This function was just freeing the stack object itself of GENERAL_NAMES with
wolfSSL_sk_free, but this doesn't free the data in the items of the stack. The
fix is to replace wolfSSL_sk_free with wolfSSL_sk_GENERAL_NAME_free.
1. In api.c, change the name of the devId global to testDevId.
2. In api.c, for the SNI test, some of the pointers were multiply
typecast eventually to `void **`. An older compiler didn't like
that. Just use void pointer.
Fix handling of counter to support incrementing across all bytes in
ARM32 crypto asm.
Added test cases for wrapping of counter when 2 blocks are being
encrypted to check assembly alternative path.
Verifying gnerated ECC signature in TLS handshake code to mitigate when
an attacker can gain knowledge of the private key through fault
injection in the signing process.
Requires WOLFSSL_CHECK_SIG_FAULTS to be defined.
Fix handling of counter to support incrementing across all bytes in ARM
crypto asm.
Added test cases for wrapping of counter.
Extracted ARM ASM for AES-CTR.
Use ASM to created encrypted temporary block.
- PR #5486 had test failures in tls13.test and quit unit.test
- the extension was no longer added in SessionTicket messages
- added extra parameter to clarify how the TLSX is used
- Optimize memory usage. Write directly to ssl->session->ticket in CreateTicket() and use a hash to make sure the InternalTicket was encrypted.
- DoClientTicket does not fatally error out anymore. Errors in the ticket result in the ticket being rejected instead.
OpenSSL compat expects ASN_SELF_SIGNED_E when a self signed cert can't be verified. This is useful when translating the error with GetX509Error into a X509_V_ERR_* error.
- add wolfSSL_CTX_curve_is_disabled() and wolfSSL_curve_is_disabled()
to have common checks on wether a curve has been disabled by user
- add macros returning 0 for above function when OPENSSL_EXTRA is not
defined, enabling use without #fidef check
- add macros for checking if named groups are in a certain range
WOLFSSL_NAMED_GROUP_IS_FFHDE()
WOLFSSL_NAMED_GROUP_IS_PQC()
Fixed QuicTransportParam_free() use without case when compiling
with c++.
* PSA: set AES key bits, define PSA_ALG_NONE/PSA_KEY_ID_NULL if needed
* Zephyr: add TimeNowInMilliseconds() for tls13.c, clock_settime() for test.c, update CMakeLists.txt
* Skip including unistd.h for Zephyr in benchmark.c
* Zephyr: update README, add nRF5340dk support to wolfssl_test sample app
* Zephyr: add wolfCrypt benchmark sample app
* Zephyr: add nRF5340 support to tls_thread sample app
* PSA: use specific hash algo with psa_sign/verify_hash()
* Zephyr: add support for PSA Crypto API with PK callbacks to wolfssl_tls_threaded sample app
* Zephyr: add new files to zephyr/include.am
fix TLS version gating in tests/quic.c;
fix gating in src/ssl.c for wolfSSLv2_client_method() and wolfSSLv2_server_method();
reorganize prototypes in wolfssl/ssl.h for wolf*_method*() to group systematically by protocol version and gate correctly on support for that version in the build.
- new internal field for keeping early data enabled status,
as QUIC does not call SSL_write_early_data() itself.
- using read_/write_early_data() methods in QUIC handshake
when early data is enabled. This triggers the internals
that emit the proper early data indication handlings.
Also:
* added HAVE_FALCON guards as needed.
* corrected minor falcon bugs as I found them.
* handling OID sum collision between DILITHIUM_LEVEL5 and DILITHIUM_AES_LEVEL3
Tested with the following commands:
examples/server/server -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
with permutations of SHAKE,AES variants and levels 2,3,5
Support wolfSSL_CTX_set1_curves_list being available when X25519 and/or
X448 only defined.
Don't recognize X25519 or X448 if corresponding define is not set.
Enable test in api.c.
Add support for parsing and verifying certificates with RSA-PSS
signatures. Including check PSS parameters in key with those in
signature algorithm.
Add support for parsing private RSA PSS key.
Add support for parsing public RSA PSS key.
added numerous missing _SMALL_STACK code paths (PK objects on the stack);
in settings.h, enable WOLFSSL_SMALL_STACK_STATIC by default when WOLFSSL_SMALL_STACK is defined (NO_WOLFSSL_SMALL_STACK_STATIC to override);
fixes for unsafe strcat()s in tests/quic.c;
fix for unsafe macro WOLFSSL_IS_QUIC();
fix to exclude quic from enable-all when enable-linuxkm (quic needs opensslextra, and opensslextra currently only works in-kernel in cryptonly builds);
fix for signed/unsigned clash in wolfSSL_quic_receive().
In test with ngtcp2 example client using openssl, session resumption
against a QUIC wolfssl server failed. The error was tracked down to
wolfSSL believing EaryData needs to be handled and returning SUCCESS
from wolfSSL_SSL_do_handshake() after the server Finished had been
sent.
However the handshake was not complete and ngtcp2 invoked the
post_handshake processing for new data arriving from the client.
This failed a check in post processing that the ssl->handShakeState
actually was HANDSHAKE_DONE.
The workaround in this PR repeats do_handshake until the ssl
state acually says it is complete. This way, session resumption works.
Either this alternative do_handshake() is merged for QUIC protocol
hanlders. Or we need to fix the 'normal' do_handshake() to no return
SUCCESS when early data is expected on a QUIC WOLFSSL.
use camel case not underscores in variable names;
restore use of const int variables for buffer sizes in several spots (for ease of smallstack code paths should they be needed);
use more MISRAish flow control in X509PrintSignature().
also, capture the retval from several more snprintf()s to pass directly to wolfSSL_BIO_write(), avoiding frivolous strlen()s.
fix various possible buffer overruns;
fix various runtime-error-driven memory leaks;
various refactors for efficiency, clarity, and safety, including refactors to eliminate unsafe XSTRNCAT() calls.
wc_CertNew() and wc_CertFree() is for use by ABI type aplications, and
others, for having wolfCrypt perform the new/free of the certification
structure w/o the application needing too, and more importantly, needing
to contain knowledge of the structure.
We have users who need to debug errors coming out of libwolfssl in production,
where --enable-debug isn't an option. Our error queue implementation is the
solution, but our usage of WOLFSSL_ERROR isn't consistent. This commit greatly
expands our usage of WOLFSSL_ERROR. There are too many error cases to tackle
all at once, and not all error cases are particularly meaningful or likely to be
hit in regular operation of the library. I've tried to focus on errors that
users are likely to hit, and I've chosen to ignore things like the mountain of
BUFFER_E and BAD_FUNC_ARG cases (for the most part). I've also tried to expand
WOLFSSL_ERROR usage in files where we haven't been using it historically
(e.g. aes.c), so the pattern is now there for other developers to follow. In
order to prevent these additions from exploding the size of libwolfssl, they're
all behind a new macro, WOLFSSL_ERROR_VERBOSE. If WOLFSSL_VERBOSE_ERRORS is
defined, WOLFSSL_ERROR_VERBOSE just maps to WOLFSSL_ERROR.
- can be reverted to previous style by defining NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
- QUIC interop testing reveals that at least QUIC stacks refrain from
issuing session tickets unless the ClientHello shows this extension.
The call to FreeAsyncCtx after SendBuffered was added to clean up state when we are ready to advance state. If we do not advance state, then clean up should be handled in the relevant state.
The error is due to the message triggered by the processing of the
message (Connect()->SendTls13Certificate/SendTls13CertificateVerify/SendTls13Verify). Consider
the message processed to avoid double processing.
- Modify all existing tests to return an int. This moves us in the direction of
being able to return error/success from a test rather than just calling abort
when something fails. Also, all tests now have the same signature, so they can
easily be members of an array of test cases.
- Wrap each test in a TEST_CASE struct, which just stores a pointer to the test
function and the name of the test, for now. In the future, other metadata can
be added (e.g. should this test be run/skipped) to TEST_CASE, if desired.
- Modify all tests to return 0 on success. Right now, this doesn't do us much
good because the failure mechanism isn't returning some value != 0, it's
abort.
- Add TestSetup and TestCleanup functions that run before and after each test,
respectively. The former does nothing right now, and the latter clears the
error queue, if the error queue is compiled in.
During post-handshake authentication async code mistakes connect() error code
with the error code of DoTls13CertificateRequest and wrongly rewinds the buffer.
The bug was never triggered because of side effects of ShrinkBuffer (removed in
40cb6e0853)
wolfSSL_ERR_get_error and wolfSSL_ERR_peek_error_line_data should return the
earliest error in the queue (i.e. the error at the front), but prior to this
commit, they returned the latest/most recent one instead.
