Add mp_to_unsigned_bin_len_ct() which puts a number into a buffer with
padding in constant time.
Call mp_to_unsigned_bin_len_ct() in RSA when encoding result of
exponentiation.
For SHA256 using NEON on ARM32, change vmov instruction that is moving
from scalar to general-purpose register to have explicit size (32 bits).
May be needed by some compilers.
SM2 named curve value is specified in specification.
Values 0-14 aren't used, so, those bits in disabledCurves are used for
values over 31.
Add range checks.
This exercises the fragmenting of ClientHello via large post-quantum key share.
./configure --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtls \
--enable-dtls13 --with-liboqs
- DTLS 1.3 pqc support
- Add --enable-dtls-frag-ch option to enable CH fragmenting
- Send an alert when we get an empty keyshare with a cookie present to not allow for multiple HRR in one connection
- Only update the DTLS window when we have successfully processed or stored a message
- Call ssl->chGoodCb as soon as we have processed a verified full or fragmented ClientHello cookie
Optimised assembly of AES-XTS for Aarch64 and ARM32 using hardware
crypto instructions.
Aarch64 has loop unrolling.
Update aes.c to not have AES-XTS implementation when assembly
compilable.
Update test of AES-XTS to check expected cipher text of partial block
encryption.
We should always read MTU + EXTRA so that we capture the entire message and are able to correctly decrypt the entire datagram. A smaller MTU also breaks larger handshake messages sent during a connection like secure renegotiation in DTLS 1.2 (confirmed) and post-handshake messages in DTLS 1.3 (suspected).
- Call wolfSSL_CTX_free on ssl->initial_ctx so that it decrements the counter and free's the object
- Clean up where ssl->initial_ctx is free'd. It only needs to be free'd when the ssl object is being free'd
- Regen CRL's as most of them are expired
- certs/crl/extra-crls/ca-int-cert-revoked.pem: CRL that revokes certs/intermediate/ca-int-cert.pem signed by certs/ca-cert.pem
- Add CheckCertCRL_ex API to not depend on DecodedCert
- CheckCertCRLList: accept raw serial or hashed version to work with Signers
- Add XELEM_CNT to simplify pre-proc element counting
When using custom curves, only use the first 22 values with the prime to
calculate Legendre symbol. The known curves work and defeats long running
times when non-prime values are passed in.
- Need to call fs_file_t_init() before calling fs_open()
- 0 is a valid POSIX socket number
- Include stdio.h when needed to simplify macro logic
- Define Zephyr specific macros in CMakeLists.txt to make for a better user experience
By default, wolfcrypt PKCS11 interface accesses tokens in read-only
mode. In some cases, we might want to build the client with write
permissions, i.e. when initializing tokens via C_InitToken().
The WOLFSSL_PKCS11_RW_TOKENS option, if present, allows write access to
PKCS11 tokens.
WOLFSSL_SP_ARM_ARCH no longer used.
Using WOLFSSL_ARM_ARCH instead.
Change umaal check to only available with WOLFSSL_ARM_ARCH > 6.
SAKKE mont_reduce with umaal not using correct registers at end.
Thumb2/ARM32: use umaal instruction to speed up mulitplication, squaring
and reduction. umaal not always available so use umlal instead.
Implementations for architectures less than 4 still kept - no umull.
Cleanup point arithmetic to not take shortcuts.
Make masking for constant time faster.
Add alternate asm for different compilers.
Get ARMv4 and ARMv6 compiling.
Remove whitespace at end of lines.
- CheckCertCRLList: check all entries in case a single issuer has multiple CRL's loaded
- test_multiple_crls_same_issuer: testing two different certificates forcing the client to check both CRL's from the same issuer
- CRL_Entry
- use a lock instead of a mutex to allow multiple threads to access the same list simultaneously
- add a verifyMutex when doing verification so that we don't have to release the crlLock
- Add allocation and free functions for CRL_Entry
- DupCRL_Entry: simplify copying by copying all static fields in one memcpy
- Use unions for type punning in xor API
- Initialise potentially uninitialised variables
- Use `LL` suffix to specify a larger integer type
- Don't use `max` as it can shadow other definitions
Add support for compiling ASM for Thumb2
Add Curve25519 ASM for Thumb2
Limit assembly code compiled when Ed25519 not required.
Rework all assembly implementations to replace ge_*() functions instead
of having fe_ge_*() versions that take many parameters.
Get ARM32 inline asm working.
1. Remove the case block deciding if to checkout the wolfcrypt files or
not, it is redundant. Things are set up now where we don't need it.
2. Comment reflow.
Changes due to peer review:
3. Change the check for the temp mytag branches to use a git command
that provides an exact match, rather than a foulable grep check.
4. Change the fips repo file checkout to work the same way as the
wolfcrypt files. Each file in the copy list is tagged with its
revision.
1. Move the command line updatable variables to the beginning of the
script.
2. Reorder the OE names in the usage list.
3. Add the missing asm files.
4. Correct the regex for the fipsv2-OE-ready version name.
1. Remove the demo OE.
2. Update all OEs with the new file lists.
3. Merge OEs with same files and tags, and add a check for the
difference to optionally update that. For example, solaris is the
same file list and tags as linuxv2, but uses gmake instead of make.
1. Remove the demo variable presets. Actually use them in testing.
2. FIPS_REPO can be set to a local file path to speed up testing.
3. Add files missing from the demo OE checkout.
4. Add the fips-read OE files.
5. Add the quiet option to grep.
1. Add an optional initialized variable for the KEEP option and default
it to 'yes' temporarily.
2. Comment out all the descriptions for all the OEs except the test OE.
3. Update the copy FIPS file list format to have the file path and add
the tag to use for copying as the first item.
4. Merge the branch-creation and file checkout into one function. Remove
the local path changing.
5. Update and simplify the FIPS file copying function.
6. Remove the old copying code.
7. When updating the fipsv2-OE-ready version string, also check that
fips.c is non-zero.
8. Use explicit paths for files.
1. Add a test OE for trying out the new methods.
2. Add a temporary way to trigger using the new methods.
3. Add a function to check out different versions of files in the repo,
and only adding a new branch when needed.
4. Remove the old checkout code.
1. Whitespace changes.
2. Deleted the stm32l4 build. The fips-check-2.0.sh script handles it.
3. Removed the CAVP_SELFTEST_* variables, used the FIPS_OPTIONS for it.
4. Removed the v1 style code checkout. The current method works for all
available cases.
5. Removed the FIPS_CONFLICTS case rename case.
These typos could have been generated by some program, in which case
the program should be fixed instead. Yet the typos are inconcistent,
as if the output had been manually copied. Why is the output poorly
aligned?
Use seconds or s for seconds, consistently.
Use ops for operations, consistently. Unless you want the singular
op for operation, as the value is often < 2.
- wolfssl_ec_point_mul: fix parameters being passed into ec_mul2add
- Compile in compressed ecc key parsing for OPENSSLALL
- Improve debugging around compat layer ecc operations
- wolfSSL_BN_div: dv can be NULL
- Add spake like computation test
- Add CI krb5 testing
- Add timeouts to CI
src/internal.c:wolfSSL_DtlsUpdateWindow(): shiftTooManyBitsSigned and integerOverflowCond (true positive, fixed);
src/ssl.c:wolfSSL_GetSessionFromCache(): autoVariables (true positive, intentional and now suppressed);
wolfcrypt/src/asn.c: several uninitvars in EccSpecifiedECDomainDecode(), wc_EccPrivateKeyDecode(), DecodeSingleResponse(), and DecodeResponseData() (false positives due to bug in cppcheck short circuit eval analysis, mitigated by refactoring && expressions to nested-if constructs that are semantically identical);
src/ssl.c:wolfSSL_GetSessionFromCache(): nullPointer (false positive due to bug in cppcheck value flow analysis, workarounded).
add it to the list of non-fatal errors so that a socket close alert wont be sent out but the caller still won't block and will instead get OCSP_WANT_READ as an error back from wolfSSL_connect
so that the re-run of DoHandShakeMsgType knows not to hash the certificate twice and won't send an alert to the server as it was when OCSP_WANT_READ instead of setting ret to 0
tweak several #includes of settings.h to include types.h instead (all of these are for clarity, as types.h is indirectly included by later #includes), and add #include <wolfssl/wolfcrypt/types.h> where missing;
remove trailing semicolons from PRAGMA*() macro invocations as they are unneeded and can be harmful (inducing frivolous -Wdeclaration-after-statement etc.).
if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;
if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;
for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;
scripts/sniffer-gen.sh: fix illegal exit code (SC2242);
src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();
src/ocsp.c: fix readability-redundant-preprocessor;
src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();
tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;
wolfcrypt/src/asn.c:
fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();
fix readability-redundant-declaration re GetCA() and GetCAByName();
gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);
wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;
tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).
mp_exptmod_base_2() uses Montogmery method and does not support even
modulus. Added check.
mp_exptmod_fast() uses Montogmery method when odd not when dr > 0.
Comment updated at call.
Reduce value of zero doesn't work for mp_reduece_2k. Changed setup of
use to check for zero and won't use it. Other methods won't work either.
Add support for cipher aliases DHE, EDH and EECDH.
Add define SSL_CTRL_GET_CHAIN_CERTS to help hitch and other programs detect SSL_CTX_get0_chain_certs is supported.
Add wolfSSL_get_locking_callback.
Allow using ECDHE+RSA cipher suites when ECDHE alias is used while in OpenSSL compatibility mode.
Add more alerts for hitch.
SSL_CM should use the CTX's x509_store_pt if available.
Add support for SSL_CERT_FILE and SSL_CERT_DIR. Load default OpenSSL TLS 1.3 ciphers when using OPENSSL_COMPATIBLE_DEFAULTS.
Use wolfSSL_sk_X509_new_null to allocate WOLFSSL_STACK in wolfSSL_CTX_get_extra_chain_certs. Previous approach of malloc'ing without setting type/memsetting was leading to a segfault.
Add --enable-hitch.
hitch: Add unit tests for new APIs, fix a couple of issues uncovered by unit testing.
Correct behavior of wolfSSL_BIO_set_mem_buf for BIO_CLOSE/NOCLOSE and update unit test accordingly.
Add Github action test for hitch.
This also adds new keys for SPHINCS+. The reason is that SPHINCS+
was updated to 3.1 in liboqs (open-quantum-safe/liboqs/pull/1420),
and old keys are incompatible with the new implementation.
Keys were generated using the oqs-provider for OpenSSL 3
openssl genpkey \
-provider default -provider oqsprovider \
-algorithm sphincsshake128fsimple \
-outform der \
-out bench_sphincs_fast_level1_key.der
And certs_test.h was updated using xxd
xxd -i -c 10 -u bench_sphincs_fast_level1_key.der
This was repeated for the 6 variants of SPHINCS+ that wolfSSL supports.
Split out certificate manager APIs into ssl_certman.c.
ssl.c includes ssl_certman.c
Better test coverage.
Minor fixes.
wolfSSL_X509_chain_up_ref calls XFREE with name->heap but name may be
NULL. Check for NULL first.
- nginx: add necessary defines and function
- Implement Certificate Authorities for TLS 1.3
- Implement secret logging for TLS 1.3. Can be used for example with:
./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'"
- Implement session context checking for tickets
- Check for authorized responder in OCSP basic response
- Fix handling call to ocsp->statusCb
- compat: Translate SOCKET_PEER_CLOSED_E to WOLFSSL_ERROR_SYSCALL
- Fix wolfSSL_CTX_set_session_cache_mode
- WOLFSSL_SESS_CACHE_OFF means nothing should be on
- WOLFSSL_SESS_CACHE_NO_INTERNAL turns off only the internal cache
- Respect ssl->options.internalCacheOff
- Implement SSL_SESSION_set_time
- wolfSSL_SSL_in_init: fix detection for TLS 1.3
- Fix handling call to ssl->alpnSelect
- SendTls13NewSessionTicket: always generate new ID
- When we send a new ticket for the same session (for example we resumed a connection and are sending a new ticket so that the client can resume in the future), we need to generate a new ID so that we don't overwrite the old session in the cache. Overwriting the session results in the `diff` calculation in `DoClientTicketCheck()` producing the wrong value and failing to resume.
Add nginx github action test
- Fix memory leaks
- wolfSSL_OCSP_basic_verify: implement OCSP_TRUSTOTHER flag
- AKID: implement matching on issuer name and serial number
- ocsp: check for a chain match for OCSP responder
- Split CreateTicket into CreateTicket and SetupTicket
- SendCertificateStatus: free response.buffer
- Use heap hint when allocating responseBuffer
- Remove responseBuffer from internal API's that don't use it anywhere
Address PR comments + other cleanup
Addressing PR comments
Minor change
Make sure the last line gets output as well
Add in ARIA SHA256 session to internal structure
Add in ARIA SHA384 session to internal structure
Add necessary function for ARIA to extract key
Fix unit tests
Rename HAVE_ARIAGCM to HAVE_ARIA
Move aria.* to wolfcrypt/port/aria
Separate out aria-crypt init functions
Adding in ECC+SHA callbacks
Avoid using AC_CHECK_FILE
Rename Aria to wc_Aria
Don't need special cases
Addressing PR comments
Code cleanup
C89 support
Remove TODO
Add documentation about buffer size
Clean up header files
Use ARIA_DEVID by default if available
Dummy update call to make MagicCrypto happy
Fix for detecting what algo type to use
Documentation
Use the appropriate sign/verify
Collect MagicCrypto functions together (and avoid leaks)
Fall back on other implementations on failure
Fix issue when compiling without CRYPTOCB
Addressing PR comments
Better cleanup
Addressing PR comments
Cleaner exit in case of error
- move the testsuite file helps into a new tests/utils.c file so that they can be used across all tests
- dump the raw TLS stream when WOLFSSL_DUMP_MEMIO_STREAM is defined so that it can be examined in Wireshark
This caused an issue on big endian platforms
From the getsockopt man page:
Most socket-level options utilize an int argument for optval. For setsockopt(), the argument should be non‐
zero to enable a boolean option, or zero if the option is to be disabled.
