27 15:08:39 -07:00
00249b70ae
fix for build with WOLFSSL_SGX
2021-10-27 13:22:45 -06:00
75df6508e6
Add a read enable for private keys when in FIPS mode.
2021-10-26 20:24:29 -05:00
c2c2e5b4f5
tests/api.c: post_auth_version_cb(): add missing gating on !NO_ERROR_QUEUE for wolfSSL_ERR_get_error() test.
2021-10-26 20:24:28 -05:00
a5c03f65e3
tests/api.c: fix test_CryptoCb_Func() to not attempt signing op on ephemeral ECC keys.
2021-10-26 20:24:28 -05:00
aa6ca43e91
api.c: skip test_wolfSSL_EVP_PBE_scrypt() when FIPS 140-3 (test uses impermissibly short HMAC key).
2021-10-26 20:24:27 -05:00
f1c1f76851
ssl.c: refactor wolfSSL_LH_strhash() to use SHA1 instead of MD5, to eliminate dependency on deprecated alg.
2021-10-26 20:24:27 -05:00
a935f2f86d
FIPS CAST Update
...
1. In the unit test, when checking the build options, also check for
FIPSv4 to make sure 2048-bit RSA is used.
2. In the standalone SHA-1 one step hash function, wc_InitSha() wasn't
getting called, so the FIPS flags didn't get checked. (It was using
wc_InitSha_ex() which bypasses the FIPS checks.)
2021-10-26 20:24:24 -05:00
4825534062
Merge pull request #4500 from cconlon/errorQueueFix
...
fix wc_ERR_print_errors_fp() unit test with NO_ERROR_QUEUE
2021-10-27 05:56:32 +07:00
9c665d7282
Merge pull request #4501 from embhorn/zd13114
...
Fix wolfSSL_ASN1_TIME_diff use of gmtime and 32-bit overflow
2021-10-26 10:47:59 -07:00
87baf7818e
Merge pull request #4505 from julek-wolfssl/fix-nids
...
Make NID's consistent v2
2021-10-26 10:29:42 -07:00
19feab7850
Fix wolfSSL_ASN1_TIME_diff use of gmtime and 32-bit overflow
2021-10-26 07:14:53 -05:00
48b304be00
Fix issues with `AIA_OCSP_OID` and `AIA_CA_ISSUER_OID`
2021-10-26 11:47:27 +02:00
348fec3d29
`wc_ClearErrorNodes` is a local API that is not exported for linking
2021-10-26 09:14:48 +02:00
57b9170ac0
Make NID's consistent
...
- `CTC_SHAwDSA` -> `NID_dsaWithSHA1`
- `CTC_SHA256wDSA` -> `NID_dsa_with_SHA256`
- `CTC_MD2wRSA` -> `NID_md2WithRSAEncryption`
- `CTC_MD5wRSA` -> `NID_md5WithRSAEncryption`
- `CTC_SHAwRSA` -> `NID_sha1WithRSAEncryption`
- `CTC_SHA224wRSA` -> `NID_sha224WithRSAEncryption`
- `CTC_SHA256wRSA` -> `NID_sha256WithRSAEncryption`
- `CTC_SHA384wRSA` -> `NID_sha384WithRSAEncryption`
- `CTC_SHA512wRSA` -> `NID_sha512WithRSAEncryption`
- `CTC_SHA3_224wRSA` -> `NID_RSA_SHA3_224`
- `CTC_SHA3_256wRSA` -> `NID_RSA_SHA3_256`
- `CTC_SHA3_384wRSA` -> `NID_RSA_SHA3_384`
- `CTC_SHA3_512wRSA` -> `NID_RSA_SHA3_512`
- `CTC_SHAwECDSA` -> `NID_ecdsa_with_SHA1`
- `CTC_SHA224wECDSA` -> `NID_ecdsa_with_SHA224`
- `CTC_SHA256wECDSA` -> `NID_ecdsa_with_SHA256`
- `CTC_SHA384wECDSA` -> `NID_ecdsa_with_SHA384`
- `CTC_SHA512wECDSA` -> `NID_ecdsa_with_SHA512`
- `CTC_SHA3_224wECDSA` -> `NID_ecdsa_with_SHA3_224`
- `CTC_SHA3_256wECDSA` -> `NID_ecdsa_with_SHA3_256`
- `CTC_SHA3_384wECDSA` -> `NID_ecdsa_with_SHA3_384`
- `CTC_SHA3_512wECDSA` -> `NID_ecdsa_with_SHA3_512`
- `DSAk` -> `NID_dsa`
- `RSAk` -> `NID_rsaEncryption`
- `ECDSAk` -> `NID_X9_62_id_ecPublicKey`
2021-10-26 09:14:25 +02:00
08d9b145d9
ED25519 and ED448 api.c tests: doesn't compile with --opensslcoexist
...
Change SSL_FATAL_ERROR to WOLFSSL_FATAL_ERROR
2021-10-26 15:50:52 +10:00
a0c7c079b8
Revert "Make NID's consistent"
2021-10-25 21:57:28 -07:00
cdf72facbf
Merge pull request #4429 from julek-wolfssl/fix-nids
...
Make NID's consistent
2021-10-26 09:59:26 +10:00
6070981366
Merge pull request #4490 from dgarske/static_mem_unittest
...
Add CTX static memory API unit tests
2021-10-26 09:52:14 +10:00
a8b6304e19
add unit test for wc_PKCS7_VerifySignedData_ex() with detached signature and content digest only
2021-10-25 15:52:19 -06:00
eb0b6ca122
fix unit test for wc_ERR_print_errors_fp() when NO_ERROR_QUEUE is defined
2021-10-25 13:50:39 -06:00
402ee29163
fix nid2oid/oid2nid for oidCertAuthInfoType
2021-10-22 16:53:18 -06:00
d83d16af59
Merge pull request #4483 from julek-wolfssl/cov-reports
2021-10-22 13:07:57 -07:00
229f0d5fd1
Merge pull request #4485 from JacobBarthelmeh/certs
...
Improve permitted alternate name logic in certificate ASN handling
2021-10-22 11:59:16 -07:00
c027fffa92
Fix for CTX free heap hint issue. With openssl extra the `param` and `x509_store.lookup.dirs` are allocated at CTX init and if heap or static pool was used depends on `ctx->onHeapHint`. Added test case for this and inline code comment.