In DoAlert, we were adding an error to the queue for all alerts. However, a
close_notify isn't really an error. This commit makes it so DoAlert only adds
errors to the queue for non-close_notify alerts. In ReceiveData, similarly, we
were adding an error to the queue when the peer sent a close_notify, as
determined by ssl->error == ZERO_RETURN. Now, we don't add an error in this
case.
Don't assume that the underlying medium of DTLS provides the full message in a
single operation. This is usually true for message-based socket (eg. using UDP)
and false for stream-based socket (eg. using TCP).
Commit changes:
- Do not error out if we don't have the full message while parsing the header.
- Do not assume that the record header is still in the buffer when decrypting
the message.
- Try to get more data if we didn't read the full DTLS header.
Improve not to use forward declaration struct definition
- include ssl.h rather than forward declaration struct to resolve struct name
- to include ssl.h, it needs to avoid cyclic reference for crypt structure. therefore, Sha and Aes definitions are moved to another header file
add wolfCrypt error codes IO_FAILED_E "Input/output failure" and SYSLIB_FAILED_E "System/library call failed";
tests/api.c and tests/unit.c: flush stdout for error message in Fail() macro, add fflush(stdout) after printf()s, print success message at end of unit_test(), and send several error messages to stderr instead of stdout;
wolfcrypt/test/test.c: add fallthrough macro definition of printf() that pairs it with fflush(stdout);
unit.h: in definition of macro AssertPtr(), add PRAGMA_GCC("GCC diagnostic ignored \"-Wpedantic\"");
sp_int.c: refactor several lingering instances of "if (0) { ... }" code pattern to #if 0 ... #endif.
From the man page
If sendto() is used on a connection-mode (SOCK_STREAM, SOCK_SEQPACKET) socket, the arguments dest_addr and
addrlen are ignored (and the error EISCONN may be returned when they are not NULL and 0), and the error
ENOTCONN is returned when the socket was not actually connected.
When in and out aren't the same pointer, for multiples of block size
input:
- generate the counters into the output buffer
- encrypt output buffer
- XOR in the input
Faster than encrypting a block at a time.
On raw import, don't import ordinates that are larger than the curve
size.
On export of compressed point, don't export ordinate if it is larger
than the curve size.
This fixes the following things:
* Memory leaks in SE050 SHA messages
* Add key to SE050 for ECC sign hash function
* Remove circular include
* Correct prototype for `se050_hash_final`
* A few defined check fixes
Choosing SP and SP math was resulting in only integer.c being used.
Fixed now.
Reorder realloc calls for memory logging to ensure scripts can match
allocate and free calls.
1. Rename _DtlsUpdateWindow() as wolfSSL_Dtls_UpdateWindow() and make
it public so it may be tested.
2. Rename the internal functions DtlsWindowUpdate(), DtlsWindowCheck(),
and DtlsUpdateWindowGTSeq() as _DtlsWindowUpdate() and
_DtlsWindowCheck(), and _DtlsUpdateWindowGTSeq().
3. When updating the DTLS sequence window, and the next sequence
number (lo) wraps to zero, increment the next sequence number (hi)
by 1.
4. Fix an off-by-one error that wrapped around when saving the
packet sequence number in the bit-field window.
5. Adding a test for wolfSSL_DtlsUpdateWindow() function. With many test
cases. It is set up in a table format with running check values.
6. Change location of incrementing the difference when calculating the
location for setting the bit.
7. Updated the check of the sequence difference in the GT scenario.
8. In the DTLS window update functions remove newDiff and just use diff.
9. Handle the cases where the DTLS window crosses the high order word
sequence number change.
10. Add a debug option to print out the state of the DTLS sequence number
window.
In defense against attack, assume the imported public key is not trusted
and check it matches the private key if set.
Added APIs that allow application to explicitly trust public key.
Original APIs default to not trusting public key.
don't enable sp-math-all asm gates when !ENABLED_ASM;
add --with-arm-target to allow selecting thumb or cortex in conjunction with a full --host tuple (e.g. --host=armv6zk-softfloat-linux-gnueabi --with-arm-target=thumb).
1. _WIN64 doesn't have 128-bit type but now can use 64-bit sp_int_digit
when assembly code snippets are being used.
2. Fix sp_div() to support values closer to maximum size.
3. Fix builds to work for more configurations.
4. Have ECC uncompressed code keep intermediate values in range of
maximum (x^3 calculation fixed).
5. Fix configuation.ac's check of FIPS for using signed SP Math All.
Default now not signed as intended.
When HAVE_OID_ENCODING is defined, the named curve OID is encoded rather
than the full OID.
Use SetCurve to get the OID encoding in ASN template implemenation.
FIPS v5-dev follows the non-FIPS default (now sp-math-all);
add -DWC_NO_CACHE_RESISTANT to AM_CFLAGS when $ENABLED_HARDEN != yes;
add ENABLED_BIGNUM sensor and use it in linuxkm math back end assert;
add configuration callout for "Side-channel Hardening" reporting value of $ENABLED_HARDEN.
fasthugemath means turn on fastmath
Use sp_int_digit and not sp_digit in sp_int.c.
test.c needs to use large static buffer when SP Math used like fastmath.
When building static memroy, SP math all without WOLFSSL_SP_NO_MALLOC is
a valid configuration.
Fix freeing of bigint in sp_int.c.
Cast x to a signed value to negate and then back to unsigned. (For
Windows builds.)
Remove warning about empty file on Windows about integer.obj.
Allow RSA verify only and RSA public only to be used with other public
key algorithms.
If building for FIPS, then older versions of RSA and ECC require SP Math
to support negative numbers.
Get old FIPS files building with SP int.
Disallow --enable-sp-math and --enable-sp-math-all.
When just --enable-sp-math on configuration line then disable SP Math
all.
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.
wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.
Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
This commits add some new options to examples/[server,client] to support testing
of DTLS v1.3.
client: add waitTicket option
If this option is used, the client will wait until it receives a sessionTicket
from the server. This is useful when testing DTLS retransmission.
client: add waitKeyUpdate option
When this option is set, the client waits until the UpdateKey message is
acknowledged by the server. This is useful to test DTLS retransmission logic
This way we can use wolfSSL_Peek() invoked with sz == 0 to process pending
records and, if none of this records is an application data record, we will not
block.
Introduce ACK and retransmission logic, encapsulated in a Dtls13RtxFsm
object. The retransmission or the sending of an ACK is scheduled by setting the
appropriate flag inside the Dtls13RtxFSM object but the actual writing on the
socket is deferred and done in wolfSSL_Accept/Connect.
* Retransmission
Each sent message is encapsulated in a Dtl13RtxRecord and saved on a list. If we
receive an ACK for at record, we remove it from the list so it will be not
retransmitted further, then we will retransmit the remaining
ones. Retransmission is throttled: beside link congestion, this also avoid too
many sequence numbers bounded with a record.
* ACK
For each received record we save the record sequence number, so we can send an
ACK if needed. We send an ACK either if explicitly needed by the flight or if we
detect a disruption.
Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
This commit implements the core of the header parsing, building, and the sending
and receiving routines that handle fragmentation and defragmentation.
* In DTLSv1.3 the header used for protected messages is a variable-length header,
and it is described RFC9147 Section 4.
* Fragmentation happens after building the full message, if necessary. If the
underlying I/O can't send a fragment because of a WANT_WRITE error, the sending
of fragments will continue in the next invocation of
wolfSSL_connect/wolfSSL_accept/wolfSSL_write. In this case the message is saved
in a buffer inside the WolfSSL object.
* Defragmentation works like DTLSv1.2 defragmentation, and re-use
most of the same code.
* The Dtls13AddHeaders() function does not add the record layer header, but it
lefts space for it. It is eventually placed by BuildTls13Message() to allow
easier management of sequence numbers.
In DTLSv1.3, because of retransmission and reordering, we may need to encrypt or
decrypt records with older keys. As an example, if the server finished message
is lost, the server will need to retransmit that message using handshake traffic
keys, even if he already used the traffic0 ones (as, for example, to send
NewSessionTicket just after the finished message).
This commit implements a way to save the key bound to a DTLS epoch and setting
the right key/epoch when needed.
as word64 is not always available, introduce an abstract type and companion
operations. They use a word64 if available and fallback on word32[2] otherwise.
Also fixed some small errors during shutdown in benchmarks.
Tested with:
./configure --enable-psk CFLAGS=-DWOLFSSL_STATIC_PSK
make all check
./examples/benchmark/tls_bench
Adds support for embOS memory and mutex functions. Also adds support for
emNET's error codes, it uses a BSD compatible TCP/IP stack for network
functions.
There is no easy native way to detect that you are compiling with emNET
or embOS so these require the user to define WOLFSSL_EMBOS /
WOLFSSL_EMNET.
With PR 5170, I added logic that requires a EVP_CTRL_GCM_SET_IV_FIXED command be
issued before a EVP_CTRL_GCM_IV_GEN command. This matches OpenSSL's behavior.