Add support for:
- SM2 elliptic curve and SM2 sign/verify
- SM3 digest
- SM4 cipher with modes ECB/CBC/CTR/GCM/CCM
Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
PEM example converts PEM to DER and DER to PEM.
Supports encrypting DER and writing out as PEM.
Added better support for 40-bit RC2-CBC PBE.
Added AES-128-CBC encryption support with PKCS#5v2.
Fixed handling of iterations to support writing 24-bit values.
Declared enum types for pass to PKCS#8 encryption APIs.
Add more DER and PEM files to certs directory.
Add testing of 'pem' with pem.test script.
Importing an EC point ordinate with one being zero will result in
different errors based on different implementations. Check both known
error codes.
Benchmark usage fixed.
Do leaf CRL check by default
Correct wolfSSL_sk_X509_NAME_push return check
Update OpenSSL compatibility errors for HAProxy
Change X509_V to literal constant values
Fix the compat layer with TLS session ticket reuse
Fix for tls1_2 session resume and cache miss
Save intitial wolfSSL ctx
Check for OpenSSL CRL error code 23
bio.c:
wolfSSL_BIO_flush(): check allocation to bio->ip succeeded.
internal.c:
InitSSL_Ctx(): set ctx->heap to heap if value passed in
ProcessPeerCerts(): check for error MEMORY_E too as a fatal parsing
error
ssl.c:
wolfSSL_shutdown(): SOCKET_ERROR_E is also an indication that the
socket is done, MEMORY_E is a fatal error
wolfSSL_Cleanup(): move free of memory fail couting to wolfSSL API
SessionTicketNoncePrealloc(): eror return must be non-zero
AddSessionToCache(): XFREE checks for NULL no need to do it before
call
wolfSSL_set_psk_use_session_callback(): ensure ssl is not NULL before
dereferencing
wolfSSL_SMIME_read_PKCS7(): check for error return from
wolfSSL_BIO_gets()
asn.c:
wc_MIME_parse_headers(): check allocation succeeded into nextHdr
compress.c:
wc_DeCompressDynamic(): free tmp on inflateInit2 failure
memory.c: rework where memory allocation failure counting code for when
WOFLSSL_STATIC_MEMORY is defined
wc_port.c:
wolfCrypt_Cleanup(): only call wc_MemFailCount_Free() when no
wolfSSL_Cleanup()
Changed EXPECT_DECL to start of as TEST_SKIPPED.
Modified other EXPECT macros appropriately.
Change test functions to not use 'res' when EXPECT_DECL is used.
memory.c:
wc_MemFailCount_Init(): don't declare variable after a statement
conf.c:
wolfSSL_TXT_DB_read(): free the whole WOLFSSL_TXT_DB on failure
instead of just the memory
wolfSSL_CONF_add_string(): pop the value added into section->value
(sk) if it can't be pushed onto conf->data
wolfSSL_NCONF_load(): free the new value if it wasn't able to be added
ocsp.c:
wolfSSL_OCSP_cert_to_id():
free the decoded certificate if parsing failed (is freed after use
otherwise)
free the certificate id on failure and make it NULL and continue
freeing other variables
pk.c:
wolfSSL_RSA_set0_crt_params(): set dmp1, dmq1 and iqmp fields to NULL
if setting the internal failed - returns error and caller needs to free
the passed in BNs
wolfSSL_RSA_set0_factors(): set p and q fields to NULL if setting the
internal failed - returns error and caller needs to free the passed in
BNs
wolfSSL_RSA_set0_key(): set n, e abd d fields to NULL if setting the
internal failed - returns error and caller needs to free the passed in
BNs
x509.c:
wolfSSL_X509_set_serialNumber(): explicit NULL
checkwolfSSL_X509_REQ_add1_attr_by_NID(): check whether push succeeded
and on failure free attribute
asn.c:
ConfirmSignature(): for DSA, allocate separately to ensure no leak on
memory allocation failure.
dh.c:
wc_DhGenerateParams(): ensure tmp and tmp2 are able to be cleared on
error
evp.c:
wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(): fix realloc use to no leak on
failure
wolfSSL_EVP_CIPHER_CTX_iv_length(): handle ctx being NULL.
dtls13.c:
Change end of outputBuffer data calculations to use function
GetOutputBuffer().
Use idx when calculating unused byte count of outputBuffer.
internal.c:
Change end of outputBuffer data calculations to use function
GetOutputBuffer().
Use GetOutputBuffer() to calculate end of data in outputBuffer.
GrowOutputBuffer():
Calculate new size to allocate to include already written data in
case of static buffer.
Copy all data including already written count (idx).
CheckAvailableSize():
Don't subtract idx from length when checking MTU size.
Do subtract idx from bufferSize to determine count of unused bytes
in outputBuffer.
The modular exponentiation implementations in sp_int.c and tfm.c are not
safe when using Encrypted Memory.
Cannot have two pieces of memory where one changes and the other doesn't
based on private value.
Use extra variable to hold the two new values and assign them both back
at the same time in a safe manner.
Alternative implementations used when WC_PROTECT_ENCRYPTED_MEM is
defined.
wolfssl/wolfcrypt/types.h: add 'U' suffix to W64LIT() macro defs, and add SW64LIT() macro defs (not yet used anywhere);
wolfcrypt/src/asn.c: add !WOLFSSL_ECC_CURVE_STATIC gate around DataToHexStringAlloc() to resolve -Wunused;
wolfcrypt/src/ecc.c: guard against zero-valued "len" arg to wc_ecc_get_curve_id_from_oid();
wolfcrypt/src/wc_port.c: fix several argument implicit sign changes in USE_WINDOWS_API paths;
wolfssl/wolfcrypt/ecc.h: remove const attribute from inline buffers in WOLFSSL_ECC_CURVE_STATIC struct ecc_set_type.
wolfssl_sce_unit_test.c:
sce_crypt_Sha_AesCbcGcm_multitest(): duplicate condition
ssl_asn1.c:
wolfSSL_i2t_ASN1_OBJECT(): done is not needed
MonthStr(): fix bounds check on i
woolfcrypt_test.c, test_main.c, wolfssl_tsip_unit_test.c, devices.c,
aes.c, des3.c:
Variable not used.
asn.c:
DecodeSubjKeyId(): sz is unsigned - check for less than zero does
nothing
kcapi_rsa.c:
KcapiRsa_Decrypt(): fix ret check by using else
KcapiRsa_Encrypt(): make same change for consistency
kcapi_hash.c:
KcapiHashFinal(): move ret into #ifdef where it is needed
stm32.c:
wc_Stm32_Hash_GetDigest(): i redeclared with different type - use ii
instead
bio.c, conf.c:
XFREE checks for NULL
Reduce scope of varialbes.
Condition same.
Fix: ./configure --disable-shared --enable-smallstack --enable-all
CFLAGS=-DNO_ASN_TIME
Don't compile mp_test when compiling for SP Math All and RSA
verification only - very few functions available.
ssl.c:
wolfSSL_Rehandshake(): wolfSSL_UseSessionTicket only available when
not NO_WOLFSSL_CLIENT
api.c:
test_wolfSSL_ticket_keys(): meant to be tested on server
bio.c:
wolfSSL_BIO_push(): handles NULL for top and append.
crl.c:
InitCRL_Entry(): set toBeSigned to NULL after freeing when allocation
fails.
AddCRL(): free CRL entry properly on error.
wolfSSL_X509_STORE_add_crl(): check for NULL after
wolfSSL_X509_crl_new call.
ssl.c:
wolfSSL_CertManagerGetCerts(): free the certificate if it didn't get
pushed onto stack
wolfSSL_RAND_Init(): returns success if global already initialized.
ssl_asn1.c: wolfSSL_ASN1_TYPE_set now avaiable when OPENSSL_EXTRA
defined for function wolfssl_dns_entry_othername_to_gn().
x509.c:
Added support for creating a valid General Name of type GEN_OTHERNAME.
Extracted some code out into wolfssl_x509_alt_names_to_gn().
wolfSSL_X509_set_ext(): free data correctly on errors
wolfSSL_X509_PUBKEY_set(): free str if DSA parameters cannot be
retrieved; wolfSSL_OBJ_nid2obj() called separately to handle when
returning NULL.
wolfSSL_X509_NAME_copy(): check for failure when
wolfSSL_X509_NAME_add_entry() is called.
x509_str.c:
wolfSSL_X509_STORE_CTX_new(): check for error from calling
wolfSSL_X509_STORE_CTX_init().
wolfSSL_X509_STORE_get0_objects(): don't double free x509; free memory
correctly on error
Added a new version of 'nofail' handshaking that doesn't use threads.
More tests can be run in single threaded.
Changed tests over to use test_wolfSSL_client_server_nofail() or
test_wolfSSL_client_server_nofail_memio() to simplfy test cases.
Changed tests to use Expect.
CRL:
BufferLoadCRL wasn't freeing allocated data when currentEntry
couldn't be allocated.
ssl.c:
DecodeToX509(): Needs to call FreeDecodedCert even if
ParseCertRelative fails.
wolfSSL_PEM_read_PUBKEY(): Need to check result of
wolfSSL_d2i_PUBKEY is NULL rather than the passed in WOLFSSL_EVP_PKEY.
X509:
wolfSSL_X509_set_ext(): Must free allocated WOLFSSL_X509_EXTENSION
if not pushed on to stack regardless of stack being NULL.
wolfSSL_X509V3_EXT_i2d(): Don't free asn1str on error as it is the
data passed in.
wolfSSL_i2d_X509_NAME_canon(): free names and cano_data when call to
wolfSSL_ASN1_STRING_canon() fails.
PKCS7:
wc_PKCS7_InitWithCert(): Check memory allocation of cert for NULL.
tests/unit.h: fix ExpectPtr() to inhibit pedantic warnings on both gcc and clang;
wolfssl/test.h: in myVerify(), explicitly check for nullness when printing issuer/subject, to avoid cppcheck null-deref warning;
tests/api.c: fixes for:
* myriad "embedding a directive within macro arguments is not portable"
* an "ISO C forbids conversion of object pointer to function pointer type"
* some "stringop-overflow"s
* a clang-analyzer-core.uninitialized.Assign
* a clang-analyzer-core.CallAndMessage "2nd function call argument is an uninitialized value"
* a nullPointerRedundantCheck
* several clang-diagnostic-declaration-after-statement
* a spurious gcc sanitizer maybe-uninitialized in test_wolfSSL_CheckOCSPResponse()
Modified number of tests to not crash on failure and cleanup allocations
on failure.
Added memory fail count option to set which memory allocation to start
failing on.
Fix issues found from testing.
bio.c:
BIO_new() move ref count up so that calls to wolfSSL_BIO_free()
work.
internal.c:
ImportCipherSpecState wasn't checking SetKeySide for failure. Crash
when pointer is NULL and accessed directly.
ocsp.c:
wolfSSL_OCSP_response_get1_basic() doesn't need to free vs->source
as it is freed in WOLFSSL_OCSP_RESPONSE_free().
ssl.c:
ProcessBuffer() Don't strip PKCS#8 header if failed to create DER.
Crasged as directly accessing 'der' which was NULL.
ssl_asn.c:
wolfssl_asn1_integer_require_len was checking wrong variable to see
if allocation failed.
x509,c:
wolfSSL_X509_ALGOR_set0 needs to set aobj only when no failure
possible.
wolfSSL_X509_chain_up_ref needs to call cleanup to ensure everything
is freed.
wolfSSL_X509_NAME_ENTRY_get_object
- object field was being reused if it existed but lost on error
- store object only on success, ie object is not NULL
- moved function into x509.c
wc_RsaEncryptSize(): assumed a key size of 2048 when using hardware key.
Added callback to do lookup and implemented for PKCS#11.
If lookup not supported then assumes 2048 bits.
AES C impl: don't align to 32 bytes, align to 16 as buffer is 16 bytes
long.
SP int: Don't call _sp_mulmod but call sp_mul and _sp_div to do mod
operation. For RSA, fewer calls for mod operation means less stack used
at deepest point.
wolfSSL_X509_NAME_ENTRY_create_by_txt and
wolfSSL_X509_NAME_ENTRY_create_by_NID:
- object field was being reused if it existed but lost on error
- extracted common code
- store object only on success, ie object is not NULL
Skip ECC private key check when the TPM is used to generate the key, since it doesn't release the private part. this option needs to be used with a FIPS approved TPM for the end result to be FIPS approved
sp_mulmod
- scan-build getting confused with size of result
- don't check result size as checked already
- split out implementation of sp_mulmod from check
StoreEccKey
- ensure pubKey is not NULL even though all uses will not be
GetCertKey
- ensure source is not NULL
- cert->source may be NULL in incorrect usages of APIs
DecodeRsaPssParams() assumed params is never NULL. Should never be
called with NULL but check saves a NULL dereference.
PrintObjectIdText() didn't check return of call to GetObjectId. 'oid'
will retain -1 value on error and work as normal on error return.
Cleaner to check for ASN_PARSE_E and handle - other error,
ASN_UNKNOWN_OID_E, is OK for printing.
1. The description text for the brainpool enable option in configure was
using a shell variable that ended up in the output. Switched to the
description pattern used in other options.
* make wolfssl compile with Mingw-w64
* cmake: CMAKE_SYSTEM_PROCESSOR is AMD64 on Windows
* cmake: use target_compile_definitions instead of add_definitions
* cmake: change default value of WOLFSSL_BUILD_OUT_OF_TREE_DEFAULT to ON
* cmake: link crypt32.lib on Windows
* cmake: export wolfssl
* move Config.cmake.in to cmake directory
* revert changes to .gitignore
* add Config.cmake.in to include.am
linuxkm/linuxkm_wc_port.h: activate SAVE/RESTORE_VECTOR_REGISTERS() whenever defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) for benchmark.c support, independent of vector crypto features;
fix and optimize various alignment issues with stack and heap allocations;
fix macro definitions for XMALLOC/XREALLOC/XFREE to correctly use kvmalloc and friends when defined(HAVE_KVMALLOC), and to use wolfSSL_Malloc() and friends when defined(WOLFSSL_TRACK_MEMORY);
purge stale LINUXKM_SIMD_IRQ code.