2021-10-22 11:58:02 -07:00
aad230a7e3
Restore a test case. Add a missing null-check.
2021-10-22 10:36:17 -07:00
4c0527490d
Fixes for API unit test with `WOLFSSL_NO_ASN_STRICT`. Fix spelling error.
2021-10-22 09:59:16 -07:00
0b6523d933
Rename pem_password_cb to wc_pem_password_cb.
...
Recently, we had a wolfEngine customer report a compilation error because
wolfSSL and OpenSSL both define the typedef pem_password_cb. The solution is to
namespace our typedef with the wc_ prefix. In order to not break existing code
that relies on wolfSSL providing pem_password_cb, if OPENSSL_COEXIST is not
defined, we define pem_password_cb as a macro that maps to wc_pem_password_cb.
2021-10-21 16:47:29 -07:00
b5f4a0c005
Improve API unit test to use `X509_NAME_get_sz` and make it widely available.
2021-10-21 16:42:19 -07:00
f17187aad9
Fixes for static memory testing. Fix clang memory sanitizer warnings.
2021-10-21 16:33:57 -07:00
785e37790a
Cleanup API test case debugging.
2021-10-21 12:35:06 -07:00
911d95e5e4
Add CTX static memory API unit tests. Expanded crypto callback TLS tests to older SSL/TLS and DTLS.
2021-10-21 11:47:00 -07:00
79b738b5a6
commit-test and jenkins fixes
2021-10-21 14:29:28 +02:00
4268763adb
`wc_ClearErrorNodes` is a local API that is not exported for linking
2021-10-21 13:47:55 +02:00
20473ba563
Make NID's consistent
...
- `CTC_SHAwDSA` -> `NID_dsaWithSHA1`
- `CTC_SHA256wDSA` -> `NID_dsa_with_SHA256`
- `CTC_MD2wRSA` -> `NID_md2WithRSAEncryption`
- `CTC_MD5wRSA` -> `NID_md5WithRSAEncryption`
- `CTC_SHAwRSA` -> `NID_sha1WithRSAEncryption`
- `CTC_SHA224wRSA` -> `NID_sha224WithRSAEncryption`
- `CTC_SHA256wRSA` -> `NID_sha256WithRSAEncryption`
- `CTC_SHA384wRSA` -> `NID_sha384WithRSAEncryption`
- `CTC_SHA512wRSA` -> `NID_sha512WithRSAEncryption`
- `CTC_SHA3_224wRSA` -> `NID_RSA_SHA3_224`
- `CTC_SHA3_256wRSA` -> `NID_RSA_SHA3_256`
- `CTC_SHA3_384wRSA` -> `NID_RSA_SHA3_384`
- `CTC_SHA3_512wRSA` -> `NID_RSA_SHA3_512`
- `CTC_SHAwECDSA` -> `NID_ecdsa_with_SHA1`
- `CTC_SHA224wECDSA` -> `NID_ecdsa_with_SHA224`
- `CTC_SHA256wECDSA` -> `NID_ecdsa_with_SHA256`
- `CTC_SHA384wECDSA` -> `NID_ecdsa_with_SHA384`
- `CTC_SHA512wECDSA` -> `NID_ecdsa_with_SHA512`
- `CTC_SHA3_224wECDSA` -> `NID_ecdsa_with_SHA3_224`
- `CTC_SHA3_256wECDSA` -> `NID_ecdsa_with_SHA3_256`
- `CTC_SHA3_384wECDSA` -> `NID_ecdsa_with_SHA3_384`
- `CTC_SHA3_512wECDSA` -> `NID_ecdsa_with_SHA3_512`
- `DSAk` -> `NID_dsa`
- `RSAk` -> `NID_rsaEncryption`
- `ECDSAk` -> `NID_X9_62_id_ecPublicKey`
2021-10-21 13:01:57 +02:00
12f86b020a
clean up test case memory and common name size
2021-10-20 17:13:34 -06:00
f57801c17b
more name constraint test cases and adjust DNS base name matching to not require .
2021-10-20 14:25:02 -06:00
6d2a5fab9b
Added test cases for `EVP_PKCS82PKEY` and `EVP_PKEY2PKCS8`.
2021-10-20 09:18:13 -07:00
e0e43b6a16
clean up test case
2021-10-19 23:12:07 -06:00
3b73c6e3ae
handle multiple permitted name constraints
2021-10-19 23:12:07 -06:00
afee92e0cf
bail out when a bad alt name is found in the list of alt names
2021-10-19 23:12:07 -06:00
de8798f4be
Fix API unit tests where DH 3072-bit is not enabled.
2021-10-19 17:04:18 -07:00
a03ed32380
Support for Android KeyStore compatibility API's:
...
* Adds `EVP_PKCS82PKEY` and `d2i_PKCS8_PRIV_KEY_INFO`.
* Adds `EVP_PKEY2PKCS8` and `i2d_PKCS8_PRIV_KEY_INFO`.
* Adds `ECDSA_verify`.
* Fix to allow `SHA256()` and `MD5()` with FIPSv2.
* Decouple crypto callbacks and hash flags
* Fix for possible use of uninitialized when building TLS bench without TLS v1.3.
* Fix for building with `NO_CHECK_PRIVATE_KEY`. Test `./configure --disable-pkcs12 --enable-opensslextra CFLAGS="-DNO_CHECK_PRIVATE_KEY"`.
* Fix to support `RSA_public_decrypt` for PKCSv15 only with FIPS.
* Cleanup `RSA_public_encrypt`, `RSA_public_decrypt` and `RSA_private_decrypt`.
* Added instructions for building wolfSSL with Android kernel.
2021-10-19 17:04:18 -07:00
f04380d624
Merge pull request #4475 from douzzer/fix-scan-build-UnreachableCode
...
scan-build LLVM-13 fixes and expanded coverage
2021-10-20 08:30:46 +10:00
41eecd37e5
Merge pull request #4471 from embhorn/zd11886
...
Fix build errors with NO_BIO config
2021-10-20 08:06:42 +10:00
c0b592ef82
Fix build error with WOLFSSL_USER_IO
2021-10-19 08:27:43 -05:00
e341291d99
scan-build LLVM-13 fixes: tests/api.c: fix -Wunused-but-set-variable for drive_len in test_wolfSSL_EVP_Cipher_extra() by removing the unused drive_len code.