However, OpenSSL also clears the flag enabling EVP_CTRL_GCM_IV_GEN after
EVP_CTRL_GCM_SET_IV_FIXED if EVP_CipherInit is called with a NULL key.
Otherwise, the flag retains its value. We didn't mirror this logic, and that
caused problems in OpenSSH unit testing. This commit aligns our logic with
OpenSSL's and adds a regression test to test_evp_cipher_aes_gcm for this case.
* PKCS7 should use allocated buffer for RSA.
* PKCS7 small stack typo for `keyAlgArray` size in `wc_PKCS7_AddRecipient_KTRI`.
* Fix for use of `free`, which should be `XFREE` in api.c.
* Cleanup old RSA benchmarking MDK5/WINCE code no longer needed with `WC_DECLARE_ARRAY_DYNAMIC_DEC` and `WC_DECLARE_ARRAY_DYNAMIC_EXE`.
- Fix case where message grouping can make CheckAvailableSize return a WANT_WRITE
- CheckAvailableSize in tls13.c will not return a WANT_WRITE since it only does so for DTLS <=1.2
Testing:
./autogen.sh
./configure --enable-psk
make all check
$ ./examples/server/server -j -l ECDHE-PSK-AES128-GCM-SHA256
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client message: hello wolfssl!
$ ./examples/client/client -s -l ECDHE-PSK-AES128-GCM-SHA256
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
I hear you fa shizzle!
- Async I/O can be turned off with WOLFSSL_NO_ASYNC_IO
- WOLFSSL_ASYNC_IO functionality enabled in SendCertificateVerify() and SendServerKeyExchange() to allow safe re-entry into SendHandshakeMsg()
- Testing size of structs is refactored int WOLFSSL_ASSERT_SIZEOF_GE()
Discovered the AES-GCM flow using this command didn't work in our OpenSSH port.
This commit makes the behavior match OpenSSL and adds testing using known
OpenSSL-generated test vectors to prevent regressions. This was one of those
problems where two ends of a connection would work fine if they were both using
wolfSSL but not if one was using OpenSSL (i.e. OpenSSH interop with AES-GCM
was broken).
1. Add some OIDs used in the Federal PKI Policy Authority standard.
2. Added the SubjectDirectoryAttributes extension to certificate
parsing. (limited to country of citizenship)
3. Rename constant label SUBJECT_INFO_ACCESS to SUBJ_INFO_ACC_OID
4. Added the SubjectInfoAccess extension to certificate parsing.
(limited to one URL)
5. Add the SSH extended key usage flags.
6. Use some of the template changes on the new certificate items.
Change ldrd to either have even first register or change over to ldm
with even first register.
Ensure shift value in ORR instruction has a hash before it.
Don't index loads and stores by 256 or more - make them post-index.
div2 for P521 simplified.
Prior to this commit, if you wanted access to the Finished messages from a
handshake, you needed to turn on the compatibility layer, via one of
OPENSSL_ALL, WOLFSSL_HAPROXY, or WOLFSSL_WPAS. With this commit, defining any
of these causes WOLFSSL_HAVE_TLS_UNIQUE to be defined (a reference to the
tls-unique channel binding which these messages are used for) in settings.h.
This allows a user to define WOLFSSL_HAVE_TLS_UNIQUE to access the Finished
messages without bringing in the whole compat layer.
We should never encounter this bug under normal circumstances. But if we enter
processReplyEx with a wrongly `ssl->options.processReply` set to
`runProcessingOneMessage` we check that we have some data.
This is turned on when `WOLFSSL_HAVE_ISSUER_NAMES` is defined. This allows the
user to inspect various issuer name components (e.g. locality, organization,
etc.) by using these new fields in a `DecodedCert`.
Ignore packet if coming from a peer of a different size *or* from a different
peer. Avoid whole memcmp of sockaddr_in[6] struct because is not portable (there
are optional fields in struct sockaddr_in).
- Do UDP connect only with simulateWantWrite to accommodate macOS that doesn't like sendto being called on connected UDP sockets
- Call wolfSSL_dtls_get_current_timeout only on a DTLS connection
- WANT_WRITE could be returned in unexpected places. This patch takes care of that.
- Change state after SendBuffered only if in a sending state to begin with.
- Adapt client and server to simulate WANT_WRITE with DTLS
Fix the check to see if the cookie has key_share information or not (needed to
reconstruct the HelloRetryRequest). At the moment, it looks like we never send a
cookie without KeyShare extension. Indeed the HelloRetryRequest is sent only
because the client didn't provide a good KeyShareEntry in the first
ClientHello. When we will support DTLSv1.3, the HelloRetryRequest will be used
as a return-routability check and it may be sent without the KeyShare extension.
otherwise statement of the type:
if (condtion)
WOLFSSL_MSG("");
after preprocessing will become:
if (condition)
;
The empty body emits a warning from the compiler.
The wolfCrypt and wolfSSL Python wrappers are maintained in the
wolfCrypt-py and wolfSSL-py trees respectively. The duplicates in this
tree are stale. The content has been checked and any important changes
have been ported over to their respective trees.
This commit allows the examples to perform a bidirectional shutdown also when
using UDP. It is useful to test DTLS retransmission.
Signed-off-by: Marco Oliverio <marco@wolfssl.com>
Allow the user to register a session remove callback with wolfSSL_CTX_sess_set_remove_cb() that will be called when the session is about to be free'd or evicted from cache.
Implement div words for different platforms.
Use implementation not using a divide instruction unless
SP_DIV_WORD_USE_DIV or we know there is a div instruction.
Fix Thumb implementation of div word.
GCM: make borrow constant time.
AES-GCM decrypt: compare at end and constant time.
Random: array_add touchs all elements every time.
RSA-OAEP: look for padding byte in constant time (look at every byte in
array).
SP
- reduce conditional use (make them bit ops)
- Fix point adds to not use double when adding infinity to infinity
- Implement signed div as __divi3 is not constant time.
- Move check sof input variables to API.
Prior to this commit, these were guarded by OPENSSL_EXTRA ||
OPENSSL_EXTRA_X509_SMALL. Adding them into the struct for non-compatibility
layer builds only increases memory usage slightly and is useful for the user.
The test for certificate extensions requires both the test certs option
and the certificate generation option to run. The certs for the test are
generated by wolfCrypt. This disables the extensions test if
certificate generation is disabled.
CBIORecv/Send are only assigned once.
IOCB_ReadCtx/WriteCtx only assigned once.
BuildMessage checks output and input wiht sizeOnly every call - state
machine doesn't cache these.
Renamed alias_tbl variables to something unique.
Other cppcheck fixes.
Also reworked pem_read_bio_key().
* Fix wolfSSL_RSA_public_decrypt() return value to match Openssl
* Add support for EVP_PKEY_verify_init() and EVP_PKEY_verify()
* wpa_supplicant SAE public key functionality requires this function.
* Add DSA support for EVP_PKEY_sign/verify()
* Add ECDSA support for EVP_PKEY_sign/verify()
* Add tests for EVP_PKEY_sign_verify()
* Fix "siglen = keySz" at error cases
* Fix wolfSSL_DSA_do_sign() usage
1. Check wolfSSL_BN_num_bytes() return value
2. Check siglen size
3. Double the siglen
* Check return code of wolfSSL_i2d_ECDSA_SIG() in wolfSSL_EVP_DigestSignFinal()
* Add size calculations to `wolfSSL_EVP_PKEY_sign`
* Add size checks to wolfSSL_EVP_PKEY_sign before writing out signature
* Use wc_ecc_sig_size() to calculate ECC signature size
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* Sniffer: Remove old restrictions for max strength, encrypt-then-mac and forcing openssl-extra.
* Fix bound warning with strncpy in sniffer.c.
* Fix for async DH issue.
* Fix for SP math all not initializing raw big int.
* Fix for array bounds warning with "-O3" on SetEccPublicKey.
* Fix a sniffer async edge case with TLS v1.2 static RSA and extended master.
* Improved the sniffer test script detection of features.
* Disable ECC custom curve test with Intel QuickAssist.
Passing in x=0 and y=0 meant to return ECC_INF_E.
Passing in x=0, y=not 0 or x=not 0, y=0 now checks whether the point is
valid and forces a return of BAD_FUNC_ARG when IS_POINT_E is returned
from check.
- Add support for ASN1_TIME_compare, DH_new_by_nid, OBJ_length, OBJ_get0_data,
and ChaCha20-Poly1305 and HKDF in the EVP layer.
- Map EC_POINT_get_affine_coordinates to
wolfSSL_EC_POINT_get_affine_coordinates_GFp and EC_POINT_set_affine_coordinates
to wolfSSL_EC_POINT_set_affine_coordinates_GFp.
- Add kdf.h compatibility header.