In DTLS v1.3 the normal (plaintext) record header can be used only with
unprotected message (epoch == 0). Protected messages use the unified header.
Check this invariant using `IsAtLeastTLSv1_3` instead of `ssl->options.tls1_3`
because the latter is false before version negotiation.
In DTLSv1.2 the DTLS normal header is used for all the epoch, this check doesn't
interfere because:
1. the first CH's epoch must be zero in all DTLS versions
2. In case of downgrade after version negotiation `IsAtLeastTLSv1_3` is false
configure.ac: Don't use == in test.
client.c: Merge string to one line.
asn.c/asn_public.h:
fix conversion warnings/errors.
wc_Asn1_Print no longer public and doesn't need to check for NULL.
wc_Asn1_PrintAll check all pointer parameters for NULL.
The `kse->pubKeyLen` parameter is used as an input parameter to `DhGenKeyPair`
to provide the size of the `pubKey` buffer (the same size as the prime p). After
that, `kse->pubKeyLen` is used to check that the public key generated is of the
same length as the prime p. If this is not the case, the public key is
padded. If the key generation is asynchronous, then `TLSX_KeyShare_GenDhKey` may
be invoked twice. The second time, the `kse->pubKeyLen` value, updated
asynchronously by the async code, is overwritten with the prime size at the
beginning of the function. When this happens, a wrong public key value is used,
and the shared secret computed is incorrect.
Similar reasoning can be applied to `kse->keyLen`
* zephyr wolfssl_tls_sock: fix project name
* zephyr tls_sock.c: don't include options.h when using user settings
* zephyr: define XSTAT_TYPE for use with XSTAT
* set dev ID with signature check
* refactor devId use and add API to set devId in WOLFSSL_CERT_MANAGER structure
* add api.c call to set devid with WOLFSSL_CERT_MANAGER
* resolving devID CRL issue and CM pointer
* add device find callback
* add simple test case
wolfssl/wolfcrypt/sp_int.h: refactor MP_INT_SIZEOF() using sizeof(sp_int_minimal) and addition, rather than sizeof(sp_int) and subtraction, for clarity and analyzer mollification.
GetDateInfo called with a local index (reset to 0) but size is of
original buffer. Subtract the index into original buffer from size to
get size available for parsing.
TLS 1.3 Server: don't cache the messages for Ed25519/Ed448 when doing
TLS 1.3.
ASN DecodeCertInternal: Call GetCertName for issuer and subject after
freeing the dataASN.
* Add TLSv1.3 stateful support
Fix internal and external session cache
* session cache fixes
* Refactor
- implement wolfSSL_CTX_flush_sessions
- use wolfSSL_CTX_flush_sessions to make test_wolfSSL_CTX_add_session_ext deterministic
- add dtls to test_wolfSSL_CTX_add_session_ext
- DoClientTicket_ex does not modify ssl object
- only call session remove callback on:
- timeout
- session is being overwritten/removed from the cache
* Session fixes
- restore bogus ID on session duplicate
- don't evict on overwrite
- use memmove instead on memcpy as `ssl->session == session` is possible
- ignore ClientSession parameter in AddSessionToCache on NO_SESSION_CACHE_REF
- use sessionID when altSessionID not present
* Session fixes
- DoClientTicketFinalize: always copy in the ID as teh altSessionID
- don't overwrite ex_data when overwriting cacheSession and cacheSession owns it
* Callback wants to retain a copy
* wolfSSL_GetSessionClient: ssl->ctx->get_sess_cb does not apply here
* test_wolfSSL_CTX_add_session_ext
gate expected results on WOLFSSL_DTLS_NO_HVR_ON_RESUME
* TlsSessionIdIsValid: copy return can't be ignored
* Silence unused parameter
* test_wolfSSL_CTX_add_session_ext: handle async case
* Gate wolfSSL_SSL_CTX_remove_session on NO_SESSION_CACHE
* ssl.c: style fixes
* Add twcase_get_sessionCb_cleanup to free external cache
* Remove hard tab
* Correct build error in wolfSSL_CTX_flush_sessions
* Jenkins fixes:
- altSessionID only available with WOLFSSL_TICKET_HAVE_ID
- slim out psk_sess_free_cb_ctx
* Stateful dtls case has 2 accesses. Stateless just one.
* Add version numbering to hostap logs
* Import internal.h for test_wolfSSL_SESSION_get_ex_new_index
* wolfSSL_SetSession: don't check SslSessionCacheOff for session setting
* wolfSSL_SetSession: fully set expired session for OpenSSL compatibility
* wolfSSL_SetSession: check if setting same object
* AddSession: always populate the session object to allow re-use
* Add logging to wolfSSL_NewSession and wolfSSL_FreeSession
* Always setup session object
* Check if session has been setup before setting it
* Print errors in async test
* Make SetupSession available outside NO_SESSION_CACHE
* Review comments
* Fix ticBuf leak and TlsSessionIdIsValid logic
* Fix unmatched curly brackets
* TlsSessionIdIsValid: always need to check copy var
* TlsResumptionIsValid: set resume to FALSE default
* wolfSSL_SetSession: remove now variable since only used in one place
* Move internalCacheLookupOff into HAVE_EXT_CACHE block
---------
Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
The order may be 1 bit larger than prime for some curves.
Handle this in calculation of maximum size of curve.
SP int _sp_mont_red(): ensure m->used is never 0 when doing default
implementaion.
Ed25519CheckPubKey/Ed448CheckPubKey: get the public key from certificate
in a new function, wc_CertGetPubKey, that uses less memory.
Set the ENCRYPT_BASE_BITS to minimal values when Curve448/Curve25519 are
the largest public key algorithms.
Move declaration of sp_ints until after checks of valid parameters.
In particular, whether used field of input/s are valid.
Pull implementations of algorithms out into separate functions as a
pattern to fix.
SP int should be able to calculate size of encoded number for a radix of
10 when mp_int has all digits used.
sp_radix_size declared a temporary mp_int of 1 greater than input. Don't
need it 1 greater. Stack declaration of maximum plus one caused address
sanitizer error.
Changed temporary mp_int to be same size as input mp_int.
fix for benign clang-analyzer-deadcode.DeadStores in aes.c:wc_AesFeedbackEncrypt();
fix for cppcheck:selfAssignment in chacha.c:wc_Chacha_wordtobyte().
- Add CONFIG_PTHREAD_IPC when using threads
- Add logging config suggestions
- test.c: fix undefined `ret` error
- Increase stack size for samples
- Ignore ASN_BEFORE_DATE_E in examples
- wc_port.h: add missing posix thread includes
- wc_port.h: move definitions to relevant section
- benchmark.c: fix missing `arc` and `argv` errors
- benchmark.c: fflush does not work on stdout in Zephyr
- Update z_fs_open implementation to support flags
CheckCertSignature
Free the dataASN before calling ConfirmSignature.
dataASN not needed at this point and ConfirmSignature uses lots of
memory.
DecodeCertInternal:
Free the dataASN before calling DecodeCertExtensions,
dataASN not needed at this point and DecodeCertExtensions uses more
memory.
ecc_verify_hash:
v doesn't need to be a new allocated variable - reuse w.
v is the modular reduction of x-ordinate to prime calculated at end.
New creation of mp_ints r and s to be minimal size must not be
re-initialized.
Changes to ASN.1 code to handle r and s being initialized and to not
initialize again.
Public API wc_ecc_is_point() needs to validate the parameters.
Ensure that the x and y are in range [0, p-1] and z is one (affine
ordinates).
Made the API a wrapper around existing calculation code.
When x-ordinate is a large negative, then it will spend large amounts of
time adding the prime to a large negative intermediate value.
fixes for clang-tidy/bugprone-macro-parentheses in wolfssl/wolfcrypt/sp_int.{c,h} and wolfcrypt/src/ecc.c;
fix for clang-analyzer-deadcode.DeadStores in olfcrypt/src/asn.c.
Tested with `./configure --disable-asm --enable-32bit --enable-asn=original --enable-cryptonly CFLAGS="-Wconversion -pedantic" && make`. Some progress with ASN template, but not complete.
* Update to ensure full blocks for crypto in En/DecodeAuthEnvelopedData.
* Corrected spacing and comments
* Set plain to NULL after free on non-error path.
* refactor error-checking cascade in wc_PemCertToDer_ex() as in wc_PemPubKeyToDer_ex(),
* refactor staticBuffer gating/dynamics in wc_PemPubKeyToDer_ex() as in wc_PemCertToDer_ex(),
* and use IO_FAILED_E, not BUFFER_E, for I/O errors on the file handles, in both routines;
fix smallstack null pointer dereferences in src/pk.c:wolfSSL_RSA_GenAdd() and src/ssl.c:set_curves_list().
Minimize use of stack.
Make very large stack allocations dynamic memory allocations unless
WOLFSSL_SP_NO_MALLOC.
ProcessBufferTryDecode() split up into a function for each type.
ProcessBufferTryDecodeRsa() decodes the data and gets key size rather
than having or allocating an RsaKey.
Added wc_RsaPrivateKeyValidate() that only validates the encoding is an
RSA key and returns the key size in bytes.
For SP int, only create sp_ints of required size in RSA and ECC
implementation. For WOLFSSL_SMALL_STACK, memory is allocated to have
just enough bytes and size is set to maximum supported. Otherwise,
relies on dynamic stack variables.
For ECC, MAX_ECC_BITS_USE used when dynamic stack variables not
supported. Significantly reduces memory usage when RSA/DH is also built.
Add macros to sp_int.h, tfm.h and integer.h to support declaring,
allocating, initializing and freeing mp_ints.
For integer.h, mp_int is always static as size is no more than 32 bytes.
For tfm.h, WOLFSSL_SMALL_STACK has a full mp_int allocated, otherwise
the full mp_int is put on the stack.
For sp_int.h with new macros, dynamically allocate sp_int to minimal
size when WOLFSSL_SMALL_STACK, or when dynamic stack variables, declare
them to be of minimal size or otherwise declare with a fixed max.
Added mp_bitsused(), for all implementations, to get the number of bits
available based on used. Included for RSA to get the size of the
modulus.
SP int now always uses dynamic stack variables if possible rather than
for builds with WOLFSSL_SP_SMALL.
Moved code out into separate functions so that stack allocations don't
happen when not going down code path.
Create a fixed buffer BIO of length 1 and then write one byte into it so
that there is 0 length to write into.
Test cases removed as setting fixed buffer BIO to length 0 allocated 0
length buffer that is sometimes returning NULL.
linuxkm/module_exports.c.template: include wolfssl/wolfcrypt/wolfmath.h, to bring in wc_GetMathInfo() prototype;
src/ssl.c: move "Global pointer to constant BN on" to src/ssl_bn.c; and in wolfSSL_Cleanup(), call the new wolfSSL_BN_free_one() rather than using ad hoc cleanup logic;
src/ssl_bn.c: add bn_one and wolfSSL_BN_free_one();
src/ssl_asn1.c: fix bugprone-macro-parentheses in bufLenOrNull(); refactor wolfSSL_ASN1_TIME_diff() to avoid floating point math; use intermediate tm_year variable in wolfssl_asn1_time_to_tm() to avoid target-specific type conflicts on tm->tm_year; use "FALL_THROUGH", not "/* fall-through */", in wolfSSL_ASN1_TYPE_set (clang-diagnostic-implicit-fallthrough);
wolfcrypt/src/ecc.c: fix identicalInnerCondition in ecc_mul2add();
wolfcrypt/src/integer.c: refactor OPT_CAST()s in mp_grow() to unconditional casts as elsewhere, to mollify a confused cppcheck-all-intmath;
tests/api.c: reformat some overlong lines.
Fix checking of negative with unsigned variables.
Check digestSz for 0 in wc_SSH_KDF() so that no possibility of dividing
by zero.
Change XMEMCPY to XMEMSET in renesas_sce_util.c.
Fix test.c to free prvTmp and pubTmp on read error.
Remove unused variables.
XFREE checks for NULL so don't check before call.
Move variable declarations to reduce scope.
Implementations of ASN.1 APIs reworked.
Added tests.
Added wolfssl_bn_set_neg for ASN.1 code.
Added wolfssl_sk_new_type() and wolfssl_sk_pop_type() to generically
handle creating and popping a stack of elements of a type.
No longer freeing pathlen field of ASN1 OBJECT in
wolfSSL_X509_EXTENSION_free(). This is happening in
wolfSSL_ASN1_OBJECT_free().
Stop wolfSSL_i2d_X509_NAME_canon from double freeing ASN.1 STRING's data
field.
Fixed up GetFormattedTime() to be better code.
Added ASN_CLASS_MASK to mask off the class part of an ASN.1 tag.
NO_ASN_TIME means no implementation to get the current time. Disable
features that won'r work without time.
* Add introspection for math build.
* Raise build error if more than one multi-precision math library used.
* Fix ESP32 to support using any multi-precision math option.
* Refactor math headers to use `wolfmath.h`
* Refactor of the opaque math variable type `MATH_INT_T` used by crypto hardware (QuickAssist, SE050, ESP32 and STM32).
* Cleanups for building with `WOLFCRYPT_ONLY` and `NO_BIG_INT`.
* Stop forcing use of fast math by default for platforms in settings.h. Note: For users that still want to use fast math (tfm.c) they will need to add USE_FAST_MATH to their build settings.
Applies To:
```
WOLFSSL_ESPWROOM32
WOLFSSL_ESPWROOM32SE
MICROCHIP_PIC32
WOLFSSL_PICOTCP_DEMO
WOLFSSL_UTASKER
WOLFSSL_NRF5x
FREERTOS_TCP
WOLFSSL_TIRTOS
EBSNET
FREESCALE_COMMON
FREESCALE_KSDK_BM
WOLFSSL_DEOS
MICRIUM
WOLFSSL_SGX
```
ForceZero the client and server secret regardless of whether TLS 1.3 as
it may change but have been copied in.