2021-10-18 21:46:10 -05:00
816527e826
scan-build fixes: back out all "#ifndef __clang_analyzer__" wrappers added to suppress false and frivolous positives from alpha.deadcode.UnreachableCode, and rename new macro WC_UNUSED to WC_MAYBE_UNUSED to make its meaning more precisely apparent. build is still clean with -Wunreachable-code-break -Wunreachable-code-return under scan-build-13.
2021-10-18 21:46:09 -05:00
62822be6ce
scan-build LLVM-13 fixes and expanded coverage: add WC_UNUSED and PRAGMA_CLANG_DIAG_{PUSH,POP} macros; deploy "#ifndef __clang_analyzer__" as needed; fix violations and suppress false positives of -Wunreachable-code-break, -Wunreachable-code-return, and -enable-checker alpha.deadcode.UnreachableCode; expand scan-build clean build scope to --enable-all --enable-sp-math-all.
2021-10-18 21:46:09 -05:00
c07a7deec2
sanity check on q value with DSA sign
2021-10-18 10:17:49 -06:00
17e0249a26
Fixing NO_BIO and OPENSSL_ALL errrors
2021-10-14 16:03:52 -05:00
61bab6f68b
Fix test build errors with NO_BIO
2021-10-14 09:37:01 -05:00
63c9fa7a37
add check on bit length of q with DSA
2021-10-11 09:52:57 -06:00
a395305cab
Refactor API unit test named initializer code for `callback_functions`, to avoid older g++ build issues.
2021-10-08 14:04:21 -07:00
854512105f
Merge pull request #4314 from SparkiDev/libkcapi
...
KCAPI: add support for using libkcapi for crypto (Linux Kernel)
2021-10-07 21:23:05 -07:00
e0abcca040
KCAPI: add support for using libkcapi for crypto (Linux Kernel)
...
RSA, DH and ECC not testable as no Linux Kernel driver to use.
ECC implementation is customer specific.
2021-10-08 09:07:22 +10:00
dd6e4093b3
Merge pull request #4448 from JacobBarthelmeh/Compatibility-Layer
...
remove error queue from JNI build and set a default upper bound on it
2021-10-08 08:35:03 +10:00
9d2082f7e1
Fixes and improvements for crypto callbacks with TLS (mutual auth) ( #4437 )
...
* This PR resolves issues with using TLS client authentication (mutual auth) with crypto callbacks. The TLS client auth will not be sent without a private key being set. The solution is to allow setting a public key only if crypto callbacks is enabled and a devId is set.
* Fix to allow using crypto callbacks with TLS mutual authentication where a private key is not available.
* Fix for ED25519 sign when only a private key is loaded.
* Fix to enable crypto callbacks for ED25519 and Curve25519 in TLS by using the _ex init functions.
* Fix for wc_PemToDer return code where a PKCS8 header does not exist.
* Remove duplicate logs in DoCertificateVerify.
* Doxygen API updates: Added crypto callback help and updated use_PrivateKey with info about public key use.
* * Added crypto callback tests for TLS client and server with mutual auth for RSA, ECC and ED25519.
* Enhanced the API unit test TLS code to allow setting CA, cert and key.
* Revert ED25519 changes. Opt to calculate public key directly when required for signing in the TLS crypto callback test. Build configuration fixes.
* Fix to use proper devId in `ProcessBufferTryDecode`.
* Various build fixes due to changes in PR. G++ issue with `missing-field-initializers`. Unused api.c func with DTLS and session export. Duplicate `eccKeyPubFile` def.
* Added crypto callback TLS tests at WOLFSSL object level. Fix for ED25519/ED448 with client mutual auth where the private key is not set till WOLFSSL object. Fix issues with `wolfSSL_CTX_GetDevId` where devId is set on WOLFSSL object. Enable the `_id` API's for crypto callbacks.
* Proper fix for `eccKeyPubFile` name conflict. Was causing RSA test to fail (expected DER, not PEM).
2021-10-07 11:12:06 +10:00
43ffe26133
Merge pull request #4430 from embhorn/zd12976
...
Add support for X9.42 header
2021-10-05 23:47:42 +07:00
b582e152ea
add test case max error queue size
2021-10-04 14:52:05 -06:00
1440b8966d
Add test for X9.42 parsing
2021-10-04 11:05:58 -05:00
774bc36603
Merge pull request #4061 from JacobBarthelmeh/sessionExport
2021-10-01 10:21:42 -07:00
98b1e93429
Merge pull request #4402 from JacobBarthelmeh/Compatibility-Layer
2021-09-30 15:53:58 -07:00
ed8b87306d
account for test case where psk and anon is off
2021-09-30 15:48:55 -06:00
cb4b57c5c7
add tls 1.3 test case
2021-09-30 10:08:47 -06:00
cf1ce3f073
Add get_default_cert_file/env() stubs, SSL_get/set_read_ahead(), SSL_SESSION_has_ticket/lifetime_hint() ( #4349 )
...
* add wolfSSL_X509_get_default_cert_file/file_env/dir/dir_env() stubs
* add SSL_get_read_ahead/SSL_set_read_ahead()
* add SSL_SESSION_has_ticket()
* add SSL_SESSION_get_ticket_lifetime_hint()
* address review feedback - comments, return values
* make SSL_get_read_ahead() arg const
* add unit tests for SESSION_has_ticket/get_ticket_lifetime_hint
* test for SESSION_TICKET_HINT_DEFAULT in api.c for wolfSSL_SESSION_get_ticket_lifetime_hint()
* fix variable shadow warning in api.c
2021-09-30 08:35:23 +10:00
95b9fae605
Add DIST_POINT compatibility functions ( #4351 )
...
* add DIST_POINT compatibility functions
* switch X509_LU_* from enum to define, prevent compiler type warnings
* refactoring, adding in comments, and formating
* refactoring and a memory leak fix
* cast return value for g++ warning
* refactor wolfSSL_sk_DIST_POINT_pop_free and remove NULL assign after free
* fix get next DIST_POINT node for free function
Co-authored-by: Jacob Barthelmeh <jacob@wolfssl.com>
2021-09-30 08:27:39 +10:00
707385724e
adjust macro guard around test cases
2021-09-29 13:28:20 -06:00
5f9f6fd9fa
add some test cases and use allocator
2021-09-29 12:02:26 -06:00
dd7b62d067
fix for use with idea enabled
2021-09-29 11:15:51 -06:00
ae47cb3bcd
update check on is TLS, update macro guard for test case
2021-09-28 16:57:30 -06:00
0e80923fb3
Unit tests for post-quantum groups.