Curve25519: reduce to less than mod at end of curve25519, optimize to
not use imulq when andq can be used instead.
x86_64 Karatsuba Mul: Don't put add carry into overflow and then
continue adding zero. Overflow is lost.
* Fix include.am missing line
* Fix macros
* Add "static" keyword where needed
* Make compatible with MSP430 GCC
* Add MSP430 GCC Makefile
* Fix watchdog issue with GCC, also fixes IAR when large data model is
used
* Fix comment style
* Fix typo in RNG (makes it ever so slightly more random)
* Add example output to README
EC point add is a double if affine ordinates are the same.
Fix AVX2 implementation of mod inv to do conversion from 26 bits in
32-bit registers to 64 bits in 64-bit registers. Also handle negative
value.
RSA OAEP: loop down to last byte. Must have a separator.
Div for x86_64: fix to have all 1s when high word equals divisor.
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
Added a test for the TLSv1.3 KDF to the wolfcrypt test. It uses 6
different test cases from the CAVP tests. A set of 8 session keys are
generated using multiple exporters.
Prior to this commit, this function used XMKTIME (mktime) to convert the
passed in WOLFSSL_ASN1_TIMEs to Unix timestamps. On platforms where time_t is
32 bits long, times after the year 2038 can't be represented with this type. To
fix this, we need to not use XMKTIME. With this commit, the static function
time2epoch is added to ssl.c, which uses the date time information to compute
seconds since the Unix epoch without the use of mktime. It returns the seconds
as a long long. This is sufficient to make the function work for years > 2038 on
the platform of the user who discovered this problem in the first place (Yocto
Linux on ARMv7).
- Previously, this function would round up the requested bits to the next
multiple of 8. With this commit, the function returns a number of exactly the
number of bits requested, which is the same behavior as OpenSSL. This problem
was discovered by a user using the compatibility layer with OpenSSH's ssh-keygen
utility.
- This function now respects the top and bottom parameters.
- Improved unit testing.
# Description
This is a replacement to https://github.com/wolfSSL/wolfssl/pull/4989, per the [comment](https://github.com/wolfSSL/wolfssl/pull/4989#issuecomment-1080998040)
Overhauled `win_setup.bat` for more robust and flexible install of wolfSSL to ESP-IDF `component` directory.
Functionally, there are no significant changes. However this version:
- more verbose output
- show directories used
- more error checking
- check for existing wolfSSL component; prompt to purge or update
- save and optionally re-use `config.h` and `user_settings.h`
- optionally target an alternate ESP-IDF path (useful for VisualGDB)
- offer tips and reminders upon completion
# Testing
Tested on Windows 10 with both ESP-IDF command prompt and stand-alone DOS prompt (e.g. for VisualGDB)
# Checklist
- [ ] added tests
- [ ] updated/added doxygen
- [ ] updated appropriate READMEs
- [ ] Updated manual and documentation
cc: @dgarske
Change Karatsuba implementations for x86_64.
Fix ECC code to better handle corner cases.
Add 'lower' versions of functions wehn an input is known to be less than m.
Add mont_add/dbl/tpl/sub for P384.
Change ECC point add to be cache-attack resistant.
Change mod_exp to be cache-attack resistant.
src/internal.c: use XMEMCMP(), not ==, to compare array elements (fixes conflict of 74408e3ee3 vs 617eda9d44);
fix spelling of NAMEDGROUP_LEN (was NAMEDGREOUP_LEN);
src/ssl.c: in CheckcipherList() and wolfSSL_parse_cipher_list(), use XMEMCPY(), not XSTRNCPY(), to avoid (benign) -Wstringop-truncation;
scripts/sniffer-tls13-gen.sh: fix for shellcheck SC2242 (exit 1, not -1).
`WOLFSSL_ERROR_CODE_OPENSSL` breaks ABI compatiblity due to changing the expected return code. Let's only do this when building with the full compatibility layer.
- use the `WOLFSSL_BUF_MEM` struct to resize the internal memory buffer
- add a `WOLFSSL_BIO_RESIZE_THRESHOLD` define that will be used to determine how often to shrink the internal buffer. This should cut down on the number of free/malloc calls made significantly. This should help with our inefficient 1 byte reads in `loadX509orX509REQFromPemBio`.
- implement `wolfSSL_BUF_MEM_resize` which allows bi-directional buffer size manipulation
- return `1` from `wolfSSL_BIO_set_mem_eof_return` instead of `0` for success
- bind requires ALPN
- `OPENSSL_COMPATIBLE_DEFAULT` defined for bind
- `WOLFSSL_ERROR_CODE_OPENSSL` defined when using compatibility layer
- return `bio->eof` on no pending data to read in memory BIO (defaults to `WOLFSSL_BIO_ERROR`)
- `flags` is no longer an input parameter in `wolfSSL_ERR_get_error_line_data`
- allow lazy parameter loading in `wolfSSL_DH_set0_key`
- implement reference counter in `WOLFSSL_EC_KEY`
- load serial number from `x509->serialNumber` if `x509->serial` is empty
* Adds stateful handling of DH shared secret computation in `SetupKeys`.
* Improved the decrypt handling to use internal functions and avoid generating alerts on failures.
* Fix for sniffer resume due to missing `sessionIDSz` broken in #4807.
* Fix sniffer test cases to split resume (session_ticket) tests.
* Add `snifftest` list of build features so test script can gate running resume test.
* Change DTLS epoch size word16.
* Allow override of the `RECORD_SIZE` and `STATIC_BUFFER_LEN`.
* Remove endianness force from game build.
* Add `gmtime_s` option.
* Fix for macro conflict with `MAX_KEY_SIZE`.
* Expose functions `wolfSSL_X509_notBefore`, `wolfSSL_X509_notAfter`, `wolfSSL_X509_version` without `OPENSSL_EXTRA`.
Recommend using `wolfSSL_get1_session` and `NO_SESSION_CACHE_REF` for session resumption purposes. `wolfSSL_get_session` should not be used unless to inspect the current session object.
When WOLFSSL_PSK_MULTI_ID_PER_CS is defined, multiple identities can be
returned for a cipher suite.
The first byte of the identity is the count of identites that have been
seen so far for the cipher suite.
1. Add configure option to enable AMD's RDSEED.
2. Add seed parameters when building specifically for AMD using RDSEED.
3. Update the wolfCrypt test to play nice with the larger seed size.
This function should not error out if one of the passed in times is the Unix
epoch. This amounts to erroring out when the XMKTIME returns < 0, rather than
<= 0.
1. Remove the v3 FIPS build from configure and automake. This was for
the old FIPS Ready build, which is now fixed to the certificate 3389
configuration.
2. Remove AES-GCM, PKCS12, and SHA-3 from wolfRand build. They were
getting reenabled later in the configure.
The following config would fail `../configure --enable-opensslall CFLAGS="-DOPENSSL_COMPATIBLE_DEFAULTS" && make -j check`. This is because `test-fails.conf` `ECC no signer error` test expects a failure while the ECC CA was being added as a trusted cert due to `OPENSSL_COMPATIBLE_DEFAULTS`.
We defined these codes to values that didn't match those in OpenSSL. This is a
problem if a user is porting code from OpenSSL to wolfSSL that uses hardcoded
versions of these values. While the user's code should be fixed to not use
hardcoded values, we can make the port smoother by syncing the values up.
in scripts/tls13.test, use fips-compatible server-side cipher suite for "TLS v1.3 cipher suite mismatch" test, and modernize some syntax;
in configure.ac, omit earlydata from enable-all when asynccrypt, pending fix;
also in configure.ac, fix AC_CHECK_DECLS()-overriding-AC_CHECK_FUNCS() kludge, to fix CPPFLAGS=-std=c99 builds.
The pending check was forcing a `WOLFSSL_CBIO_ERR_WANT_WRITE` return even though the underlying socket was closed and `WOLFSSL_BIO_FLAG_READ|WOLFSSL_BIO_FLAG_RETRY` was not set. The `wolfSSL_BIO_ctrl_pending(ssl->biord) == 0` is old and I can't find a reason to keep checking it. I left it just in the case where there is output data pending.
Need to right shift number down when hash is more than 521 bits.
Previously handled at a byte level and now at bit level.
Always return err from sp_*_ecc_mulmod_add_only_*().
When ECC add and double points are public and only have SP
implementation, check that the point ordinates are the right size.
Like other i2d functions, these functions should be able to take a NULL output
parameter and return the necessary output buffer size. This commit adds this
ability. This commit also removes some redundant code in wolfSSL_i2d_X509_NAME.
cert_asn1_test was constructing a BER encoding of a certificate that
didn't have all the components. It was trying to test putting in a bad
OID in the certificate name.
The original ASN.1 parsing code stopped at the bad name. ASN.1 template
code does the whole structure and then digs into the name.
A complete certificate should have always been used.