ForceZero the input buffer in wolfSSL_Clear() when encryption was on.
Changed wc_PRF_TLS to only check the parts of data used.
Changed where scatch is added for checking in wc_AesCtrEncrypt.
Change wc_MakeRsaKey to memset p, q, tmp1, tmp2 and tmp3 to all zeros so
that MemZero check works. Memset not needed otherwise.
Changes for new compiler - thinks uninitialized.
src/internal.c: fix for -Wdeclaration-after-statement and clang-diagnostic-unreachable-code-break;
tests/api.c: fix for -Wunused-variable and clang-analyzer-deadcode.DeadStores;
olfcrypt/src/pkcs12.c: fixes for cppcheck uselessAssignmentPtrArg and arrayIndexThenCheck, and clang-tidy clang-analyzer-deadcode.DeadStores and clang-analyzer-core.NonNullParamChecker;
wolfssl/src/tls.c: fix for clang-analyzer-deadcode.DeadStores;
wolfcrypt/src/tfm.c: fix for clang-diagnostic-newline-eof;
src/tls13.c: fix for clang-analyzer-core.NonNullParamChecker.
HAVE_ECH only used by TLS 1.3 add protection around all code.
ssl->options.onlyPskDheKe only available when HAVE_SUPPORTED_CURVES.
CleanupClientTickets() defined when HAVE_SUPPORTED_CURVES.
TLSX_KeyShare_DeriveSecret only defined when HAVE_SUPPORTED_CURVES.
DecodeResponseData - initialize variable single.
New OpenSSL compatibility BN code requires mp_read_radix - turn on in
integer.c, sp_int.c when OPENSSL_EXTRA defined.
rsa.c:_CheckProbablePrime - make sure tmp1 and tmp2 are initialized
before error handling jumps to freeing them.
test_remove_hs_message uses 1024-bit DH key which is not supported when
using SP math with SP.
Long server IDs were being truncated. Hash long IDs instead.
TLS 1.3 session ticket on client side no longer added session to client
cache. Explicit call added.
Loading from memory based on register that is overwritten in ldrd.
When ldrd split out for older processors, register overwritten before
second load.
Switch order of loads in this case.
AES-GCM stremaing was caching IV even when larger than buffer copying
into.
Instead, require calls to wc_AesGcmSetIV() or wc_AesGcmSetExtIV() to
cache IV.
wc_AesGcmInit() now uses passed in IV or retrieves from cache.
on handshake messages' errors:
- don't send alerts on WANT_READ, WANT_WRITE and WC_PENDING_E "errors"
- use return error code to decide which alert description
to send
- use alert description handshake_failure in the general case
- if a fatal alert was already sent, do not send any new alerts. This allow
a more specific alert description in case the exact description can't be
derived from the return code
src/internal.c: In function 'SendCertificateVerify':
./wolfssl/wolfcrypt/types.h:345:40: error: attribute 'fallthrough' not preceding a case label or default label [-Werror]
345 | #define FALL_THROUGH ; __attribute__ ((fallthrough))
In file included from ./wolfssl/internal.h:27,
from src/internal.c:92:
src/internal.c: In function 'SendCertificateVerify':
./wolfssl/wolfcrypt/types.h:345:40: error: attribute 'fallthrough' not preceding a case label or default label [-Werror]
345 | #define FALL_THROUGH ; __attribute__ ((fallthrough))
DER/BER encoding requires positive numbers to not have leading zeros.
Sometimes customer's have examples that break the rules.
In those cases define: WOLFSSL_ASN_INT_LEAD_0_ANY
Define used in original ASN.1 implementation.
BN APIs from ssl.c have been moved out to ssl_bn.c that is included in
ssl.c.
Added defines for BN_rand() and BN_pseudo_rand() to indicate which bits
are to be set.
'internal' field now always maps to the ;mpi' field that is a MP
integer.
SetIndividualInternal/External renamed to wolfssl_bn_get/set_value.
Fixed BN APIs to work as closely to OpenSSL as possible.
Added tests.
Moved wolfssl_make_rng out to ssl.c as BN APIs are using it now.
SP int and TFM now check trials are in a valid range for
mp_prime_is_prime_ex().
configure.ac: remove implied --disable-examples when --disable-inline;
tests/api.c: always include wolfcrypt/src/misc.c;
wolfcrypt/src/misc.c: use WC_MISC_STATIC to designate staticness of the misc functions;
wolfssl/wolfcrypt/misc.h: define WC_MISC_STATIC to empty or static depending on #ifdef NO_INLINE or not (respectively);
wolfssl/wolfcrypt/types.h: #ifdef NO_INLINE, #define WC_INLINE WC_MAYBE_UNUSED, and move the definitions of WARN_UNUSED_RESULT and WC_MAYBE_UNUSED above the definition of WC_INLINE for clarity;
wolfssl/wolfcrypt/mem_track.h: always declare TrackMalloc() et al static (no functional change, because the state and callback bindings were and remain unconditionally static, but previously #ifdef NO_INLINE the functions were globals, leading to multiple definitions.
* Check for circular dependencies in compatibility headers
* Run header check only when ENABLED_OPENSSLEXTRA
* Add missing include
* Pedantic compilers don't like empty translation units
* Fix macro guards
* wolfcrypt/test/test.{c,h}: refactor to capture and encode error retvals using WC_TEST_RET_*() macros (based on line numbers), and print line and return code in err_sys().
* wolfcrypt/test/test.h: cast back to int in WC_TEST_RET_ENC(), to fix MSVC warning.
* configure.ac: add shake128 and shake256 to enable-all and enable-all-crypto;
* wolfcrypt/benchmark/benchmark.c: fix gating for bench_shake128() from !defined(WOLFSSL_NO_SHAKE128) to defined(WOLFSSL_SHAKE128).
* wolfcrypt/test/test.h: add WC_TEST_RET_TAG_* and WC_TEST_RET_DEC_TAG(), and refactor WC_TEST_RET_{ENC,DEC}_*() macros to implement the tag mechanism;
* add render_error_message() with tag-specific rendering of error strings;
* wolfcrypt/test/test.c: smallstack refactor of shake128_test() and shake128_absorb_test();
* wolfcrypt/test/test.c: change gating around mp_test() and related routines from defined(HAVE_VALGRIND) to defined(WOLFSSL_PUBLIC_MP);
* smallstack refactor of mp_test();
* refactor a slew of WC_TEST_RET_ENC_NC associated with XFOPEN/XFREAD to be WC_TEST_RET_ENC_ERRNO, and add error detection for XFREAD (previously silently tolerating zero retvals).
* wolfcrypt/test/test.c: build mp_test() only if WOLFSSL_SP_MATH_ALL or USE_FAST_MATH (in addition to WOLFSSL_PUBLIC_MP), because many general purpose functions such as sp_mulmod() are gated out in SP builds without WOLFSSL_SP_MATH_ALL.
* wolfcrypt/test/test.c: fix array bounds flubs in shake128_test();
* don't print_fiducials() in wolfcrypt_test() header, but rather, after render_error_message() in err_sys().
* wolfcrypt/test/test.{c,h}: wrap some overlong lines, and fix an unused-variable warning in mp_test_set_is_bit().
* wolfcrypt/test/test.c: fixes for several misplaced and several missing WC_TEST_RET_ENC_EC()s.
When a certificate is loaded then the private key type and size is set
based on the public key.
Always set, even if previously set.
Use case is setting an RSA certificate against ctx and then setting EC
certificate against ssl.
Made the following updates based on review feedback
Fixed mixed variable declaration and simplified cases by typedefing
wolfssl_RX64_HW_Hash to wc_Sha, wc_Sha224, & wc_Sha256
Added files to include.am so they are built when using make
Add WOLFSSL_RENESAS_RX64_HASH to settings.h and set WOLFSSL_NO_HASH_RAW
in settings.h based on value of WOLFSSL_RENESAS_RX64_HASH
Add and handle return value for rx64_hw_Open
Fix some minor formatting and comments
Adding support for SHA1, SHA224, and SHA256 hardware acceleration on
Renesas RX64 and RX71 microcontrollers.
This follows the a similar pattern as the Renesas TSIP support.
Speed comparison for hashing 64KB of data on a RX64M
| Hash Speed | SHA1 | SHA256 |
|:----------:|:----:|:------:|
| Hardware | 4ms | 4ms |
| Software | 11ms | 89ms |
Update define for RX64/RX71 SHA hardware support
This will allow for different hardware acceleration modules to be
enabled individually.
Init & Close for the RX64/RX71 SHA subsystem for WolfCrypt
This ensures that the SHA subsystem is ready for use when WolfCrypt
needs access to it.
Shorten the max line length, clean up comments
This wraps code and comments at 80 characters and adds some comments
In case buf size sz is too small it will get updated to the larger required value
and can't be used anymore to clear the buffer.
As the buffer is untouched don't need to clear it anyway.
Signed-off-by: Nuno Gonçalves <nunojpg@gmail.com>
SP ECC signing code was generating signatures with r of 0.
This is not allowed by the algorithm description.
Retry sig gen when r is 0 like when s is 0.
move typedefs for WOLFSSL_CRYPTO_EX_*() from wolfssl/openssl/compat_types.h to wolfssl/wolfcrypt/types.h, grouped with the other EX_DATA-related typedefs, as they are needed whenever defined(HAVE_EX_DATA) regardless of openssl compatness;
properly gate wolfSSL_CTX_get_ex_new_index() and wolfSSL_X509_get_ex_new_index() prototypes on defined(HAVE_EX_DATA).
* stunnel 5.67 support
- ssl->session->ticketAdd may be set when parsing a ticket before PSK
- PSK binders should be calculated based on ciphersuite associated with PSK
- Add option to prioritise PSK order instead of ciphersuite order
- Update ctx->method->version when using Set_CTX_max_proto_version API
- Simplify wolfSSL_parse_cipher_list
- Keep copy of old list and then add in the previous ciphersuites depending on whether we are doing only TLS 1.3 ciphersuites or not
- Specify CRL revocation in alert
- Match reason string to match OpenSSL
- Add support for external data callbacks for WOLFSSL_SESSION
* Upref the session for stunnel instead of duplicating it
* Add small stack option for wolfSSL_parse_cipher_list
* Espressif examples run with local wolfSSL (no setup!)
* include.am Espressif local no-setup component files
* cleanup Espressif Example CMakeLists.txt, use function
* multiple wolfSSL installs is now a fatal Espressif build error
* Examples no longer need setup
* CompileAll builds local examples, not IDF_PATH ones
* Espressif compileAllExamples both local & ESP-IDF components
* add wolfssl_test_idf test project
* move VisualGDB projects to subdirectories
* move VisualGDB wolfssl_server to subdirectory
* update include.am for moved VisualGDB project files
* Support rwlock
* Fix typo, ENABLE_SESSION_CACHE_ROW_LOCK with TITAN_SESSION_CACHE
* Implement read lock
- Use read lock for the SessionCache
- Don't copy the
* TLS 1.3: Don't push ticket to cache if we don't retrieve from it
* Detect rwlock support with PTHREAD_RWLOCK_INITIALIZER
* Implement explicit rwlocks
- Mutex's still necessary for signals. Implement explicit rwlocks and we can migrate critical mutexs to rwlocks when necessary.
* Remove WOLFSSL_USE_RWLOCK guard around mutex condLock
* condLock not necessary after all
* Use configure.ac to check for pthread_rwlock_destroy support
* Can't include config.h in wc_port.h as that breaks make distcheck
* Check for pthread_rwlock_t to determine if rwlock is available
* Code review
---------
Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* set the client state correctly when wc_ecc_ctx_set_kdf_salt is called
* add test that covers wc_ecc_ctx_set_kdf_salt
* use shared key and smallstack to reduce test stack usage
Add NIDs for RSA-PSS to OpenSSL compat layer.
Have wc_RsaPublicKeyDecode call wc_RsaPublicKeyDecode_ex where logic for
RSA-PSS handling is already done.
wolfSSL_EC_POINT_set_affine_coordinates_GFp wasn't checking the point is
valid for the curve. Added call to check point when setting.
Made check available for opensslextra.
Fixed test to have valid ordinates to set.
Two places in sp_invmod_mont_ct were not checking err is set before
performing a new operation and setting err. Change to check error before
performing operation.
API support doesn't allow for a point to be in Jacobian ordinates.
wolfSSL_EC_POINT_add() has ordinates in Montgomery form.
When needed, compile with WOLFSSL_EC_POINT_CMP_JACOBIAN.
wolfSSL_EC_POINT_set_affine_coordinates_GFp wasn't checking the point is
valid for the curve. Added call to check point when setting.
Made check available for opensslextra.
Fixed test to have valid ordinates to set.
./configure --enable-wolfssh --enable-cryptonly \
--disable-asn --disable-rsa --disable-ecc
./configure --disable-asn --disable-rsa --disable-ecc --enable-psk
./configure --enable-cryptonly --disable-asn --disable-rsa --disable-ecc
1. Fails compiling the KDF file, can't find c32toa inline function.
2. In configure, move the check for ECC when ASN is disabled up to the
other ASN checks. It also needs to be checked with cryptonly is
disabled.
used and size have no reason to be negative - change type.
Change code to match unsigned change. Mostly change variables to be
unsigned where possible.
integer.c: Only have mp_rand_prime available when needed and
mp_prime_is_prime_ex is available.
Fixes from regression testing.
Two places in sp_invmod_mont_ct were not checking err is set before
performing a new operation and setting err. Change to check error before
performing operation.
fix file descriptor leaks in AF_ALG code, and fix return codes (WC_AFALG_SOCK_E, not -1) in afalg_aes.c;
fixes for sanitizer-detected forbidden null pointer args in AfalgHashUpdate() and AfalgHashCopy();
fixes for resource leaks in api.c test_wolfSSL_AES_cbc_encrypt() (missing wc_AesFree()s);
fixes for resource leaks in test.c openssl_test() (missing wolfSSL_EVP_CIPHER_CTX_cleanup());
also some local fixes for bugprone-signed-char-misuse, readability-redundant-preprocessor, and clang-diagnostic-strict-prototypes, in src/pk.c and src/ssl.c.