...
Also, fixes for the things they caught such as:
- ssl->arrays->preMasterSecret is pre-allocated so copy into it instead of
moving ownership of buffer.
- server does not need to save the public key.
- in TLSX_KeyShare_Parse() don't call TLSX_KeyShare_Use() because its done in
TLSX_PopulateExtensions().
- in TLSX_KeyShare_Use(), the server generates the ciphertext while the client
generates the public key.
- in TLSX_PopulateExtensions(), prevent client from calling TLSX_KeyShare_Use()
because its already been done.
- Support longer curve/group names.
2021-09-28 17:16:44 -04:00
21181f2437
canned test was made without the wolfssl_idea enum on
2021-09-27 14:01:15 -06:00
8b456b90e0
add test case for tls export/import
2021-09-27 14:01:15 -06:00
2871fc670f
initial serialization of TLS session
2021-09-27 14:00:13 -06:00
3bdce348e9
Added `NID_pkcs9_contentType` and `ub_` to compatibility layer ( #4408 )
...
* Added `NID_pkcs9_contentType` and `ub_` values. ZD 11742
* Improve the API unit test. Also only include when `WOLFSSL_CERT_REQ` defined.
2021-09-27 08:21:53 +10:00
9e4ab9b638
Add BIO_up_ref(), PEM_read_DHparam(), EVP_MD_nid() ( #4348 )
...
* add BIO_up_ref
* add PEM_read_DHparams()
* add EVP_MD_nid()
* exclude PEM_read_DHparams when NO_FILESYSTEM defined
* review feedback: single threaded, indents, EVP_MD_nid
2021-09-27 08:20:37 +10:00
24e2eded1e
Add to the OpenSSL compatibility layer. ( #4404 )
...
- X509_get_extension_flags
- X509_get_key_usage
- X509_get_extended_key_usage
- ASN1_TIME_to_tm
- ASN1_TIME_diff
- PEM_read_X509_REQ
- ERR_load_ERR_strings
- BIO_ssl_shutdown
- BIO_get_ssl
- BIO_new_ssl_connect
- BIO_set_conn_hostname
2021-09-24 12:26:53 +10:00
33cb823148
Remove legacy NTRU and OQS ( #4418 )
...
* Remove NTRU and OQS
* Keep the DTLS serialization format backwards compatible.
* Remove n from mygetopt_long() call.
* Fix over-zealous deletion.
* Resolve problems found by @SparkiDev
2021-09-24 08:37:53 +10:00
e6e7795140
Make subj alt name order match openSSL ( #4406 )
2021-09-22 10:29:57 +10:00
df30a88dc6
Merge pull request #4414 from JacobBarthelmeh/devcrypto
...
update macro guard on SHA256 transform call
2021-09-21 10:03:51 -07:00
7ec7faddef
Merge pull request #4405 from anhu/truncating_last_char
...
Fix for `set1_curves_list` ignoring last character
2021-09-21 08:49:53 -07:00
ec21dd6d13
miscellaneous buildability fixes:
...
configure.ac: fix ed25519/sha512 dependency test to not misfire when ENABLED_32BIT;
wolfssl/wolfcrypt/curve{25519,448}.h: fix redundant typedefs of curve{25519,448}_key (fixes -Wpedantic warnings);
configure.ac: fix for "ISO C forbids an empty translation unit [-Werror=pedantic]", re wolfcrypt/src/sp_c{32,64}.c;
configure.ac: fixes for --enable-32bit versus pedantic "ISO C forbids an empty translation unit", including explicit exclusion of 32bit-incompatible algorithms from enable-all and enable-all-crypto sets;
tests/api.c: fixes for a couple inadequately gated SHA2 dependencies;
tests/api.c:test_wolfSSL_set_alpn_protos(): fix prototype missing (void);
wolfcrypt/src/misc.c and wolfssl/wolfcrypt/misc.h: fix ForceZero() definition and NO_INLINE prototype to not counterfactually constify the mem ptr, to avoid -Wmaybe-uninitialized from gcc11;
wolfcrypt/src/des3.c: drop obsolete register qualifier from declaration in DesSetKey(), for c++17 compatibility;
src/ssl.c:wolfSSL_BN_mod_word(): fix cast of arg2 to mp_mod_d().
2021-09-20 13:38:52 -05:00
1209908468
tests/api.c: fix key size in test_wc_ecc_shared_secret().
2021-09-20 10:27:13 -05:00
c733be728f
Trivial change to re-trigger jenkins.
2021-09-20 08:37:56 -04:00
9bd300e07d
AESNI in FIPS mode does not support zero length inputs ( #4411 )
...
* AESNI in FIPS mode does not support zero length inputs
* Update note to specifically note AESNI
2021-09-20 08:29:15 +10:00
f447e4c1fa
update macro guard on SHA256 transform call
2021-09-17 15:06:13 -07:00
79cc6be806
Make jenkins happy
2021-09-17 15:50:06 -04:00
f2bce42bbd
add function wolfSSL_CTX_get_max_proto_version and handling for edge cases
2021-09-16 01:01:38 -07:00
3503be2c13
Merge pull request #4362 from JacobBarthelmeh/wolfCLU
...
add wolfclu enable option and remove test macro guard
2021-09-15 13:57:50 -07:00
07656e371c
Parameter sanity check and a unit test.
2021-09-15 16:29:55 -04:00
4ad8b07c1c
`wolfSSL_PEM_write_bio_PUBKEY` needs to write only the public part ( #4354 )
...
* `wolfSSL_PEM_write_bio_PUBKEY` needs to write only the public part
The `wolfSSL_PEM_write_bio_PUBKEY` output can't contain the private portion of the key. This output could be used to distribute the public key and if it contains the private part then it gets leaked to others.
* Add heap hint to `wolfSSL_RSA_To_Der`
* Correct function name in logs
2021-09-15 17:34:43 +10:00
d9767207b7
call alpn selection call-back at server side only ( #4377 )
...
* call alpn selection call-back at server side only
* addressed review comment
* addressed jenkins failure
2021-09-15 10:02:18 +10:00
4d49ab6342
add store finished message on Tls13 ( #4381 )
...