Currently, it only supports ECC, which is all we need it for for the OpenSplice
port we're working on. In the ECC case, all it needs to do is set the group
appropriately. The logic is very similar to `wolfSSL_EVP_PKEY_keygen`, minus
the final step of actually generating the key.
`wolfSSL_CTX_up_ref` is a small and potentially useful API for users so it doesn't need to be restricted only to the compatibility layer. The reference counting mechanisms are always available anyway. This just exposes the functionality to the user.
Before this pull request, `wolfSSL_get_session` always returned a pointer to the internal session cache. The user can't tell if the underlying session hasn't changed before it calls `wolfSSL_set_session` on it. This PR adds a define `NO_SESSION_CACHE_REF` (for now only defined with `OPENSSL_COMPATIBLE_DEFAULTS`) that makes wolfSSL only return a pointer to `ssl->session`. The issue is that this makes the pointer returned non-persistent ie: it gets free'd with the `WOLFSSL` object. This commit leverages the lightweight `ClientCache` to "increase" the size of the session cache. The hash of the session ID is checked to make sure that the underlying session hasn't changed.
- Adding and getting sessions to and from the local cache is now atomic.
- The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
-`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.
- New/Implemented API
- `SSL_has_pending`
- `wolfSSL_CertManagerLoadCRLFile`
- `wolfSSL_LoadCRLFile`
- `wolfSSL_CTX_LoadCRLFile`
- `wolfSSL_CTX_add_session`
- Calling chain certificate API (for example `wolfSSL_CTX_use_certificate_chain_file`) no longer requires an actual chain certificate PEM file to be passed in as input. `ProcessUserChain` error in `ProcessBuffer` is ignored if it returns that it didn't find a chain.
- Add `WOLFSSL_TICKET_HAVE_ID` macro. When defined tickets will include the original session ID that can be used to lookup the session in internal cache. This is useful for fetching information about the peer that doesn't get sent in a resumption (such as the peer's certificate chain).
- Add `ssl->ticketSessionID` field because `ssl->session.sessionID` is used to return the "bogus" session ID sent by the client in TLS 1.3
- `OPENSSL_COMPATIBLE_DEFAULTS` changes
- Define `WOLFSSL_TRUST_PEER_CERT` and certificates added as CA's will also be loaded as trusted peer certificates
- Define `WOLFSSL_TLS13_MIDDLEBOX_COMPAT`
- Seperate `internalCacheOff` and `internalCacheLookupOff` options to govern session addition and lookup
- `VerifyServerSuite` now determines if RSA is available by checking for it directly and not assuming it as the default if static ECC is not available
- `WOLFSSL_SESSION` changes
- `ssl->extSession` added to return a dynamic session when internalCacheOff is set
- `ssl->session.refPtr` made dynamic and gets free'd in `SSL_ResourceFree`
- If `SSL_MODE_AUTO_RETRY` is set then retry should only occur during a handshake
- `WOLFSSL_TRUST_PEER_CERT` code now always uses `cert->subjectHash` for the `cm->tpTable` table row selection
- Change some error message names to line up with OpenSSL equivalents
- Run `MatchSuite` again if certificate setup callback installed and successful
- Refactor clearing `ASN_NO_PEM_HEADER` off the error queue into a macro
- `wolfSSL_get_peer_certificate` now returns a duplicated object meaning that the caller needs to free the returned object
- Allign `wolfSSL_CRYPTO_set_mem_functions` callbacks with OpenSSL API
- `wolfSSL_d2i_PKCS12_bio` now consumes the input BIO. It now supports all supported BIO's instead of only memory BIO.
- stunnel specific
- Always return a session object even if we don't have a session in cache. This allows stunnel to save information in the session external data that will be transfered to new connections if the session is reused
- When allocating a dynamic session, always do `wolfSSL_SESSION_set_ex_data(session, 0, (void *)(-1)`. This is to mimic the new index callback set in `SSL_SESSION_get_ex_new_index`.
- Fix comment in `wolfSSL_AES_cbc_encrypt`
- Trusted peer certificate suite tests need to have CRL disabled since we don't have the issuer certificate in the CA store if the certificates are only added as trusted peer certificates.
tested
When exponent bit length is a multiple of the window size and the top
word has only window bits in it, then n is shifted down by an undefined
value (size of a word). The n value is not used after this.
Check for this condition and don't attempt to shift n.
Improve performance for ECC curves when all bits in words are used (mask
is 0).
On 64-bit platforms, improves performance for 256 and 384 bit curves.
On 32-bit platforms, improves performance for 224, 256, 384 bit curves.
Currently, wolfssl.vcxproj and IDE/WIN10/wolfssl-fips.vcxproj do not use the
same scheme for their output and intermediate directories. Further, across
configuration/platform combinations, wolfssl.vcxproj isn't consistent, either.
For example:
```
Release|x64
OutDir: $(SolutionDir)$(Platform)\$(Configuration)\
IntDir: $(Platform)\$(Configuration)\obj\
Release|Win32
OutDir: $(SolutionDir)$(Configuration)\
IntDir: $(Configuration)\obj\
```
This commit makes every configuration/platform combo for all Visual Studio
projects follow the same pattern:
```
OutDir: $(SolutionDir)$(Platform)\$(Configuration)\
IntDir: $(Configuration)\$(Platform)\$(ProjectName)_obj\
```
The `$(ProjectName)_obj` piece gets rid of a Visual Studio warning about not
mingling the intermediate objects of disparate builds.
** If not free’ing FP_ECC caches per thread by calling wc_ecc_fp_free there is a possible memory leak during TLS 1.3 handshakes which use ECC. Users are urged to confirm they are free’ing FP_ECC caches per thread if enabled to avoid this issue.
Release 5.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users doing operations with private ECC keys such as server side TLS connections and creating ECC signatures, who also have hardware that could be targeted with a sophisticated Rowhammer attack should update the version of wolfSSL and compile using the macro WOLFSSL_CHECK_SIG_FAULTS. Thanks to Yarkin Doroz, Berk Sunar, Koksal Must, Caner Tol, and Kristi Rahman all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute for the report.
* [Low] In wolfSSL version 5.3.0 if compiled with --enable-session-ticket and the client has non-empty session cache, with TLS 1.2 there is the possibility of a man in the middle passing a large session ticket to the client and causing a crash due to an invalid free. There is also the potential for a malicious TLS 1.3 server to crash a client in a similar manner except in TLS 1.3 it is not susceptible to a man in the middle attack. Users on the client side with –enable-session-ticket compiled in and using wolfSSL version 5.3.0 should update their version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal wolfSSL_free/wolfSSL_new) it can result in runtime issues. This exists with builds using the wolfSSL compatibility layer (--enable-opnesslextra) and only when the application is making use of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS 1.3 resumption, after continuing to use the WOLFSSH object after having called wolfSSL_clear, an application could crash. It is suggested that users calling wolfSSL_clear update the version of wolfSSL used. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* Potential DoS attack on DTLS 1.2. In the case of receiving a malicious plaintext handshake message at epoch 0 the connection will enter an error state reporting a duplicate message. This affects both server and client side. Users that have DTLS enabled and in use should update their version of wolfSSL to mitigate the potential for a DoS attack.
## New Feature Additions
* QUIC support added, for using wolfSSL with QUIC implementations like ngtcp2
* SE050 port additions and fixes
* Added support for Dilithium post quantum algorithm use with TLS
* Support for RSA-PSS signed certificates
* Support for Infineon AURIX IDE
* Add Zephyr support for nRF5340 with CryptoCell-312
## Enhancements
* Expanded ABI support by 50 APIs to include wolfCrypt and Certificates making a total of 113 ABIs controlled and maintained
* DTLS 1.3 partial support for ConnectionID as described by RFC9146 and RFC9147
* Added support for X509_CRL_print function
* Remove deprecated algorithms in Renesas cs+ project
* Support more build options disable/enable with i.MX CAAM build
* wolfSSL_CTX_set_options and wolfSSL_CTX_get_options functions added to non compatibility layer builds
* TFM: change inline x86 asm code to compile with clang
* Improvements to error queue and fix for behavior of wolfSSL_ERR_get_error
* scripts/makedistsmall.sh script added for creating a small source/header only package
* TLS 1.3: restrict extension validity by message, Extensions ServerName, SupportedGroups and ALPN must not appear in server_hello
* Add liboqs integration to CMake build system
* Adds wolfSSL_PEM_read_RSAPrivateKey() to the OpenSSL compatible API
* Added support for P384 pre-share in bundled example server
* Replace clz assembly instruction in ARM 32 builds when not supported
* Integrate chacha20-poly1305 into the EVP interface
* Additional validation that extensions appear in correct messages
* Allow SAN to be critical with ASN template build
* Support wolfSSL_CTX_set1_curves_list being available when X25519 and/or X448 only defined
* Adds wolfSSL_PEM_read_RSA_PUBKEY() to the OpenSSL compatible API
* Match OpenSSL self signed error return with compatibility layer build
* Added wolfSSL_dtls_create_peer and wolfSSL_dtls_free_peer to help with Python and Go wrappers for DTLS
## Fixes
* DTLS 1.3 asynchronous use case fixes
* Fix handling of counter to support incrementing across all bytes in ARM crypto asm
* Fixes for ED25519/ED448 private key with public key export (RFC8410)
* Fix for build with NO_TLS macro
* Fix for write dup function to copy over TLS version
* Fix to handle path lengths of 0 when checking certificate CA path lengths
* Fix for CMake not installing sp_int.h for SP math all
* When WOLFSSL_VALIDATE_ECC_IMPORT is defined ECC import validates private key value is less than order
* PSA crypto fixes
* Fix for not having default pkcs7 signed attributes
* DTLS socket and timeout fixes
* SP int: exptmod ensure base is less than modulus
* Fix for AddPacketInfo with WOLFSSL_CALLBACKS to not pass encrypted TLS 1.3 handshake messages to callbacks
* Fix for sniffer to ensure the session was polled before trying to reprocess it
# wolfSSL Release 5.4.0 (July 11, 2022)
Note:
** Future releases of wolfSSL will turn off TLS 1.1 by default
** Release 5.4.0 made SP math the default math implementation. To make an equivalent build as –disable-fastmath from previous versions of wolfSSL, now requires using the configure option –enable-heapmath instead.
Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [High] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the return-routability check is wrongly skipped in a specific edge case. The check on the return-routability is there for stopping attacks that either consume excessive resources on the server, or try to use the server as an amplifier sending an excessive amount of messages to a victim IP. If using DTLS 1.0/1.2 on the server side users should update to avoid the potential DoS attack. CVE-2022-34293
* [Medium] Ciphertext side channel attack on ECC and DH operations. Users on systems where rogue agents can monitor memory use should update the version of wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern University of Science and Technology (SUSTech) for the report.
* [Medium] Public disclosure of a side channel vulnerability that has been fixed since wolfSSL version 5.1.0. When running on AMD there is the potential to leak private key information with ECDSA operations due to a ciphertext side channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less than 5.1.0 should update their wolfSSL version used. Thanks to professor Yinqian Zhang from Southern University of Science and Technology (SUSTech), his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S students Sen Deng and Yining Tang from SUStech along with other collaborators; Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University of Lubeck, Professor Shuai Wang from Hong Kong University of Science and Technology, Professor Radu Teodorescu from The Ohio State University, Huibo Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from Ant Financial Services Group.
* Support for using the new DTLSv1.3 protocol was added
* Enhancements to bundled examples for an event driven server with DTLS 1.3 was added
### Ports
* Update for the version of VxWorks supported, adding in support for version 6.x
* Support for new DPP and EAP-TEAP/EAP-FAST in wpa_supplicant
* Update for TSIP version support, adding support for version 1.15 for RX65N and RX72N
* Improved TSIP build to handle having the options WOLFSSL_AEAD_ONLY defined or NO_AES_CBC defined
* Added support for offloading TLS1.3 operations to Renesas RX boards with TSIP
### Misc.
* Constant time improvements due to development of new constant time tests
* Initial translation of API headers to Japanese and expansion of Japanese help message support in example applications
* Add support for some FPKI (Federal PKI) certificate cases, UUID, FASC-N, PIV extension for use with smart cards
* Add support for parsing additional CSR attributes such as unstructured name and content type
* Add support for Linux getrandom() when defining the macro WOLFSSL_GETRANDOM
* Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
* Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
* Enhanced glitching protection by hardening the TLS encrypt operations
## Math and Performance
### SP Math Additions
* Support for ARMv3, ARMv6 and ARMv7a
- Changes and improvements to get SP building for armv7-a
- Updated assembly for moving large immediate values on ARMv6
- Support for architectures with no ldrd/strd and clz
* Reworked generation using common asm ruby code for 32bit ARM
* Enable wolfSSL SP math all by default (sp_int.c)
* Update SP math all to not use sp_int_word when SQR_MUL_ASM is available
### SP Math Fixes
* Fixes for constant time with div function
* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
* Fix for div_word when not using div function
* Fixes for user settings with SP ASM and ED/Curve25519 small
* Additional Wycheproof tests ran and fixes
* Fix for SP math ECC non-blocking to always check `hashLen`
* Fix for SP math handling edge case with submod
## Improvements and Optimizations
### Compatibility Layer
* Provide access to "Finished" messages outside of compatibility layer builds
* Remove unneeded FIPS guard on wolfSSL_EVP_PKEY_derive
* Fix control command issues with AES-GCM, control command EVP_CTRL_GCM_IV_GEN
* Add support for importing private only EC key to a WOLFSSL_EVP_PKEY struct
* Add support for more extensions to wolfSSL_X509_print_ex
* Update for internal to DER (i2d) AIPs to move the buffer pointer when passed in and the operation is successful
* Return subject and issuer X509_NAME object even when not set
### Ports
* Renesas RA6M4 example update and fixes
* Support multi-threaded use cases with Renesas SCE protected mode and TSIP
* Add a global variable for heap-hint for use with TSIP
* Changes to support v5.3.0 cube pack for STM32
* Use the correct mutex type for embOS
* ESP-IDF build cleanup and enhancements, adding in note regarding ESP-IDF Version
* Support for SEGGER embOS and emNET
* Fix to handle WOLFSSL_DTLS macro in Micrium build
### Build Options
* Support for verify only and no-PSS builds updated
* Add the enable options wolfssh (mapped to the existing –enable-ssh)
* Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
* Move several more definitions outside the BUILDING_WOLFSSL gate with linux kernel module build
* Modify --enable-openssh to not enable non-FIPS algos for FIPS builds
* Remove the Python wrappers from wolfSSL source (use pip install instead of using wolfSSL with Python and our separate Python repository)
* Add --enable-openldap option to configure.ac for building the OpenLDAP port
* Resolve DTLS build to handle not having –enable-hrrcookie when not needed
* Add an --enable-strongswan option to configure.ac for building the Strongswan port
* Improve defaults for 64-bit BSDs in configure
* Crypto only build can now be used openssl extra
* Update ASN template build to properly handle WOLFSSL_CERT_EXT and HAVE_OID_ENCODING
* Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary
* Add the build option --enable-dh=const which replaces setting the macro WOLFSSL_DH_CONST and now conditionally link to -lm as needed
* Add the macro WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY which is used to verify hostname/ip address using alternate name (SAN) only and does not use the common name
* WOLFSSL_DTLS_NO_HVR_ON_RESUME macro added (off by default to favor more security). If defined, a DTLS server will not do a cookie exchange on successful client resumption: the resumption will be faster (one RTT less) and will consume less bandwidth (one ClientHello and one HelloVerifyRequest less). On the other hand, if a valid SessionID is collected, forged clientHello messages will consume resources on the server.
* Misc.