* Fix for STM32 Hash peripherals (like on F437) with FIFO depth = 1.
* Cleanups for `XREALLOC` and new `WOLFSSL_NO_REALLOC` to force undef of `XREALLOC`.
* Change STM32 Cube to default to `NO_TLS_UART_TEST`.
Reworked the implementations of the EC APIs including:
wolfSSL_EC_curve, wolfSSL_EC_METHOD, wolfSSL_EC_GROUP,
wolfSSL_EC_POINT, wolfSSL_EC_KEY, wolfSSL_ECDSA_SIG, wolfSSL_ECDSA and
wolfSSL_ECDH.
Added support for EC parameters to PEM decoding.
EccEnumToNID() moved out of wolfCrypt - it maps NIDs defined in
wolfssl/openssl/ec.h to those in wolfssl/wolfcrypt/ecc.h.
Moved wc_OBJ_sn2nid() out of wolfCrypt - implementation uses
EccEnumToNID().
Changed reference counding to use wolfSSL_Ref.
Added tests to api.c that increase coverage of EC APIs.
_sp_div_small: Make it explicit as possible that we only want the bottom
digit of the product subtracted from the bottom word of t. Top digit is
unnecessary and more cycles used if calculated.
Fix for GeneratePublicDh was not right in #6002.
sp_DhExp_* are called from multiple functions.
Sometimes outLen contains a value and sometimes not.
Check public key output size in GeneratePublicDh before calling SP.
add support for EXTRA_CPPFLAGS, EXTRA_CCASFLAGS, and EXTRA_LDFLAGS;
fix typo in setup for CFLAG_VISIBILITY;
lightly refactor handling of CPPFLAGS/AM_CPPFLAGS in handlers for --with-liboqs, --with-wnr, and --with-cavium;
refactor+enhance options.h generation to handle -U directives.
Adding in tests of various versions of OpenWrt. Also simplified the way to reproduce potential issues and added in breadcrumbs for debugging.
Co-authored-by: Andras Fekete <andras@wolfssl.com>
mp_to_unsigned_len checks length and front pads with zeros.
Return MP_VAL when length is too small in all implemenations.
Make TFM implementation check length.
Add test case.
* First test
* Don't forget to run autogen.sh!
* Add tools needed by automake
* Try additional platforms
* Add in qemu for other platforms
* No real support for arm containers
* Fix indentation
* Simplify container build with a testing script
* Simpler names for actions
* No need to distribute OpenWRT test files
* Better list to put ignore files onto
* Create an 'ignore_files' list after all
* Add in some documentation of how OpenWRT tests work
* Fix up naming of OpenWrt
Co-authored-by: Andras Fekete <andras@wolfssl.com>
To speed up counting bits, use the instruction that counts leading zeros
in a word.
Fix _sp_div_3 to use registers with 0 in them for multiplication result.
* First attempt with GCC only
* Make the test run on every push temporarily
Also clean up the description of the workflow
* Fix invalid job name
* Missing hunks added
* Try out matrix actions
* Fix missing 'runs-on'
* Only needs to run on Ubuntu
* Use local installations of gcc/clang instead of containers
* Explicitly list out compilers to test
* Clean up names and concurrency group
* Only need to run on PRs and important branches
Co-authored-by: Andras Fekete <andras@wolfssl.com>
- Allocate ssl->suites when necessary for the WOLFSSL object to have its own instance. Use AllocateSuites() to allocate the object.
- Move cipher negotiation options from Suites into Options
ZD15346
The DTLS server needs to save the message_seq number of the client
hello for use in both the hello verify request in the stateless start
and for the server hello. Move the stashing of the value earlier in
DoClientHello(). (Issue #5224)
* Adding some developer utilities for Docker.
* Add support for `make test`
* Don't need to run the testsuite specifically
* Share .gitconfig and ssh keys with the container
Co-authored-by: Andras Fekete <andras@wolfssl.com>
* Fixed `PEM_BUFSIZE` macro redefined when building with coexist.
* Updated the `user_settings_all.h` and `user_settings_wolfboot_keytools.h` to include latest options.
* Improved API unit test error case checking where `TEST_RES_CHECK` is not used.
* Changed `TEST_SKIPPED` to unique value.
* Added CI tests for enable-all, small stack, and user setting templates.
* Refactor GitHub actions and add ESP tests.
* Add script for building all examples for ESP.
* Fixes for ESP-IDF v5.0
* Consolidating Espressif files into a single include.am
Co-authored-by: Andras Fekete <andras@wolfssl.com>
pool->sz is the size without the record header. The handshake header is present already.
Reproducible with
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
or
./udp_proxy -p 12345 -s 127.0.0.1:11111 -x 1:3 -S server
and
./examples/server/server -l ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305 -u -i
./examples/client/client -l ECDHE-RSA-AES256-GCM-SHA384 -u -R -p 12345 -i
There seems to have been a misunderstanding that WOLFSSL_OP_NO_TICKET would only disable tickets
for TLS version lower than 1.2. But it includes 1.2 as well.
Fix random prime generation for big endian to set low bits after
shifting top word.
Allow SP_MATH to be built without RSA, DH and ECC - needed for PKCS#12.
Add DH 2048 bit parameters to cert_test.c for test.c when NO_ASN and
WOLFSSL_SP_MATH.
This method requires some explanation. Its sibling is
int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
which re-inits the WOLFSSL* with all settings in the new CTX.
That one is the right one to use *before* a handshake is started.
This method was added by OpenSSL to be used *during* the handshake, e.g.
when a server inspects the SNI in a ClientHello callback and
decides which set of certificates to use.
Since, at the time the SNI callback is run, some decisions on
Extensions or the ServerHello might already have been taken, this
method is very restricted in what it does:
- changing the server certificate(s)
- changing the server id for session handling
and everything else in WOLFSSL* needs to remain untouched.
aia is a stack and must be pop freed rather than freed with XFREE.
Extract function that creates Authority Info Access stack.
Fix spelling issue raised by codespell.
Configuration
- thread-local storaoge is selected when available
- '--enable-error-queue-per-thread' and '--disable-error-queue-per-thread' can
be used as before to explicitly en-/disable the feature.
Implementation:
- with thread-local-storage, error queue is realized in one struct without
allocations. Queue size is restricted to 16 entries (per thread), which
is the same limit in OpenSSL 1.1.x.
- without thread-local-storage, all error queue operations are mutex locked
- wc_PeekErrorNodeLineData() and wc_GetErrorNodeErr() added for use by SSL
functions to allow locked queue iterations/manipulations.
Enabling SP with ASM didn't enable SP or error out when SP wasn't
configured. Now enables SP when '' and errors when 'no'.
SAKKE modinv used large amounts of stack. Change to have more temporary
memory allocated increased to cover the usage.
ECC, SAKKE: sp_<bits>_ecc_mulmod_<cpu><words>() used large amounts of
stack. Allocate when WOLFSSL_SMALL_STACK.
wc_DhCheckKeyPair() not available when HAVE_SELFTEST.
Wasn't compiled in before as WOLFSSL_HAVE_SP_DH wasn't defined.
--enable-entropy-memuse enables the software base entropy gatherer.
The entropy source uses difference in timing to read/write cache lines.
Random indeces into a buffer are updated with the high resolution timer
value which is fed into a hash to produce further random indeces.
The current time is added to the entropy samples at time of
conditioning.
When initializing the RNG and are using RDRAND, or one of the other
replacement random number generators that could fall back to the
Hash_DRBG if unavailable, set the status to DRBG_OK. This would fix a
problem if someone assumes the DRBG status is meaningful.
Make sp_rshd not available when WOLFSSL_SP_MATH in header.
sp_rshd is not required by any wolfCrypt code.
Fix sp_rshd comment on #endif
Make sp_div publicly available in some WOLFSSL_SP_MATH builds.
Delare sp_div for some WOLFSSL_SP_MATH builds.
Fix test.c to compile with WOLFSL_SP_MATH and HAVE_VALGRIND.
- adding patch for HAProxy, see dod/QUIC.md, based on current master.
For documentaton purposes, since HAProxy does not accept PRs. To be
removed once forwarded to the project.
SP int can be configured to declare temporary sp_ints.
Check that the requested number of digits is not larger than the max
supported (SP_INT_DIGITS).
Also check arrays of sp_ints too.
ULLONG_MAX is not defined for old versions of C compiler.
An unsigned long long type may still be available though.
Don't use unsigned long long for a 64-bit type when NO_64BIT is defined.
Tidy up Espressif ESP32 test and benchmark examples:
* add VisualGDB project and solution files for server and client
* "hardware in use revert to software" is now verbose level message
* Remove (void) TAG; - not needed to appease compiler
* include esp_log.h lib with defined(WOLFSSL_ESPIDF)
* large ESP32 default stack size
* check for max number of arguments assembled into array
* cleanup & comments per code review
* wolfssl_test VisualGDB updates
* Espressif wolfssl_test default stack 55,000 bytes
Change API test cases to return a result.
Test success is now TEST_SUCCESS (1).
Test result can be returned with use of macro TEST_RES_CHECK().
Always print the id, name of the test and the result (skipped or
otherwise) before and after running the test case.
Changed test case output to go to stderr.
Fixed some formatting.
Add option to take index and/or name of test case to run.
Added option to list all API tests.
Added option to only run API tests.
Added options to show usage.
Fixing issue #3070. When the OCSP responder returns an unknown exception,
continue through to checking the CRL. Before, it was setting the flag
to check CRL, then clearing it because of the exception.
This fixes hash based dir lookup of ASN1/DER CRLs in OpenSSL
compatible API. The function wolfSSL_X509_load_crl_file is
called with entry->dir_type, rather than hardcoded filetype.
A new test crl was added, and existing crl 0fdb2da4.r0 was
reorganized to a new dir.
Also, completes the stub wolfSSL_X509_LOOKUP_add_dir. A new
test function test_X509_LOOKUP_add_dir was added to tests/api.c
Specific compress key code for P521 doesn't need a n square function.
Fixing generation of x86_64 ASM scripts resulted in adding carriage
return to chacha_asm.S.
clang-analyzer-deadcode.DeadStores in examples/server/server.c;
-Werror=use-after-free and LeakSanitizer Direct leak in tests/api.c;
nullPointerRedundantCheck in src/pk.c which identified a semantically consequential flub.
In configure.ac and CMakeLists.txt, check for the header
Security/SecTrustSettings.h. If this header is found, enable the feature. If
it isn't, disable it. For non-configure/non-CMake builds, require the user to
explicitly define HAVE_SECURITY_SECTRUSTSETTINGS_H if they want to use system
CA certs (handled in settings.h).
For shared secrets, when a curve has a cofactor, the private key (in
range of order) is multiplied by the cofactor before use.
If there is a cofactor involved, check bit size of scalar against
modulus instead of order.
fflush stdout after each scenario for line-buffered pipelining;
refactor csv_header_count into sym_header_printed, asym_header_printed, and pqasym_header_printed;
move SAKKE tests to precede PQ tests;
rename bench_stats_sym_check() to bench_stats_check();
add bench_stats_asym_finish_ex() accepting a "desc_extra" arg, and use it to disambiguate otherwise-homonymous SAKKE runs;
fix bench_aesecb_internal() to not check time (syscall) for every 3 blocks processed.
Ed25519 and Ed448 need to enable certs.
If no system CA certs can't be parsed,
wolfSSL_CTX_load_system_CA_certs() will fail. Don't try test if RSA and
ECC are not enabled.
Fix benchmark.c so that e is defined when WOLFSSL_BENCHMARK_ALL defined.
MAX_LENGTH_SZ is 4 and supports lengths up to 2^24 - one byte for length
and 3 bytes of length.
(new gcc compiler fix)
Don't ForceZero the output buffer before free.
ForceZero it when encryption fails.
ShrinkInputBuffer needs to zeroize input buffer even if not currently
encrypting as it may be using the buffer on wolfSSL object reuse.
Fix SP to zeroize the whole buffer.
Fix DH to check cBuf when WOLFSSL_CHECK_MEM_ZERO defined.
Reorganized the DH APIs into groups.
Reworked all DH APIs.
Improved testing of DH API.
Implemented wolfSSL_PEM_read_RSAPublicKey() and
wolfSSL_PEM_write_RSA_PUBKEY().
Fix public key PEM write implementations to use the correct
header/footer names.
Added support for "RSA PUBLIC KEY" in header and footer in DerToPemEx().
Reworked PEM read/write APIs to be independent. No longer create an EVP
to use common function - common functionality refectored out.
Similarly file APIs don't create a BIO and call the partner APIs.
Improved testing of PEM read/write APIs.
Generic read BIO from memory BIO now returns the buffer instead of
allocating memory and reading.
No longer reading chunks when a file BIO.
Added wolfssl_make_rng() to create or get get global random. All RSA and
DH APIs now use this. DH_generate_parameters() creates a random object
and use global on error rather than just using global random.
Changed implementations to use BIO_new_fp() instead of create a new BIO
and setting file pointer.
- Pass in the build configuration to the output rpm package
- Compiler test fails in %configure step in %prep due to missing linker script (injected by rpmbuild). Moving to %build section.
- .la files not wanted in rpm package and delete .la file after install step
- Compiler test fails due to missing linker script (injected by rpmbuild)
https://fedoraproject.org/wiki/Changes/RemoveLaFiles#Upgrade.2Fcompatibility_impact
- Conditional include sp_int.h
- FIPS header and hash update
1. Add a flag to the DH test to indicate that the second key is initted.
2. Add a flag to the DH test to indicate that the RNG is initted.
Fixes an issue where the DH wolfCrypt test can crash or lock up when
the DH parameters file is missing. Localized to the test only.