* add to store finished message on Tls13
* addressed jenkins failure
* jenkins failures
sanity check for size before copying memory
* remove check of finishSz
* addressed review comments
2021-09-14 09:22:16 +10:00
649aa9c95f
Add error handling to wolfSSL_BIO_get_len ( #4385 )
2021-09-10 08:15:30 +10:00
51a2f9de17
return value convention on compatibility layer ( #4373 )
...
* return value convention
* addressed review comments
* addressed review comment part2
* fix jenkins failures
2021-09-07 08:15:08 +10:00
90116a2873
Add support for wolfSSL_EVP_PBE_scrypt ( #4345 )
2021-09-03 15:49:02 +10:00
a3ee84bf6d
Merge pull request #4355 from anhu/check_support_of_group
...
BUGFIX: Its possible to send a supported group that is not supported.
2021-09-02 20:03:32 -07:00
fd77cb8918
fix `wc_AesKeyWrap_ex` and `wc_AesKeyUnWrap_ex` bound checks ( #4369 )
...
RFC3394 in must be at least 2 64-bit blocks and output is one block longer.
On Unwrapping the input must then be a minimum of 3 64-bit blocks
2021-09-03 12:48:01 +10:00
c412d23b07
add wolfclu enable option
2021-09-02 16:46:38 -06:00
26c7592d4b
leantls only supports secp256r1.
2021-09-02 17:38:04 -04:00
56843fbefd
Add support for EVP_sha512_224/256 ( #4257 )
2021-09-02 14:05:07 +10:00
0d6d171fa4
BUGFIX; Its possible to sending a supported group that is not supported.
...
This change fixes that.
2021-09-01 10:54:52 -04:00
9b6cf56a6e
Expanded support for Curve25519/Curve448 and TLS v1.3 sniffer ( #4335 )
...
* Fixes for building with Ed/Curve25519 only. Fix for IoT safe demo to exit after running once. Added `WOLFSSL_DH_EXTRA` to `--enable-all` and `--enable-sniffer`. Cleanup uses of `==` in configure.ac. Various spelling fixes.
* Fix for sniffer with TLS v1.3 session tickets.
* Fix for ASN Template Ed25519 key export (missing version / not setting OID correctly).
* Add key import/export support for Curve25519/Curve448. Refactor of the 25519/448 ASN code to combine duplicate code.
* Refactor of Curve25519 code. Improved public key export to handle generation when only private is set. Improved private scalar buffer sizing.
* Fix for static ephemeral loading of file buffer.
* Added sniffer Curve25519 support and test case.
* Fix for sniffer to not use ECC for X25519 if both are set.
* Fix Curve448 public export when only private is set.
* Fix for `dh_generate_test` for small stack size.
* Reduce stack size use on new asymmetric DER import/export functions. Cleanup pub length calc.
* Fix invalid comment.
2021-09-01 09:28:24 +10:00
4645a6917c
Merge pull request #4168 from JacobBarthelmeh/wolfCLU
...
function additions and fixes for expansion of wolfCLU
2021-08-30 13:42:50 -07:00
85df95e10d
Merge pull request #4324 from miyazakh/maxfragment
...
add set_tlsext_max_fragment_length support
2021-08-30 10:21:59 -07:00
0488caed4c
Merge pull request #4346 from cconlon/verifyPostHandshake
...
TLS 1.3: add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
2021-08-30 09:47:23 +10:00
070029fd08
add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
2021-08-27 14:49:47 -06:00
65cfef5337
fix for free with test case
2021-08-27 14:10:06 -06:00
83d39932bb
add test case for X509 EXTENSION set
2021-08-27 11:30:44 -06:00
8b79f77fb0
Merge pull request #4327 from JacobBarthelmeh/Compatibility-Layer-Part3
...
add implementation of AUTHORITY_INFO_ACCESS_free
2021-08-27 09:27:34 -07:00
21159659cf
add implementation of AUTHORITY_INFO_ACCESS_free
2021-08-26 14:48:12 -06:00
ef0fb6520d
Merge pull request #4283 from JacobBarthelmeh/Compatibility-Layer-Part2
...
couple more compatibility functions
2021-08-26 11:50:09 -07:00
b5d42eb773
Merge pull request #4318 from kojo1/i2d_RSA
...
arg type compatibility
2021-08-26 09:51:43 -06:00
77eff68b95
addressed review comment
2021-08-25 11:07:32 +09:00
3f2abef212
Merge pull request #4321 from haydenroche5/libimobiledevice
...
Make changes to support libimobiledevice.
2021-08-24 17:19:26 -07:00
3d8dc68266
free test case object
2021-08-24 10:59:38 -06:00
ff521a14e4
add test case and macro mapping
2021-08-24 10:59:38 -06:00
7ff1351971
Make changes to support libimobiledevice.
...
- `EVP_PKEY_assign_RSA` should store the private key in DER format, not the
public key.
- The last call to `infoCb` in `wolfSSL_BIO_write` should provide the length of
the data to write.
- We should be able to parse RSA public keys starting with BEGIN RSA PUBLIC KEY
and ending with END RSA PUBLIC KEY.
2021-08-24 08:52:43 -07:00
9c541568fc
Merge pull request #4313 from SparkiDev/rsa_vfy_only
...
SP RSA verify only: fix to compile
2021-08-23 14:42:56 -07:00
da6e8d394f
shift instead of multiply and add comment
2021-08-23 13:24:27 -06:00
8808e6a3ac
implement set_tlsext_max_fragment_length
2021-08-23 09:08:14 +09:00
10c5e33027
arg type compatibility
2021-08-20 15:21:06 +09:00
dbb03cb5a3
SP RSA verify only: fix to compile
...
Configurations:
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=2048 --enable-sp-math
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math-all
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=small2048 --enable-sp-math --enable-sp-asm
./configure --disable-asn --disable-filesystem --enable-cryptonly
--disable-dh --disable-sha224 --disable-ecc CFLAGS=-DWOLFSSL_PUBLIC_MP
--enable-rsavfy --enable-sp=2048 --enable-sp-math --enable-sp-asm
2021-08-20 13:16:58 +10:00
e7ef48d2b7
Merge pull request #3869 from SparkiDev/asn1_template
...
ASN1 Template: stricter and simpler DER/BER parsing/construction
2021-08-19 12:47:04 -07:00
3226e69649
--enable-linuxkm-pie (FIPS Linux kernel module) ( #4276 )
...
* Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module.
* Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
2021-08-19 09:15:52 -07:00
d486b89c61
ASN1 Template: stricter and simpler DER/BER parsing/construction
...
Reduce debug output noise
2021-08-19 11:32:41 +10:00
9a1233c04d
Merge pull request #4312 from julek-wolfssl/DH_set_length
...
Implement `DH_set_length`.
2021-08-18 16:42:38 -07:00
eaded189ff
Merge pull request #4310 from haydenroche5/dsa_fips
...
Don't run test_wolfSSL_DSA_SIG if HAVE_FIPS is defined.
2021-08-18 16:33:26 -07:00
8df65c3fa7
Merge pull request #4270 from dgarske/zd12586
...
Fixes for various PKCS7 and SRP build issues
2021-08-19 08:12:15 +10:00
c5f9e55567
Fixes for CMAC compatibility layer with AES CBC disabled. CMAC code cleanups. Fixes for "make check" with AES CBC disabled.
2021-08-18 11:30:18 -07:00
6237a7a00d
Merge pull request #4305 from TakayukiMatsuo/i2t
...
Add support for wolfSSL_i2t_ASN1_OBJECT
2021-08-18 10:37:08 -06:00
162f14aaf9
Implement `DH_set_length`.
2021-08-18 13:24:51 +02:00
d1e027b6fa
Fix for pedantic warning with pre-processor in macro.
2021-08-17 14:55:42 -07:00
89904ce82e
Fixes for building without AES CBC and support for PKCS7 without AES CBC.
2021-08-17 10:47:19 -07:00
a9b8b6d3de
Fix for PKCS7 heap hint in API unit test.
2021-08-17 10:46:53 -07:00
421be50cb8
Add support for wolfSSL_i2t_ASN1_OBJECT
2021-08-17 10:52:20 +09:00
95ab6ce4b8
Don't run test_wolfSSL_DSA_SIG if HAVE_FIPS is defined.
...
This test calls `wolfSSL_DSA_do_sign_ex` and `wolfSSL_DSA_do_verify_ex`, both
of which don't exist if `HAVE_FIPS` is defined.
2021-08-16 17:42:00 -07:00
d4391bd997
Parse distinguished names in `DoCertificateRequest`
...
The CA names sent by the server are now being parsed in `DoCertificateRequest` and are saved on a stack in `ssl->ca_names`.
2021-08-14 00:24:08 +02:00
647e007eea
Implement `wolfSSL_set_client_CA_list` and add 'HIGH' cipher suite
2021-08-14 00:24:08 +02:00
b2380069f0
Merge pull request #4261 from dgarske/rsa_der_pub
2021-08-13 13:36:01 -07:00
ca06694bfb
Merge pull request #4282 from miyazakh/SSL_CIPHER_xx
...
Add SSL_CIPHER_get_xxx_nid support
2021-08-13 13:48:31 -06:00
5235b7d1e6
Merge pull request #4291 from miyazakh/PARAM_set1_ip
...
Add X509_VERIFY_PARAM_set1_ip support
2021-08-13 13:45:33 -06:00
1acf64a782
Add support for value zero as version parameter for SSL_CTX_set_min/max_proto_version
2021-08-14 02:16:34 +09:00
ec4e336866
Merge pull request #4299 from haydenroche5/evp_pkey_dec_enc_improvements
...
Make improvements to wolfSSL_EVP_PKEY_encrypt and wolfSSL_EVP_PKEY_decrypt.
2021-08-13 08:10:20 -07:00
3be13f7358
Make improvements to wolfSSL_EVP_PKEY_encrypt and wolfSSL_EVP_PKEY_decrypt.
...
- Handle case where output buffer is NULL. In this case, passed in output buffer
length pointer should be given the maximum output buffer size needed.
- Add better debug messages.
2021-08-12 18:46:15 -07:00
7dea1dcd39
OpenResty 1.13.6.2 and 1.19.3.1 support
...
# New or Updated APIs
- wolfSSL_get_tlsext_status_type
- wolfSSL_X509_chain_up_ref
- wolfSSL_get0_verified_chain
- SSL_CTX_set_cert_cb
- SSL_certs_clear
- SSL_add0_chain_cert ssl_cert_add0_chain_cert
- SSL_add1_chain_cert ssl_cert_add1_chain_cert
- sk_X509_NAME_new_null
- SSL_CTX_set_cert_cb
- SSL_set0_verify_cert_store
- SSL_set_client_CA_list
# Other Changes
- Ignore gdbinit
- Add api.c tests for new API
- Add `WOLFSSL_X509_STORE* x509_store_pt` to `WOLFSSL`
- Add macro to select the `WOLFSSL` specific store when available and the associated `WOLFSSL_CTX` store otherwise. Calls to `ssl->ctx->cm` and `ssl->ctx->x509_store*` were replaced by macros.
- NO-OP when setting existing store
- Add reference counter to `WOLFSSL_X509_STORE`
- Cleanup MD5 redundant declarations
- WOLFSSL_ERROR may map to nothing so make assignment outside of it
- refMutex fields are excluded with SINGLE_THREADED macro
- Chain cert refactor
- Make `wolfSSL_add0_chain_cert` and `wolfSSL_add1_chain_cert` not affect the context associated with the SSL object
- `wolfSSL_CTX_add1_chain_cert` now updates the `ctx->certChain` on success and stores the cert in `ctx->x509Chain` for later free'ing
2021-08-12 23:58:22 +02:00
cccb8f940a
Merge pull request #4209 from julek-wolfssl/net-snmp
...
Add support for net-snmp
2021-08-12 13:06:21 -07:00
93a1fe4580
Merge pull request #4205 from julek-wolfssl/wpas-include-extra-stuff
...
Include stuff needed for EAP in hostap
2021-08-12 11:17:23 -07:00
d4b0ec0705
Merge pull request #4290 from TakayukiMatsuo/general
...
Add wolfSSL_GENERAL_NAME_print
2021-08-12 09:51:28 -06:00
517309724a
Add wolfSSL_GENERAL_NAME_print
2021-08-12 14:17:41 +09:00
fc4e4eacba
Merge pull request #4292 from kojo1/evp
...
EVP_CIPHER_CTX_set_iv_length
2021-08-11 16:13:26 -06:00
fdb6c8141e
Merge pull request #4274 from haydenroche5/pyopenssl
...
Add support for pyOpenSSL.