* Refactoring of some internal TLS functions to reduce the memory usage
* Make old less secure TimingPadVerify implementation available
* Add support for aligned data with clang LLVM
* Remove subject/issuer email from the list of alt. Email names in the DecodedCerts struct
* Zeroizing of pre-master secret buffer in TLS 1.3
* Update to allow TLS 1.3 application server to send session ticket
* Improve the sniffer asynchronous test case to support multiple concurrent streams
* Clean up wolfSSL_clear() and add more logging
* Update to not error out on bad CRL next date if using NO_VERIFY when parsing
* Add an example C# PSK client
* Add ESP-IDF WOLFSSL_ESP8266 setting for ESP8266 devices
* Support longer sigalg list for post quantum use cases and inter-op with OQS's OpenSSL fork
* Improve AES-GCM word implementation of GMULT to be constant time
* Additional sanity check with Ed25519/Ed448, now defaults to assume public key is not trusted
* Support PSK ciphersuites in benchmark apps
* FIPS in core hash using SHA2-256 and SHA2-384
* Add ability to store issuer name components when parsing a certificate
* Make the critical extension flags in DecodedCert always available
* Updates to the default values for basic constraint with X509’s
* Support using RSA OAEP with no malloc and add additional sanity checks
* Leverage async code paths to support WANT_WRITE while sending packet fragments
* New azsphere example for continuous integration testing
* Update RSA key generation function to handle pairwise consistency tests with static memory pools used
* Resolve build time warning by passing in and checking output length with internal SetCurve function
* Support DTLS bidirectional shutdown in the examples
* Improve DTLS version negotiation and downgrade capability
### General Fixes
* Fixes for STM32 Hash/PKA, add some missing mutex frees, and add an additional benchmark
* Fix missing return checks in KSDK ED25519 code
* Fix compilation warnings from IAR
* Fixes for STM32U5/H7 hash/crypto support
* Fix for using track memory feature with FreeRTOS
* Fixup XSTR processing for MICRIUM
* Update Zephyr fs.h path
* DTLS fixes with WANT_WRITE simulations
* Fixes for BER use with PKCS7 to have additional sanity checks and guards on edge cases
* Fix to handle exceptional edge case with TFM mp_exptmod_ex
* Fix for stack and heap measurements of a 32-bit build
* Fix to allow enabling AES key wrap (direct) with KCAPI
* Fix --enable-openssh FIPS detection syntax in configure.ac
* Fix to move wolfSSL_ERR_clear_error outside gate for OPENSSL_EXTRA
* Remove MCAPI project's dependency on zlib version
* Only use __builtin_offset on supported GCC versions (4+)
* Fix for c89 builds with using WOLF_C89
* Fix 64bit postfix for constants building with powerpc
* Fixed async Sniffer with TLS v1.3, async removal of `WC_HW_WAIT_E` and sanitize leak
* Fix for QAT ECC to gate use of HW based on marker
* Fix the supported version extension to always check minDowngrade
* Fix for TLS v1.1 length sanity check for large messages
* Fixes for loading a long DER/ASN.1 certificate chain
* Fix to expose the RSA public DER export functions with certgen
* Fixes for building with small version of SHA3
* Fix configure with WOLFSSL_WPAS_SMALL
* Fix to free PKCS7 recipient list in error cases
* Sanity check to confirm ssl->hsHashes is not NULL before attempting to dereference it
* Clear the leftover byte count in Aes struct when setting IV
# wolfSSL Release 5.3.0 (May 3rd, 2022)
Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
## New Feature Additions
### Ports
* Updated support for Stunnel to version 5.61
* Add i.MX8 NXP SECO use for secure private ECC keys and expand cryptodev-linux for use with the RSA/Curve25519 with the Linux CAAM driver
* Allow encrypt then mac with Apache port
* Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature data for TSIP / SCE example
* Add IAR MSP430 example, located in IDE/IAR-MSP430 directory
* Add support for FFMPEG with the enable option `--enable-ffmpeg`, FFMPEG is used for recording and converting video and audio (https://ffmpeg.org/)
* Update the bind port to version 9.18.0
### Post Quantum
* Add Post-quantum KEM benchmark for STM32
* Enable support for using post quantum algorithms with embedded STM32 boards and port to STM32U585
### Compatibility Layer Additions
* Add port to support libspdm (https://github.com/DMTF/libspdm/blob/main/README.md), compatibility functions added for the port were:
- ASN1_TIME_compare
- DH_new_by_nid
- OBJ_length, OBJ_get0_data,
- EVP layer ChaCha20-Poly1305, HKDF
- EC_POINT_get_affine_coordinates
- EC_POINT_set_affine_coordinates
* Additional functions added were:
- EC_KEY_print_fp
- EVP_PKEY_paramgen
- EVP_PKEY_sign/verify functionality
- PEM_write_RSAPublicKey
- PEM_write_EC_PUBKEY
- PKCS7_sign
- PKCS7_final
- SMIME_write_PKCS7
- EC_KEY/DH_up_ref
- EVP_DecodeBlock
- EVP_EncodeBlock
- EC_KEY_get_conv_form
- BIO_eof
- Add support for BIO_CTRL_SET and BIO_CTRL_GET
* Add compile time support for the type SSL_R_NULL_SSL_METHOD_PASSED
* Enhanced X509_NAME_print_ex() to support RFC5523 basic escape
* More checks on OPENSSL_VERSION_NUMBER for API prototype differences
* Add extended key usage support to wolfSSL_X509_set_ext
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT now can also connect with compatibility layer enabled and a TLS 1.3 PSK connection is used
* Improve wolfSSL_BN_rand to handle non byte boundaries and top/bottom parameters
* Changed X509_V_ERR codes to better match OpenSSL values used
* Improve wolfSSL_i2d_X509_name to allow for a NULL input in order to get the expected resulting size
* Enhance the smallstack build to reduce stack size farther when built with compatibility layer enabled
### Misc.
* Sniffer asynchronous support addition, handling of DH shared secret and tested with Intel QuickAssist
* Added in support for OCSP with IPv6
* Enhance SP (single precision) optimizations for use with the ECC P521
* Add new public API wc_CheckCertSigPubKey() for use to easily check the signature of a certificate given a public key buffer
* Add CSR (Certificate Signing Request) userId support in subject name
* Injection and parsing of custom extensions in X.509 certificates
* Add WOLF_CRYPTO_CB_ONLY_RSA and WOLF_CRYPTO_CB_ONLY_ECC to reduce code size if using only crypto callback functions with RSA and ECC
* Created new --enable-engine configure flag used to build wolfSSL for use with wolfEngine
* With TLS 1.3 PSK, when WOLFSSL_PSK_MULTI_ID_PER_CS is defined multiple IDs for a cipher suite can be handled
* Added private key id/label support with improving the PK (Public Key) callbacks
* Support for Intel QuickAssist ECC KeyGen acceleration
* Add the function wolfSSL_CTX_SetCertCbCtx to set user context for certificate call back
* Add the functions wolfSSL_CTX_SetEccSignCtx(WOLFSSL_CTX* ctx, void *userCtx) and wolfSSL_CTX_GetEccSignCtx(WOLFSSL_CTX* ctx) for setting and getting a user context
* wolfRand for AMD --enable-amdrand
## Fixes
### PORT Fixes
* KCAPI memory optimizations and page alignment fixes for ECC, AES mode fixes and reduction to memory usage
* Add the new kdf.c file to the TI-RTOS build
* Fix wait-until-done in RSA hardware primitive acceleration of ESP-IDF port
* IOTSafe workarounds when reading files with ending 0’s and for ECC signatures
### Math Library Fixes
* Sanity check with SP math that ECC points ordinates are not greater than modulus length
* Additional sanity checks that _sp_add_d does not error due to overflow
* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests
* TFM fp_div_2_ct rework to avoid potential overflow
### Misc.
* Fix for PKCS#7 with Crypto Callbacks
* Fix for larger curve sizes with deterministic ECC sign
* Fixes for building wolfSSL alongside openssl using --enable-opensslcoexist
* Fix for compatibility layer handling of certificates with SHA256 SKID (Subject Key ID)
* Fix for wolfSSL_ASN1_TIME_diff erroring out on a return value of 0 from mktime
* Remove extra padding when AES-CBC encrypted with PemToDer
* Fixes for TLS v1.3 early data with async.
* Fixes for async disables around the DevCopy calls
* Fixes for Windows AES-NI with clang compiler
* Fix for handling the detection of processing a plaintext TLS alert packet
* Fix for potential memory leak in an error case with TLSX supported groups
* Sanity check on `input` size in `DecodeNsCertType`
* AES-GCM stack alignment fixes with assembly code written for AVX/AVX2
* Fix for PK callbacks with server side and setting a public key
## Improvements/Optimizations
### Build Options and Warnings
* Added example user settings template for FIPS v5 ready
* Automake file touch cleanup for use with Yocto devtool
* Allow disabling forced 'make clean' at the end of ./configure by using --disable-makeclean
* Enable TLS 1.3 early data when specifying `--enable-all` option
* Disable PK Callbacks with JNI FIPS builds
* Add a FIPS cert 3389 ready option, this is the fips-ready build
* Support (no)inline with Wind River Diab compiler
* ECDH_compute_key allow setting of globalRNG with FIPS 140-3
* Add logic equivalent to configure.ac in settings.h for Poly1305
* Fixes to support building opensslextra with SP math
* CPP protection for extern references to x86_64 asm code
* Updates and enhancements for Espressif ESP-IDF wolfSSL setup_win.bat
* Documentation improvements with auto generation
* Fix reproducible-build for working an updated version of libtool, version 2.4.7
* Fixes for Diab C89 and armclang
* Fix `mcapi_test.c` to include the settings.h before crypto.h
* Update and handle builds with NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT
* Fix for some macro defines with FIPS 140-3 build so that RSA_PKCS1_PSS_PADDING can be used with RSA sign/verify functions
### Math Libraries
* Add RSA/DH check for even modulus
* Enhance TFM math to handle more alloc failure cases gracefully
* SP ASM performance improvements mostly around AArch64
* SP ASM improvements for additional cache attack resistance
* Add RSA check for small difference between p and q
* 6-8% performance increase with ECC operations using SP int by improving the Montgomery Reduction
### Testing and Validation
* All shell scripts in source tree now tested for correctness using shellcheck and bash -n
* Added build testing under gcc-12 and -std=c++17 and fixed warnings
* TLS 1.3 script test improvement to wait for server to write file
* Unit tests for ECC r/s zeroness handling
* CI server was expanded with a very “quiet” machine that can support multiple ContantTime tests ensuring ongoing mitigation against side-channel timing based attacks. Algorithms being assessed on this machine are: AES-CBC, AES-GCM, CHACHA20, ECC, POLY1305, RSA, SHA256, SHA512, CURVE25519.