For the CMake and autotools flows, enabling user_settings.h will define the
macro WOLFSSL_USER_SETTINGS_ASM. This will cause the generated
user_settings_asm.h to be included in the .S assembly files. If the user is
building without autotools or CMake, these files will include user_settings.h
directly, unless WOLFSSL_USER_SETTINGS_ASM is defined.
* Fix api.c build error with `NO_FILESYSTEM` and `WOLFSSL_CERT_EXT`.
* Fix for building tests/suites.c with static memory (missing `LARGEST_MEM_BUCKET`).
* Always expose `wc_ecc_set_rng` for compatibility.
When looking up the session by ID on the server, check that the protocol
version of the SSL and session match on TLS 1.3 or not.
TLS 1.3 sessions don't work with TLS 1.2 handshakes and vice-versa.
For sqr and mul (28/32 bits) the sums of products can exceed maximum
64-bit signed value. Handle last sum value, that may cause overflow,
separately.
Fix formatting of overflow last line.
Added new x86 assembly for AES.
AES-CBC decrypt only 4 blocks at a time (not 6 or 8) due to reduces
register count.
GCM implementation for AVX2, AVX1 and AESNI only.
Disabled looking for other assembly files for x86.
For user_settings.h builds, .S assembly files need to include user_settings.h
in order to get the defines used by the build. However, a user_settings.h may
contain code only understood by a C compiler and not the assembler (e.g. a
typedef). This commit makes it so our autotools and CMake builds produce a file
user_settings_asm.h when doing a user_settings.h build. This generated header
contains only the preprocessor directives from the user_settings.h. As a result,
it can be safely included by our assembly code files.
WOLFSSL_PSS_LONG_SALT and WOLFSSL_PSS_SALT_LEN_DISCOVER are supported in our
latest FIPS module (v5). These should be defined for engine builds as long as
the FIPS version isn't v2.
* add Versal specific glue
The same structure of an "XSecure client" is used throughout the API's,
therefor define it once and re-use in all clients.
* integrate Versal AES-GCM engine
* integrate Versal SHA3-384 engine
* add versal support to tests
- There's no intermediate-hash API for Versal.
* add specific test with large AAD
Test only with `n*16 byte` wide chunks of AAD, so it gets processed in the
hardware engine.
* add specific test with misaligned AES-GCM arguments
* integrate Versal RSA engine
* disable failing RSA test-case when Xilinx Crypto is enabled
* introduce define `WOLFSSL_XILINX_CRYPT_VERSAL`
* integrate Versal TRNG engine
* allow using Versal TRNG w/o wolfcrypt DRBG
Versal TRNG already provides a HRNG mode which does the same as the
wolfcrypt DRBG implementation.
* add support for user-supplied nonce to Versal TRNG
* add `wc_XsecureErrorToString()` to map PLM error codes to messages.
* integrate Versal EcDSA engine
* update tests to work with Versal EcDSA
If deterministic K is enabled, the tests failed here since the Versal
EcDSA engine doesn't support the SECP256R1 curve yet.
* Xilinx crypto engines like aligned memory very much
Make this a default choice, not via the user configuration.
* add Xilinx-specific `WOLFSSL_MSG()` equivalent
`WOLFSSL_XIL_MSG()` does the same as `WOLFSSL_MSG()` besides waiting for
1 second before printing to stdout, since the PLM maybe prints to same and
outputs would be mixed up.
This waiting can be disabled by defining `WOLFSSL_XIL_MSG_NO_SLEEP`.
* add option to enable DPA CounterMeasures in AES-GCM crypto engine
* add "command mode" to Xilinx bare-metal example
* update Xilinx default user settings
* add script to execute benchmarks
* add scripts to create graphics
* add Vitis 2022.1 example projects
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* add option to run benchmarks with and w/o AAD
This adds the possibility to benchmark AES-GCM and AES-CCM both with and
w/o AAD, with the option to also run both.
The default behavior when wolfSSL provides the `main()` function is
unchanged.
The default behavior when wolfSSL doesn't provide the `main()` function has
been changed to "run both benchmarks - with and w/o ADD".
* add option to run benchmarks against 4096bit RSA&DH keys
* remove `BENCH_SIZE` macro from benchmark.c
* pre-define benchmark sizes in a single place, before it had to be done in two places
* improve `benchmark_static_init()`
- static variable doesn't need to be in global scope
- add option to force re-init
- add more static variables to be reset
* add `-blocks` option to benchmarks
* expose benchmark `main()` as `wolfcrypt_benchmark_main()`
* fix benchmark `-?` output
* use correct SI/Binary prefix in benchmarks
* use a separate column per detail in CSV output of benchmark
* add `-aad_size` option to benchmark
* don't always print symmetric CSV headers
* always use M[i]B/s when output format is CSV
* Versal specific patches for benchmarks
This also removes the default define for `COUNTS_PER_SECOND` for Xilinx
targets, since I prefer to have a build failure over wrongly calculated
output.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* fix compilation warning
* adjust SHA3-384 test error-codes
The way the codes were constructed before, they were not unique.
* unify code
Instead of having `ifdef`'s in the code, define our own wrapper around
the keysource as required.
* add CMake option for help-text in wolfCrypt tests
* expose test `main()` as `wolfcrypt_test_main()`
* Don't overwrite previously set errors
* add FreeRTOS support for Xilinx demo
* move `fp_reverse` from `tfm.c` to `wolfmath.c` and rename to
`mp_reverse`.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Generation scripts fixed for ARM32.
Regenerated output inlcudes:
- support for ARM32 architectures less than 7
- SP code also ensures parameters are in specific registers
This new function, wolfSSL_CTX_load_system_CA_certs, currently only supports
Linux-based OS's. It searches through conventional CA directories and once it
finds one, attempts to load CA certs from it. After the first directory is
found, we don't check the others.
This commit also adds a function wolfSSL_get_system_CA_dirs, which returns a
pointer to an array of directories where wolfSSL_CTX_load_system_CA_certs will
look for CA certs. This is used in a unit test, where we only want to expect
success if one of these directories actually exists on the test system.
Finally, this commit adds support for SSL_CTX_set_default_verify_paths to the
compatibility layer. It doesn't model the exact behavior of its OpenSSL
counterpart; it's mostly a wrapper around wolfSSL_CTX_load_system_CA_certs,
manipulating the return value of that function to conform to OpenSSL's
conventions.
Make logic to avoid masking return error conditionally compiled based on STSAFE configuration
Update logic at second crypto-callback location to return error code rather than mask it
configure.ac: Get rid of v5-RC8, v5-RC9, v5-RC10, v5-RC11, v5-ready, and v5-dev.
v5-ready is now just ready and v5-dev just dev.
IDE/WIN10/user_settings.h: Make the FIPS blocks define HAVE_FIPS. Change WCv5.0
block to WCv5.0-RC12. Change FIPS Ready block to use HAVE_FIPS_VERSION_MINOR 3
instead of HAVE_FIPS_VERSION_MINOR 2.
In async mode, we always store all handshake messages before processing them. The server hello done message has a length of 0 but we still need to store it to process it.
in DtlsMsgNew(), iff WOLFSSL_ASYNC_CRYPT, allow sz==0 allocation, to fix infinite loop in ProcessReplyEx() around DoDtlsHandShakeMsg();
in DtlsMsgAssembleCompleteMessage() restore fix from 0603031362 for pointerOutOfBounds (undefined behavior) construct;
in ProcessReplyEx(), in WOLFSSL_DTLS13 case ack, check and propagate error from DoDtls13Ack() (fix from @guidovranken).
Check size passed to mp_init_size() 1..SP_INT_DIGITS.
More checks of parameters to SP int functions to ensure result is big
enough to hold value calculated.
ticketEncCb can return WC_PENDING_E. If it does in DoClientTicket, we need to
propagate this up to the calling function (e.g. DoPreSharedKeys), rather than
treating it as a failure.
I tested this by running the following experiment
./examples/server/server -v 4 -r &
./examples/client/client -v 4 -r
and adding the following async simulation code to wc_ChaCha20Poly1305_Decrypt:
#ifdef WOLFSSL_ASYNC_CRYPT
static int testAsync = 0;
if ((testAsync++ % 2) == 0) {
return WC_PENDING_E;
}
#endif
Prior to these changes, you can see that the WC_PENDING_E will not be handled
properly in DoClientTicket (using gdb). A full TLS handshake proceeds from
there. With this commit, running the same experiment shows the pending error
being handled properly.
- Mark old epochs as invalid so we don't attempt to decrypt with them
- Return a non-zero value if possible in unit tests
- Move Dtls13CheckAEADFailLimit to dtls13.c
- Reset state in processreply
wolfSSL_clear: check return from InitSSL_Suites() call.
TLS13: check ClientHello cipher suite length is even.
Silently remove duplicate cipher suites from user input.
Add tests of duplicate cipher suite removal.
Don't define WOLFSSL_HAVE_KYBER unless configured.
Only compile code in ext_kyber.c when WOLFSSL_HAVE_KYBER defined.
Include config.h and settings in ext_kyber.c. This allowed
HAVE_VISIBILITY to be defined.
Cleanup kyber.h.
Handle multiple instances of the same cipher suite being in the server's
list.
Fix client order negotiation of cipher suite when doing pre-shared keys.
- Use wolfSSL API wolfSSL_set_groups() and wolfSSL_CTX_set_groups()
to configure curves list
- This sets ssl->groups and ctx->groups accordingly and makes
TLSX_KEY_SHARE generation respect the selection and precedence.
- Add tests in quic to assert the order of selections.
Fix Small Stack Cache option so that it works with various options
including ALT_ECC_SIZE.
Allow ALT_ECC_SIZE when SP math all or SP math is compiled in.
Cortex-A5 - Cortex-A9 only support 64-bit wide NEON.
Remove use of WOLFSSL_ARM_ARCH_NO_VREV.
Use WOLFSSL_ARM_ARCH_NEON_64BIT to indicate to use 64-bit NEON registers
and not 128-bit NEON registers.
fix bugprone-macro-parentheses in wolfssl/ssl.h;
fix pointerOutOfBounds and declaration-after-statement in src/internal.c DtlsMsgAssembleCompleteMessage().
- Use WOLF_SK_COMPARE_CB() to generate the correct types instead of using void* for the callback parameters.
- Remove WOLFSSL_STACK.comp entirely since it is not used anywhere. Ignore input parameters that used to set this member.
This function would only accept the string "SHA" for SHA-1-based HMAC, but it
should also accept "SHA1." This is similar to how wolfSSL_EVP_get_digestbyname
allows both "SHA" and "SHA1." We didn't have a test for this in api.c. I added
one, and it failed before my fix here.
Don't reserve the full message length of memory. Instead we only allocate memory for the fragments that we have already received. We also dynamically combine memory fragments when we receive overlap.
Change to build assembly code for ARMv7a with NEON instruction set.
./configure -host=armv7a --enable-armasm
Added ARM32 SHA-256 NEON only implementation.
- wire the wc_ChaCha_* implementation into the EVP API
as `wolfSSL_EVP_chacha20`
- follow IV conversions of OpenSSL
- add test case
- have QUIC support use this for header protection when
CHACHA20_POLY1305 has been negotiated in the handshake.
Checking WOLFSSL_MAX_RSA_BITS against SP_INT_BITS even though RSA is
disabled.
/configure --disable-shared --enable-sp --enable-sp-math --disable-rsa
--disable-dh --enable-ecc
Ed25519 and Ed448 make public key APIs now check whether the private key
was set.
The private key and public key flags setting and clearing also updated.
Testing of unset private key and calling make public key added for
Ed25519 and Ed448.
Change to use 64-bits for types stored - use WOLFSSL_32BIT_MILLI_TIME if
a 64-bit type is not available.
TimeNowInMill() returns 0 on error instead of GETTIME_ERROR.
Detect when certificate's RSA public key size is too big and fail on
loading of certificate.
Fix unit test to only attempt to use 3072 bit RSA-PSS keys when
RSA_MAX_SIZE supports it.
* Add test case for OpenSSLs capability to init a evp context partially in several calls.
* EVP handling of CHACHA20_POLY1305 improvment
- save key at ctx for Init()s without IV
- reuse stored key for Init()s with new IV, reusing ctx
- free and zero key on ctx clenaup
* Adding type cast to XMALLOC to force compiler compatibility.
* EVP: using same DYNAMIC_TYPE in alloc and free of chacha20_poly1305 key.
Co-authored-by: Stefan Eissing <stefan.eissing@greenbytes.de>
Add x86_64 assembly code:
- BMI2
- AVX2 (using ymm, slower than BMI2)
- AVX2 of 4 similtaneous hashes
Add SHAKE128 functions and tests.
Add Absorb and Squeeze functions for SHAKE128 and SHAK256 and tests.
Add doxygen for SHA-3 and SHAKE functions.
Update other generated x86_64 assembly files to include settings.h.
in api.c test_wolfSSL_dtls12_fragments_spammer(), inhibit clang-analyzer-deadcode.DeadStores;
in asn.c ParseCRL_Extensions() old (!WOLFSSL_ASN_TEMPLATE) version, fix bounds check to prevent overshift;
in misc.c ctMaskCopy(), use `*(x + i)`, not x[i], to tiptoe around cppcheck-2.9 objectIndex bug.
P-256/384/521.
New functions:
- sp_ecc_make_key_256_nb
- sp_ecc_make_key_384_nb
- sp_ecc_make_key_521_nb
- sp_ecc_secret_gen_256_nb
- sp_ecc_secret_gen_384_nb
- sp_ecc_secret_gen_521_nb
This commit also tweaks the testing for ECDSA testing in test.c. Instead of
testing with one of P-256/384/521, we test with all that are available.
This function was just freeing the stack object itself of GENERAL_NAMES with
wolfSSL_sk_free, but this doesn't free the data in the items of the stack. The
fix is to replace wolfSSL_sk_free with wolfSSL_sk_GENERAL_NAME_free.
1. In api.c, change the name of the devId global to testDevId.
2. In api.c, for the SNI test, some of the pointers were multiply
typecast eventually to `void **`. An older compiler didn't like
that. Just use void pointer.