2021-08-10 11:49:07 -07:00
c0b085dd4a
EVP_CIPHER_CTX_set_iv_length
2021-08-08 14:49:28 +09:00
a066c48f55
fix jenkins failure
2021-08-07 11:13:41 +09:00
a851e13f1d
implemented X509_VERIFY_PARAM_set1_ip
2021-08-07 10:50:57 +09:00
1b2d57123f
tests/api.c: add missing (void) arg lists.
2021-08-05 15:30:33 -05:00
fab227411f
Free ECC cache per thread when used
2021-08-05 15:34:47 +02:00
1e491993ca
add a2i_IPADDRESS
2021-08-05 16:53:36 +07:00
67e773db91
implement SSL_CIPHER_xxxx
2021-08-05 09:42:55 +09:00
5465d40ee3
Attempt to move asn.c RSA API defs into asn_public.h, since ASN is not in FIPS boundary.
2021-08-04 17:42:46 -07:00
35a33b2f00
Add support for pyOpenSSL.
...
pyOpenSSL needs the OpenSSL function X509_EXTENSION_dup, so this commit adds
that to the compatibility layer. It also needs to be able to access the DER
encoding of the subject alt names in a cert, so that's added as well.
2021-08-04 14:08:43 -07:00
fdbe3f0ff1
Merge pull request #4258 from miyazakh/evp_md_do_all
...
add EVP_MD_do_all and OBJ_NAME_do_all support
2021-08-04 12:17:27 -06:00
d39893baa0
add ctx set msg callback
2021-08-04 16:49:01 +07:00
d64768abff
Merge pull request #4265 from miyazakh/ecc_pubkey
...
update der size in actual length
2021-08-03 16:41:36 -06:00
c7a6b17922
Need to free ecc cache
2021-08-03 19:29:08 +02:00
2bbd04f10f
Implement BIO_new_accept and BIO_do_accept
2021-08-03 19:29:08 +02:00
46b061c7bc
Include stuff needed for EAP in hostap
...
Patch that includes the API needed for EAP in hostapd and wpa_supplicant
2021-08-03 17:52:50 +02:00
dc7ae37f7a
Make changes to support port of NTP from OpenSSL to wolfSSL.
2021-08-02 13:33:18 -07:00
a5b55344b1
Merge pull request #2760 from kojo1/EVP-test
...
additional test on EVP_CipherUpdate/Final
2021-08-02 09:23:00 -07:00
0dc98b8299
Add support for EVP_shake128/256
2021-08-02 13:00:31 +09:00
bad9a973b4
remove hard tabs and other minor fixes
2021-07-30 07:07:40 +09:00
297ae23521
additional test on EVP_CipherUpdate/Final
2021-07-30 06:50:01 +09:00
c69d6d2491
Added public API `wc_RsaKeyToPublicDer_ex` to allow getting RSA public key without ASN.1 header (can return only seq + n + e). Related to PR #4068 . Cleanup documentation for RSA and wolfIO. Consolidate duplicate code in `wc_RsaPublicKeyDerSize`.
2021-07-29 09:27:50 -07:00
6f2853ef28
Merge pull request #4251 from dgarske/openssl_all
...
Fixes for edge case builds with openssl all
2021-07-29 08:58:22 -07:00
2b43052f36
update pkey sz in actual length
2021-07-29 23:28:10 +09:00
e333632ad0
add obj_name_do_all
2021-07-29 14:37:10 +09:00
2abf23cbc9
fix jenkins failure
2021-07-29 09:03:38 +09:00
b2b5d4e603
add evp_md_do_all
2021-07-29 08:59:26 +09:00
2c1fed8262
Fixes for edge case builds with openssl all. Improvements to the `test_wolfSSL_PKCS8_d2i`. Allow forceful disable of OCSP with `./configure --enable-opensslall --disable-ocsp`.
2021-07-28 12:32:08 -07:00
4da7fbb654
tests: use different IPv4 address in + add IPv6 SAN to generated cert
2021-07-28 09:36:21 +02:00
0d0dfc3f5e
Merge pull request #4238 from dgarske/xc32
...
Fixes for building with Microchip XC32 and ATECC
2021-07-28 09:33:01 +10:00
2dac9a2a81
Merge pull request #4228 from miyazakh/EVP_blake2xx
...
add EVP_blake2 compatibility layer API
2021-07-27 11:45:37 -06:00
d49d8a9286
Merge pull request #4204 from SparkiDev/ecies_sec1
...
ECIES: SEC.1 and ISO 18033 support
2021-07-27 09:43:53 -07:00
a92f03a11e
Fixes for building with Microchip XC32 and ATECC.
2021-07-27 08:20:20 -07:00
8c63701577
Merge pull request #4247 from SparkiDev/dhp_to_der_fix
...
OpenSSL API: DH params to der
2021-07-26 17:00:34 -07:00
31dde4706e
ECIES: Support SEC 1 and ISO 18033
...
Default is SEC 1.
To use old ECIES implementation: --enable-eccencrypt=old or define
WOLFSSL_ECIES_OLD
To use ISO-18033 implememtation: --enable-eccencrypt=iso18033 or
define WOLFSSL_ECIES_ISO18033
Support passing NULL for public key into wc_ecc_decrypt().
Support not having public key in privKey passed into wc_ecc_encrypt() -
public key is calculated and stored in priKey.
Add decrypt KAT test for ECIES.
2021-07-27 09:30:53 +10:00
028c056c55
Merge pull request #4213 from lealem47/leakFixes
...
Addressing possible leaks in ssl.c and api.c
2021-07-26 23:32:19 +07:00
ce7e1ef94a
Merge pull request #4230 from douzzer/configure-max-bits-and-ex-data
...
configure options for max rsa/ecc bits and ex_data
2021-07-26 09:27:20 -06:00
7d5271ed71
OpenSSL API: DH params to der
...
Fix calculation of length of encoding in ssl.c.
Fix encoding to check proper length in asn.c.
Fix tests to check for correct value (api.c).
2021-07-26 22:47:46 +10:00
27c49b1673
Merge pull request #4075 from julek-wolfssl/bind-dns
...
Bind 9.17.9 and 9.11.22 Support
2021-07-26 11:24:57 +07:00
494e285cf1
configure.ac: add --with-max-rsa-bits, --with-max-ecc-bits, and --enable-context-extra-user-data[=#]; untabify and otherwise clean up whitespace; tweak api.c, ecc.h, rsa.h, and settings.h, for compatibility with new options.