* Added new multi configuration windows builds to CI testing for greater testing coverage of windows use-cases
### Misc.
* Support for ECC import to check validity of key on import even if one of the coordinates (x or y) is 0
* Modify example app to work with FreeRTOS+IoT
* Ease of access for cert used for verifying a PKCS#7 bundle
* Clean up Visual Studio output and intermediate directories
* With TLS 1.3 fail immediately if a server sends empty certificate message
* Enhance the benchmark application to support multi-threaded testing
* Improvement for `wc_EccPublicKeyToDer` to not overestimate the buffer size required
* Fix to check if `wc_EccPublicKeyToDer` has enough output buffer space
* Fix year 2038 problem in wolfSSL_ASN1_TIME_diff
* Various portability improvements (Time, DTLS epoch size, IV alloc)
* Prefer status_request_v2 over status_request when both are present
* Add separate "struct stat" definition XSTATSTRUCT to make overriding XSTAT easier for portability
* With SipHash replace gcc specific ASM instruction with generic
* Don't force a ECC CA when a custom CA is passed with `-A`
* Add peer authentication failsafe for TLS 1.2 and below
* Improve parsing of UID from subject and issuer name with the compatibility layer by
* Fallback to full TLS handshake if session ticket fails
* Internal refactoring of code to reduce ssl.c file size
This example was designed to be used with the MSP430F5359/MSP430F5659 but can be ported to any similar MSP platform. It will take ~50KB of ROM space and a 8KB of statically allocated RAM (nearly half for constants).
The example runs at 8MHz and executes a benchmark of ECC key generations, shared secrets and 1KB ChaCha20/Poly1305 encryption.
At 8MHz the ECC steps will take 13-15 seconds each and 1000 iterations of ChaCha20/Poly1305 will take about 45 seconds.
## Hardware Setup
A basic development board / ISP combination will work fine, such as the MSP-TS430PZ100 series with the MSP-FET430 series programmer.
The example will output text via UART 1, on the MSP430 which is port 8 bits 2&3 (pins 60/61) on the MSP430F5359. The UART will run at 57600 baud.
In addition every second port 1 bit 1 will be toggled on/off (typically an LED would be here).
## IDE setup
When setting up the IDE, copy the wolfSSL source code to your project's directory and add all the .c and .h files from `wolfcrypt/src` to your project.
Use the `main.c` provided here and copy the `user_settings.h` file to the `wolfssl/wolfcrypt` subdirectory of wolfSSL.
You will need to set at least 700 bytes of stack, no heap is required. You will also need to change the "Library Configuration" to "Full DLIB" so the `printf()` functions work correctly.
Make sure to add the definition `WOLFSSL_USER_SETTINGS` to the preprocessor settings in your project to that `user_settings.h` is loaded in. You will also need to add the wolfSSL root directory to the "Additional include directories".
From here you can set any optimizer settings you need.
## MSP430 GCC Makefile
Also included is a `Makefile` for TI's GCC, when compiling with GCC the code size will be larger and the application will be ~2x slower.
To use this Makefile you will need [TI's MSP430 GCC](https://www.ti.com/tool/MSP430-GCC-OPENSOURCE) installed as well as `mspdebug` with the `libmsp430.so` accessible to it. You will need to edit the `Makefile` to set the `TI_COMPILER_PATH` to where you have installed this.
Once everything is in place you can run `make` to build it and `make install` to flash the MSP430 with it.
**Note**: this will not work with the much older version of MSP430 GCC that comes in Linux distribution repositories.
## Example Output
This is an example output for the demo application when compiled with IAR.
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include<wolfssl/wolfcrypt/settings.h>
#include<wolfssl/wolfcrypt/wc_port.h>
#include<wolfssl/wolfcrypt/types.h>
#include<wolfssl/wolfcrypt/random.h>
#include<wolfssl/wolfcrypt/ecc.h>
#include<wolfssl/wolfcrypt/curve25519.h>
#include<wolfssl/wolfcrypt/chacha20_poly1305.h>
#include<stdio.h>
#include<stdlib.h>
#include<stdint.h>
#include<msp430f5659.h>
/* Without __root on some of the functions, IAR's "Discard Unused Publics"
will optimze out some of the functions
*/
#if defined(__IAR_SYSTEMS_ICC__)
#define IAR_KEEP __root
#else
#define IAR_KEEP
#endif
#define ECC_256_BIT_FIELD 32 /* 256-bit curve field */
#define WOLF_GEN_MEM (2*1024)
#define CHACHA_TEST_LEN 1024
staticbytegWolfMem[WOLF_GEN_MEM];
staticbytegeneratedCiphertext[CHACHA_TEST_LEN];
staticbytegeneratedPlaintext[CHACHA_TEST_LEN];
#define MCLK_FREQ_MHZ 8 /* MCLK = 8MHz */
staticconstbytekey[]={
0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,
0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,
0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f
};
staticconstbyteplaintext[]="Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras lacus odio, pretium vel sagittis ac, facilisis quis diam. Vivamus condimentum velit sed dolor consequat interdum. Etiam eleifend ornare felis, eleifend egestas odio vulputate eu. Sed nec orci nunc. Etiam quis mi augue. Donec ullamcorper suscipit lorem, vel luctus augue cursus fermentum. Etiam a porta arcu, in convallis sem. Integer efficitur elementum diam, vel scelerisque felis posuere placerat. Donec vestibulum sit amet leo sit amet tincidunt. Etiam et vehicula turpis. Phasellus quis finibus sapien. Sed et tristique turpis. Nullam vitae sagittis tortor, et aliquet lorem. Cras a leo scelerisque, convallis lacus ut, fermentum urna. Mauris quis urna diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam aliquam vehicula orci id pulvinar. Proin mollis, libero sollicitudin tempor ultrices, massa augue tincidunt turpis, sit amet aliquam neque nibh nec dui. Fusce finibus massa quis rutrum suscipit cras amet";
staticconstbyteiv[]={
0x07,0x00,0x00,0x00,0x40,0x41,0x42,0x43,
0x44,0x45,0x46,0x47
};
staticconstbyteaad[]={/* additional data */
0x50,0x51,0x52,0x53,0xc0,0xc1,0xc2,0xc3,
0xc4,0xc5,0xc6,0xc7
};
volatileunsignedintseconds;
IAR_KEEPunsignedintmsp430_time(long*x)
{
returnseconds;
}
staticvoidprint_secret(char*who,byte*s,intsLen)
{
inti;
printf("%ss' Secret: ",who);
for(i=0;i<sLen;i++){
printf("%02x",s[i]);
}
printf("\r\n");
}
/* This is a very crude RNG, do not use in production */
IAR_KEEPunsignedintmsp430_rnd(void)
{
unsignedintresult=TA0R^TA2R;
printf("Rand generated: %d\r\n",result);
returnresult;
}
staticvoiduart_init()
{
P8SEL|=BIT3+BIT2;
UCA1CTLW0=UCSWRST;/* Put eUSCI in reset */
UCA1CTLW0|=UCSSEL__SMCLK;/* CLK = SMCLK */
/* Baud Rate calculation
This was calculated to produce 115200 for a 16MHz clock, so it produces
fprintf(stderr,"ERROR: failed to load client certificate, "
"please check the buffer.\n");
util_Cleanup(sockfd,ctx,ssl);
return-1;
}
/* Create a WOLFSSL object */
if((ssl=wolfSSL_new(ctx))==NULL){
fprintf(stderr,"ERROR: failed to create WOLFSSL object\n");
util_Cleanup(sockfd,ctx,ssl);
return-1;
}
/* Attach wolfSSL to the socket */
wolfSSL_set_fd(ssl,sockfd);
/* Connect to wolfSSL on the server side */
if(wolfSSL_connect(ssl)!=SSL_SUCCESS){
fprintf(stderr,"ERROR: failed to connect to wolfSSL\n");
util_Cleanup(sockfd,ctx,ssl);
return-1;
}
/* Get length of message for server. */
printf("\nMessage for server: %s\n",msg);
len=strnlen(msg,sizeof(msg));
/* Send the message to the server */
if(wolfSSL_write(ssl,msg,(int)len)!=len){
fprintf(stderr,"ERROR: failed to write\n");
util_Cleanup(sockfd,ctx,ssl);
return-1;
}
/* Read the server data into our buff array */
memset(buff,0,sizeof(buff));
if(wolfSSL_read(ssl,buff,sizeof(buff)-1)==-1){
fprintf(stderr,"ERROR: failed to read\n");
util_Cleanup(sockfd,ctx,ssl);
return-1;
}
/* Print to stdout any data the server sends */
printf("Server Reply: %s\n",buff);
/* Cleanup and return */
util_Cleanup(sockfd,ctx,ssl);
return0;/* Return reporting a success */
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