Fix handling of counter to support incrementing across all bytes in
ARM32 crypto asm.
Added test cases for wrapping of counter when 2 blocks are being
encrypted to check assembly alternative path.
Verifying gnerated ECC signature in TLS handshake code to mitigate when
an attacker can gain knowledge of the private key through fault
injection in the signing process.
Requires WOLFSSL_CHECK_SIG_FAULTS to be defined.
Fix handling of counter to support incrementing across all bytes in ARM
crypto asm.
Added test cases for wrapping of counter.
Extracted ARM ASM for AES-CTR.
Use ASM to created encrypted temporary block.
- PR #5486 had test failures in tls13.test and quit unit.test
- the extension was no longer added in SessionTicket messages
- added extra parameter to clarify how the TLSX is used
- Optimize memory usage. Write directly to ssl->session->ticket in CreateTicket() and use a hash to make sure the InternalTicket was encrypted.
- DoClientTicket does not fatally error out anymore. Errors in the ticket result in the ticket being rejected instead.
OpenSSL compat expects ASN_SELF_SIGNED_E when a self signed cert can't be verified. This is useful when translating the error with GetX509Error into a X509_V_ERR_* error.
- add wolfSSL_CTX_curve_is_disabled() and wolfSSL_curve_is_disabled()
to have common checks on wether a curve has been disabled by user
- add macros returning 0 for above function when OPENSSL_EXTRA is not
defined, enabling use without #fidef check
- add macros for checking if named groups are in a certain range
WOLFSSL_NAMED_GROUP_IS_FFHDE()
WOLFSSL_NAMED_GROUP_IS_PQC()
Fixed QuicTransportParam_free() use without case when compiling
with c++.
* PSA: set AES key bits, define PSA_ALG_NONE/PSA_KEY_ID_NULL if needed
* Zephyr: add TimeNowInMilliseconds() for tls13.c, clock_settime() for test.c, update CMakeLists.txt
* Skip including unistd.h for Zephyr in benchmark.c
* Zephyr: update README, add nRF5340dk support to wolfssl_test sample app
* Zephyr: add wolfCrypt benchmark sample app
* Zephyr: add nRF5340 support to tls_thread sample app
* PSA: use specific hash algo with psa_sign/verify_hash()
* Zephyr: add support for PSA Crypto API with PK callbacks to wolfssl_tls_threaded sample app
* Zephyr: add new files to zephyr/include.am
fix TLS version gating in tests/quic.c;
fix gating in src/ssl.c for wolfSSLv2_client_method() and wolfSSLv2_server_method();
reorganize prototypes in wolfssl/ssl.h for wolf*_method*() to group systematically by protocol version and gate correctly on support for that version in the build.
- new internal field for keeping early data enabled status,
as QUIC does not call SSL_write_early_data() itself.
- using read_/write_early_data() methods in QUIC handshake
when early data is enabled. This triggers the internals
that emit the proper early data indication handlings.
Also:
* added HAVE_FALCON guards as needed.
* corrected minor falcon bugs as I found them.
* handling OID sum collision between DILITHIUM_LEVEL5 and DILITHIUM_AES_LEVEL3
Tested with the following commands:
examples/server/server -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
with permutations of SHAKE,AES variants and levels 2,3,5
Support wolfSSL_CTX_set1_curves_list being available when X25519 and/or
X448 only defined.
Don't recognize X25519 or X448 if corresponding define is not set.
Enable test in api.c.
Add support for parsing and verifying certificates with RSA-PSS
signatures. Including check PSS parameters in key with those in
signature algorithm.
Add support for parsing private RSA PSS key.
Add support for parsing public RSA PSS key.
added numerous missing _SMALL_STACK code paths (PK objects on the stack);
in settings.h, enable WOLFSSL_SMALL_STACK_STATIC by default when WOLFSSL_SMALL_STACK is defined (NO_WOLFSSL_SMALL_STACK_STATIC to override);
fixes for unsafe strcat()s in tests/quic.c;
fix for unsafe macro WOLFSSL_IS_QUIC();
fix to exclude quic from enable-all when enable-linuxkm (quic needs opensslextra, and opensslextra currently only works in-kernel in cryptonly builds);
fix for signed/unsigned clash in wolfSSL_quic_receive().
In test with ngtcp2 example client using openssl, session resumption
against a QUIC wolfssl server failed. The error was tracked down to
wolfSSL believing EaryData needs to be handled and returning SUCCESS
from wolfSSL_SSL_do_handshake() after the server Finished had been
sent.
However the handshake was not complete and ngtcp2 invoked the
post_handshake processing for new data arriving from the client.
This failed a check in post processing that the ssl->handShakeState
actually was HANDSHAKE_DONE.
The workaround in this PR repeats do_handshake until the ssl
state acually says it is complete. This way, session resumption works.
Either this alternative do_handshake() is merged for QUIC protocol
hanlders. Or we need to fix the 'normal' do_handshake() to no return
SUCCESS when early data is expected on a QUIC WOLFSSL.
use camel case not underscores in variable names;
restore use of const int variables for buffer sizes in several spots (for ease of smallstack code paths should they be needed);
use more MISRAish flow control in X509PrintSignature().
also, capture the retval from several more snprintf()s to pass directly to wolfSSL_BIO_write(), avoiding frivolous strlen()s.
fix various possible buffer overruns;
fix various runtime-error-driven memory leaks;
various refactors for efficiency, clarity, and safety, including refactors to eliminate unsafe XSTRNCAT() calls.
wc_CertNew() and wc_CertFree() is for use by ABI type aplications, and
others, for having wolfCrypt perform the new/free of the certification
structure w/o the application needing too, and more importantly, needing
to contain knowledge of the structure.
We have users who need to debug errors coming out of libwolfssl in production,
where --enable-debug isn't an option. Our error queue implementation is the
solution, but our usage of WOLFSSL_ERROR isn't consistent. This commit greatly
expands our usage of WOLFSSL_ERROR. There are too many error cases to tackle
all at once, and not all error cases are particularly meaningful or likely to be
hit in regular operation of the library. I've tried to focus on errors that
users are likely to hit, and I've chosen to ignore things like the mountain of
BUFFER_E and BAD_FUNC_ARG cases (for the most part). I've also tried to expand
WOLFSSL_ERROR usage in files where we haven't been using it historically
(e.g. aes.c), so the pattern is now there for other developers to follow. In
order to prevent these additions from exploding the size of libwolfssl, they're
all behind a new macro, WOLFSSL_ERROR_VERBOSE. If WOLFSSL_VERBOSE_ERRORS is
defined, WOLFSSL_ERROR_VERBOSE just maps to WOLFSSL_ERROR.
- can be reverted to previous style by defining NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
- QUIC interop testing reveals that at least QUIC stacks refrain from
issuing session tickets unless the ClientHello shows this extension.
The call to FreeAsyncCtx after SendBuffered was added to clean up state when we are ready to advance state. If we do not advance state, then clean up should be handled in the relevant state.
The error is due to the message triggered by the processing of the
message (Connect()->SendTls13Certificate/SendTls13CertificateVerify/SendTls13Verify). Consider
the message processed to avoid double processing.
- Modify all existing tests to return an int. This moves us in the direction of
being able to return error/success from a test rather than just calling abort
when something fails. Also, all tests now have the same signature, so they can
easily be members of an array of test cases.
- Wrap each test in a TEST_CASE struct, which just stores a pointer to the test
function and the name of the test, for now. In the future, other metadata can
be added (e.g. should this test be run/skipped) to TEST_CASE, if desired.
- Modify all tests to return 0 on success. Right now, this doesn't do us much
good because the failure mechanism isn't returning some value != 0, it's
abort.
- Add TestSetup and TestCleanup functions that run before and after each test,
respectively. The former does nothing right now, and the latter clears the
error queue, if the error queue is compiled in.
During post-handshake authentication async code mistakes connect() error code
with the error code of DoTls13CertificateRequest and wrongly rewinds the buffer.
The bug was never triggered because of side effects of ShrinkBuffer (removed in
40cb6e0853)
wolfSSL_ERR_get_error and wolfSSL_ERR_peek_error_line_data should return the
earliest error in the queue (i.e. the error at the front), but prior to this
commit, they returned the latest/most recent one instead.
In DoAlert, we were adding an error to the queue for all alerts. However, a
close_notify isn't really an error. This commit makes it so DoAlert only adds
errors to the queue for non-close_notify alerts. In ReceiveData, similarly, we
were adding an error to the queue when the peer sent a close_notify, as
determined by ssl->error == ZERO_RETURN. Now, we don't add an error in this
case.
Don't assume that the underlying medium of DTLS provides the full message in a
single operation. This is usually true for message-based socket (eg. using UDP)
and false for stream-based socket (eg. using TCP).
Commit changes:
- Do not error out if we don't have the full message while parsing the header.
- Do not assume that the record header is still in the buffer when decrypting
the message.
- Try to get more data if we didn't read the full DTLS header.
Improve not to use forward declaration struct definition
- include ssl.h rather than forward declaration struct to resolve struct name
- to include ssl.h, it needs to avoid cyclic reference for crypt structure. therefore, Sha and Aes definitions are moved to another header file
add wolfCrypt error codes IO_FAILED_E "Input/output failure" and SYSLIB_FAILED_E "System/library call failed";
tests/api.c and tests/unit.c: flush stdout for error message in Fail() macro, add fflush(stdout) after printf()s, print success message at end of unit_test(), and send several error messages to stderr instead of stdout;
wolfcrypt/test/test.c: add fallthrough macro definition of printf() that pairs it with fflush(stdout);
unit.h: in definition of macro AssertPtr(), add PRAGMA_GCC("GCC diagnostic ignored \"-Wpedantic\"");
sp_int.c: refactor several lingering instances of "if (0) { ... }" code pattern to #if 0 ... #endif.
This fixes the following things:
* Memory leaks in SE050 SHA messages
* Add key to SE050 for ECC sign hash function
* Remove circular include
* Correct prototype for `se050_hash_final`
* A few defined check fixes
NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
* Old CyaSSL/CtaoCrypt shim layer was removed in this release (5.6.4)
## Vulnerabilities
* [Medium] A fix was added, but still under review for completeness, for a Bleichenbacher style attack, leading to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a large number of trial connections. This issue is around RSA decryption and affects static RSA cipher suites on the server side, which are not recommended to be used and are off by default. Static RSA cipher suites were also removed from the TLS 1.3 protocol and only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It's recommended to disable static RSA cipher suites and update the version of wolfSSL used if using RSA private decryption alone outside of TLS. The fix is located in this pull request (https://github.com/wolfSSL/wolfssl/pull/6896)
## New Feature Additions
* DTLS 1.3 PQC: support fragmenting the second ClientHello message. This allows arbitrarily long keys to be used, opening up support for all PQC ciphersuites in DTLS 1.3.
* SM2/SM3/SM4: Chinese cipher support including TLS 1.3 and 1.2 cipher suites. SM2 SP implementation available.
* Ability to parse ASN1 only with SMIME_read_PKCS7
* Added support for MemUse Entropy on Windows
* Added Ada Bindings for wolfSSL
* Added a PEM example that converts to and from DER/PEM.
* Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
* Added support for the AES EAX mode of operation
* Port for use with Hitch (https://github.com/varnish/hitch) added
* Add XTS API's to handle multiple sectors in new port ot VeraCrypt
## Enhancements and Optimizations
* Turned on SNI by default on hosts with resources
* Improved support for Silicon Labs Simplicity Studio and the ERF32 Gecko SDK
* Thumb-2 and ARM32 Curve25519 and Ed25519 assembly have significantly improved performance.
* Thumb-2 AES assembly code added.
* Thumb-2 and ARM32 SP implementations of RSA, DH and ECC have significantly improved performance.
* Minor performance improvements to SP ECC for Intel x64.
* AES-XTS assembly code added for Intel x64, Aarch64 and ARM32.
* Added support for X963 KDFs to ECIES.
* Added 32-bit type only implementation of AES GMULT using tables.
* Add support for nginx version 1.25.0
* Add support for Kerberos version 5 1.21.1
* Check all CRL entries in case a single issuer has multiple CRL's loaded
* CRL verify the entire chain including loaded CA's
* Added example for building wolfSSL as an Apple universal binary framework using configure
* Sniffer tool now supports decrypting TLS sessions using secrets obtained from a SSLKEYLOGFILE
* Updates made for EBSNET port
* Update "--enable-jni" to include additional defines for expanded JNI support. Also includes JCE and JSSE builds under the single enable option now.
## Fixes
* Fixed error handling when decrypted pre-master secret is too long when using static RSA.
* Added a fix for keymod use with i.MX RT1170 CAAM blobs
* Added a fix for AES-GCM use with Petalinux Xilinx
* Fixed `wc_SignatureGenerate_ex` to not call verify twice
* Fixed wolfCrypt FIPS DLL on Win32
* Fixed TFM math library big-endian reading implementation when a zero length buffer is passed in.
* Fixed NO_CERT configurations to build correctly.
* Fixed ARM AES-GCM streaming assembly when –enable-opensslextra defined.
* Added modulus checks to heap math implementation of mp_exptmod().
* Fixed Windows assembly code to handle that certain XMM registers are non-volatile.
* Aarch64 SP ECC implementation of sp_256_mont_dbl_4 has the register list for the assembly code fixed to include all used registers.
* mp_sqrt_mod_prime fixed to limit the number of iterations of a loop to handle malicious non-prime values being passed in.
* Ignore session ID's shorter than 32 bytes instead of erroring out
# wolfSSL Release 5.6.3 (Jun 16, 2023)
Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:
* Fix for setting the atomic macro options introduced in release 5.6.2. This issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch of the generated macros defined in options.h file and the macros used when the wolfSSL library is compiled. In version 5.6.2 this mismatch could result in unstable runtime behavior.
* Fix for invalid suffix error with Windows build using the macro GCM_TABLE_4BIT.
* Improvements to Encrypted Memory support (WC_PROTECT_ENCRYPTED_MEM) implementations for modular exponentiation in SP math-all (sp_int.c) and TFM (tfm.c).