2021-07-23 22:02:58 -05:00
e8d636771f
Merge pull request #4231 from haydenroche5/des3-iv-fips
...
Use correct DES IV size when using FIPS v2.
2021-07-23 09:38:56 -07:00
10168e093a
Rebase fixes
2021-07-23 18:14:54 +02:00
142ff6d885
Bind 9.11.22
2021-07-23 18:14:18 +02:00
06ebcca913
Code review and mp_int memory leak fixes
2021-07-23 18:14:18 +02:00
b4fd737fb1
Bind 9.17.9 Support
...
- Add `--enable-bind` configuration option
- New compatibility API:
- `RSA_get0_crt_params`
- `RSA_set0_crt_params`
- `RSA_get0_factors`
- `RSA_set0_factors`
- `RSA_test_flags`
- `HMAC_CTX_get_md`
- `EVP_MD_block_size`
- `EC_KEY_check_key`
- `o2i_ECPublicKey`
- `DH_get0_key`
- `DH_set0_key`
- Calling `EVP_MD_CTX_cleanup` on an uninitialized `EVP_MD_CTX` structure is no longer an error
- `DH_generate_parameters` and `DH_generate_parameters_ex` has been implemented
2021-07-23 18:14:12 +02:00
94373781b2
C++ fix: cast from void* to X509_OBJECT*
2021-07-23 14:56:38 +10:00
ec180f3901
Use correct DES IV size when using FIPS v2.
2021-07-22 18:17:41 -07:00
6a3ff81f2d
use EVP_get_digestbyname
2021-07-22 08:17:55 +09:00
b4c61b4df9
add EVP_blake2xyyy
2021-07-22 08:17:54 +09:00
c544c19013
Merge pull request #4227 from miyazakh/ERR_lib_error_string
...
add ERR_lib_error_string compatibility layer API
2021-07-21 11:19:29 -06:00
83c6688bee
Merge pull request #4135 from dgarske/evp_set1_eckey
...
Fixes for handling PKCS8 ECC key with EVP PKEY
2021-07-22 00:17:11 +07:00
b76d44dad9
add ERR_lib_error_string
2021-07-21 10:31:00 +09:00
2014d39254
fixes for valgrind-detected leaks and undefined data accesses: wolfSSL_{SHA*,MD5}_Final (OpenSSL compat wrappers): call wc_*Free() on sha state that otherwise leaks when _SMALL_STACK_CACHE; test_wc_curve25519_shared_secret_ex(): properly initialize public_key.
2021-07-20 18:26:05 -05:00
762b384be2
Fixes for `-pedantic` errors.
2021-07-20 10:02:16 -07:00
fd52424dd5
Improvements to PKCS8 handling.
...
* Fixes for handling PKCS8 in keys with EVP PKEY. Resolves QT test issues. Replacement to PR #3925 .
* Improved code handling for PKCS 8 headers. Change PemToDer to not strip the PKCS8 header.
* Add support in the ECC/RSA/DH key import code to support detection / handling of the PKCS8 header.
* Fix for `wc_RsaKeyToDer` to be exposed with `OPENSSL_EXTRA`.
* Adds EVP PKCS8 test case for RSA and ECC.
* Refactor `test_wolfSSL_OPENSSL_hexstr2buf` to resolve g++ compiler warning.
* Added new `WOLFSSL_TRAP_MALLOC_SZ` build option to trap mallocs that are over a specified size.
2021-07-20 10:02:16 -07:00
77c9b36b5a
Merge pull request #4181 from dgarske/sniffer_keycb
...
Sniffer fixes and new sniffer key callback support
2021-07-19 13:26:17 -07:00
186ff2b365
make -DNO_ED25519_KEY_{IMPORT,EXPORT} buildable, and fix api.c and suites.c so that -DNO_ED*_KEY_{IMPORT,EXPORT} pass make check.
2021-07-16 23:07:28 -05:00
ac92204c15
make -DNO_ED448_KEY_{IMPORT,EXPORT} buildable
2021-07-16 18:21:30 -05:00
c97eff6e61
evp.c: add missing checks and logic in wolfSSL_EVP_CIPHER_CTX_ctrl(), and fix api.c:test_IncCtr() to exercise wolfSSL_EVP_CIPHER_CTX_ctrl() with EVP_CTRL_GCM_IV_GEN using an AES cipher, with thanks to Juliusz.
2021-07-16 15:30:23 -05:00
9b43e57ccf
ED: add streaming API to the ED verify routines: wc_ed*_verify_msg_init(), wc_ed*_verify_msg_update(), wc_ed*_verify_msg_final();
...
harmonize the ED448 API with the ED25519 API by making wc_ed448_verify_msg_ex() and wc_ed448_init_ex() public functions;
track devId and heap pointer in ed*_key.{devId,heap}, and pass them through to sha init functions;
add ed*_key.{sha,sha_clean_flag}, and ed*_hash_{reset,update,final} functions, and use them for all ED hashing ops, to support streaming API and for optimally efficient reuse for the preexisting ED calls;
add ed448_hash() akin to ed25519_hash(), and use it in place of wc_Shake256Hash(), for .sha_clean_flag dynamics.
add to wc_ed*_import_private_key() the ability to import the combined key generated by wc_ed*_export_private() without supplying the redundant public key;
add macro asserts near top of ed*.h to assure the required hash functions are available;
fix {NO,HAVE}_ED*_{SIGN,VERIFY};
wolfcrypt/test/test.c: add missing key initializations in ed*_test();
wolfcrypt/test/test.c: fix unaligned access in myDecryptionFunc() detected by -fsanitize=address,undefined.
2021-07-16 13:49:47 -05:00
73323e694f
Addressing possible leaks in ssl.c and api.c
2021-07-16 09:48:06 -06:00
Hayden Roche
David Garske
Chris Conlon
Juliusz Sosinowicz
Daniel Pouzzner
Sean Parkinson
Hideki Miyazaki
Jacob Barthelmeh
Juliusz Sosinowicz
Lealem Amedie
Anthony Hu
John Safranek
Eric Blankenhorn
Marco Oliverio
Masashi Honma
kaleb-himes
Kareem
Anthony Hu
TakayukiMatsuo
elms
Takashi Kojo
TakayukiMatsuo
Takashi Kojo
Per Allansson
Lealem Amedie