* Improvements to SendAlert for getting output buffer.
# wolfSSL Release 5.6.2 (Jun 09, 2023)
Release 5.6.2 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
Release 5.6.2 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [Low] In cases where a malicious agent could analyze cache timing at a very detailed level, information about the AES key used could be leaked during T/S Box lookups. One such case was shown on RISC-V hardware using the MicroWalk tool (https://github.com/microwalk-project/Microwalk). A hardened version of T/S Box lookups was added in wolfSSL to help mitigate this potential attack and is now on by default with RISC-V builds and can be enabled on other builds if desired by compiling wolfSSL with the macro WOLFSSL_AES_TOUCH_LINES. Thanks to Jan Wichelmann, Christopher Peredy, Florian Sieck, Anna Pätschke, Thomas Eisenbarth (University of Lübeck): MAMBO-V: Dynamic Side-Channel Leakage Analysis on RISC-V. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6309
* [High] In previous versions of wolfSSL if a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing surreptitious access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. We recommend that TLS 1.3 client side users update the version of wolfSSL used. Thanks to Johannes from Sectra Communications and Linköping University for the report. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6412
## New Feature Additions
### New Ports and Expansions
* Add support for STM32H5
* Add support for Renesas TSIP v1.17
* Add Renesas SCE RSA crypto-only support
* STARCORE DSP port and example builds added
* Add the function wc_PKCS7_SetDefaultSignedAttribs for setting PKCS7 signed attributes to use with PKCS7 bundle creation
* NXP IMX6Q CAAM port with QNX and performance optimizations for AES-CTR
### New Build Options
* ASN.1 print utility to decode ASN.1 syntax and print out human readable text --enable-asn-print. Utility app is located in the directory ./examples/asn1/
* Add introspection for math build, wc_GetMathInfo() to get information about the math library compiled into the linked wolfSSL library
* Implement TLS recommendations from RFC 9325 for hardening TLS/DTLS security. Enabled with the autoconf flag --enable-harden-tls.
* Add option to support disabling thread local storage, --disable-threadlocal
* Added wc_DsaSign_ex() and wc_DsaVerify_ex() for handling alternative digest algorithms with DSA Sign/Verify
* Implement atomic operations interface. Macros auto-detect if atomic operations are expected to be available, can be turned off with the macro WOLFSSL_NO_ATOMICS
* Added support for DTLS 1.3 Authentication and Integrity-Only Cipher Suites
* Expand crypto callback to have a device ID find callback function with wc_CryptoCb_SetDeviceFindCb. Enabled with the macro WOLF_CRYPTO_CB_FIND
## Enhancements and Optimizations
### Optimizations
* Increased performance with ChaCha20 C implementation and general XOR operations
* Added integer type to the ASN.1 sequencing with ASN.1 Integer sequence
* With wolfSSL_get_x509_next_altname reset alt name list to head once cycled through if compiling with the macro WOLFSSL_MULTICIRCULATE_ALTNAMELIST
* Additional key validity sanity checks on input to wolfSSL_EC_KEY_set_private_key
* adds support for TLSv1.3 stateful session tickets when using SSL_OP_NO_TICKET
### Memory Optimizations
* Improvements to stack usage and management with SP int math library
* Optimization to TLS 1.3 server to remove caching messages for Ed25519/Ed448
* Added a HAVE_CURL macro build for building a subset of the wolfSSL library when linking with cURL
* Memory usage improvement with reducing the size of alignment needed with AES
* Reduce run time memory used with ECC operations and ALT_ECC_SIZE
* Fixes and improvements for building edge cases such as crypto callback without hash-drbg with low footprint options
* Support HAVE_SESSION_TICKET build option without depending on realloc
### Documentation
* Instructions for GPDMA on STM32 configuration added
* Add in instructions for compiling with zephyr on STM32
* Documentation fixup for wolfSSL_get_chain_cert()
* Fix the file pointed to in the TI RTOS documentation that we maintain
* Documentation for wolfSSL_CertManagerFreeCRL
* Updates made to AES and Chacha documentation
* Update Japanese comments for Ed25519, AES, and other miscellaneous items
### Tests
* Add in an option for easily testing malloc failures when building with WOLFSSL_MEM_FAIL_COUNT macro
* Updated in process for using Expect vs Assert to facilitate more malloc failure tests
* Enhance wolfCrypt test for builds that do not have ECC SECP curves enabled
* ESP32 platform-specific VisualGDB test & benchmark projects
* Update to dependencies in docker container file used for tests
* Fix up for base 10 output with bundled benchmark application
### Port Updates
* Zephyr port update, compile time warning fixes, misc. fixes when used with TLS and update of includes
* Update RIOT-OS to not compile out use of writev by default
* Update Micrium port to enable use of STM32_RNG
* Micrium updates for XMEMOVE and XSTRTOK use
* Various Espressif HW crypto, SHA2, AES, MP updates
* Added in ASIO build option with CMake builds
### General Enhancements
* Global codebase cleanup for C89 compliance and wolfCrypt -Wconversion hygiene
* PKCS#11 enhancement adding a callback for RSA key size when using a hardware key, by default 2048 bit key is used
* Allow for unknown OIDs in extensions in wolfSSL_X509_set_ext()
* Allow user to override XSTAT by defining the macro XSTAT when compiling
* Support UPN and SID with x509 certificate extensions and custom OID build
* Write next IV in wolfSSL_DES_ede3_cbc_encrypt for better handling of inline encryption
* Adding NO_ASN_TIME_CHECK build option for compiling out certificate before/after checks
* Improve different peer recvfrom handling and error reporting with ipv4 vs ipv6
## Fixes
* Fix for STM32 ECC sign and verify out of bounds buffer write when the hash length passed in is larger than the key size. Thanks to Maximilian for the report.
* Fix to skip Async_DevCtxInit when using init rsa/ecc label/id api's
* Revert WOLFSSL_NO_ASN_STRICT macro guard around alternate names directory list
* In async mode, don't retry decrypting if a valid error is encountered on a packet parse attempt
* Add additional sanity check on PKCS7 index value in wc_PKCS7_DecryptKekri
* Fix for padding when using an AuthEnvelope PKCS7 type with GCM/CCM stream ciphers
* Fix siphash assembly so that no register is left behind
* Fix to not send a TLS 1.3 session ID resume response when resuming and downgrading to a protocol less than TLS 1.3
* Fix overwriting serialNumber by favouriteDrink when generating a certificate using Cert struct
* Fix for the default realloc used with EspressIf builds
* Track SetDigest usage to avoid invalid free under error conditions
* DTLS v1.3 fix for epoch 0 check on plaintext message
* Fix for session ticket memory leak in wolfSSL_Cleanup
* Fixes for propagating SendAlert errors when the peer disconnects
* Replace XMEMCPY with XMEMMOVE to fix valgrind-3.15.0 reports "Source and destination overlap in memcpy" when using --enable-aesgcm-stream
* Fix for potential out-of-bounds write edge case in fp_mod_2d with --enable-fastmath math library
* Fix getting ECC key size in stm32_ecc_sign_hash_ex
* Fix for case where wc_PeekErrorNodeLineData was not unlocking error queue on error
* Fix for async ECC shared secret state
* Fix for better error checking with sp_gcd with SP int math library
* Fix memory leak in TLSX_KeyShare_Setup when handling an error case
* Fix for double free edge case in InitOCSPRequest when handling a memory allocation failure
* X509 NAME Entry fix for leaking memory on error case
* Fix wolfssl_asn1_time_to_tm setting unexpected fields in tm struct
* Fix for FIPS ECC integrity check with crypto callback set
* BN_to_ASN1_INTEGER fix for handling leading zero byte padding when needed
* Fix a typo in PP macro and add a ceiling to guard against implementation bugs
* DTLS 1.3 fix for using the correct label when deriving the resumption key
* OCSP fix for GetDateInfo edge case with non ASN template builds
* Allow a user set certificate callback function to override the skipAddCA flag when parsing a certificate
* SP int: sp_radix_size when radix 10 fix temp size for handling edge case
* Fixes and improvements for handling failures with memory allocations
* Fix for DecodeECC_DSA_Sig to handle r and s being initialized
* Fix for wc_ecc_is_point to ensure that the x and y are in range [0, p-1] and z is one (affine ordinates)
### Build Fixes
* Fix for building on Windows with CMake and using USER_SETTINGS and fix for options.h creation with CMake when using USER_SETTINGS
* CMake fixes and improvements for use with mingw32
* Fix for building with wpas and x509 small options
* Check if colrm is available for options.h creation when using autoconf
* Clean up NO_BIG_INT build, removing WOLFSSL_SP_MATH macro and heapmath compile
* Fix PKCS#7 build with NO_PKCS7_STREAM
* Fix compilation error in CC-RX and remove unnecessary public key import
* SP Build fixes for ARM assembly with ARMv6 clz and ARM thumb debug build
* For to not advertise support for RSA in TLS extensions when compiled with NO_RSA
# wolfSSL Release 5.6.0 (Mar 24, 2023)
Release 5.6.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
* This release makes ASN Template the default with ./configure, the previous ASN parsing can be built with --enable-asn=original
Release 5.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
## New Feature Additions
* ASN template is now the default ASN parsing implementation when compiling with configure
* Added in support for TLS v1.3 Encrypted Client Hello (ECH) and HPKE (Hybrid Public Key Encryption)
* DTLS 1.3 stateless server ClientHello parsing support added
### Ports
* Add RX64/RX71 SHA hardware support
* Port to RT1170 and expand NXP CAAM driver support
* Add NuttX integration files for ease of use
* Updated Stunnel support for version 5.67
Compatibility Layer
* Add in support for AES-CCM with EVP
* BN compatibility API refactoring and separate API created
* Expanding public key type cipher suite list strings support
### Misc.
* Support pthread_rwlock and add enable option
* Add wolfSSL_CertManagerLoadCABuffer_ex() that takes a user certificate chain flag and additional verify flag options
* Docker build additions for wolfSSL library and wolfCLU application
* Add favorite drink pilot attribute type to get it from the encoding
* Added in support for indefinite length BER parsing with PKCS12
* Add dynamic session cache which allocates sessions from the heap with macro SESSION_CACHE_DYNAMIC_MEM
## Improvements / Optimizations
### Tests
* Additional CI (continuous integration) testing and leveraging of GitHub workflows
* Add CI testing for wpa_supplicant, OpenWrt and OpenVPN using GitHub workflows
* Add compilation of Espressif to GitHub workflows tests
* Refactoring and improving error results with wolfCrypt unit test application
* Minor warning fixes from Coverity static analysis scan
* Add new SHA-512/224 and SHA-512/256 tests
* Used codespell and fixed some minor typos
### Ports
* Improve TLS1.2 client authentication to use TSIP
* Updated Kyber macro to be WOLFSSL_HAVE_KYBER and made changes that make Kyber work on STM32
* AES-GCM Windows assembly additions
* CRLF line endings, trailing spaces for C# Wrapper Projects
Compatibility Layer
* Update `PubKey` and `Key` PEM-to-DER APIs to support return of needed DER size
* Allow reading ENC EC PRIVATE KEY as well via wolfSSL_PEM_read_bio_ECPrivateKey
* Improve wolfSSL_EC_POINT_cmp to handle Jacobian ordinates
* Fix issue with BIO_reset() and add BIO_FLAGS_MEM_RDONLY flag support for read only BIOs
### SP
* In SP math library rework mod 3 and use count leading zero instruction
* Fix with SP ECC sign to reject the random k generated when r is 0
* With SP math add better detection of when add won't work and double is needed with point_add_qz1 internal function
* With SP int fail when buffer writing to is too small for number rather than discarding the extra values
### Builds
* Define WOLFSSL_SP_SMALL_STACK if wolfSSL is build with --enable-smallstack
* Fix CMake to exclude libm when DH is not enabled
* Allow building of SAKKE as external non-FIPS algorithm with wolfmikey product
* Add option to add library suffix, --with-libsuffix
* ASN template compile option WOLFSSL_ASN_INT_LEAD_0_ANY to allow leading zeros
* Add user_settings.h template for wolfTPM to examples/configs/user_settings_wolftpm.h
* Purge the AES variant of Dilithium
* Expand WOLFSSL_NO_ASN_STRICT to allow parsing of explicit ECC public key
* Remove relocatable text in ARMv7a AES assembly for use with FIPS builds
* Expand checking for hardware that supports ARMv7a neon with autotools configure
* Sanity check on allocation fails with DSA and FP_ECC build when zeroizing internal buffer
* Additional TLS alerts sent when compiling with WOLFSSL_EXTRA_ALERTS macro defined
### Benchmarking
* Update wolfCrypt benchmark Windows build files to support x64 Platform
* Add SHA512/224 and SHA512/256 benchmarks, fixed CVS macro and display sizes
* Separate AES-GCM streaming runs when benchmarked
* No longer call external implementation of Kyber from benchmark
* Fix for benchmarking shake with custom block size
* Fixes for benchmark help `-alg` list and block format
Documentation/Examples
* Document use of wc_AesFree() and update documentation of Ed25519 with Doxygen
* Move the wolfSSL Configuration section higher in QUIC.md
* Add Japanese Doxygen documentation for cmac.h, quic.h and remove incomplete Japanese doxygen in asn_public.h
* Espressif examples run with local wolfSSL now with no additional setup needed
* Added a fix for StartTLS use In the example client
* Add a base-line user_settings.h for use with FIPS 140-3 in XCode example app
### Optimizations
* AES-NI usage added for AES modes ECB/CTR/XTS
### Misc
* Update AES-GCM stream decryption to allow long IVs
* Internal refactor to use wolfSSL_Ref functions when incrementing or decrementing the structures reference count and fixes for static analysis reports
* Cleanup function logging making adjustments to the debug log print outs
* Remove realloc dependency in DtlsMsgCombineFragBuckets function
* Refactor to use WOLFSSL_CTX’s cipher suite list when possible
* Update internal padding of 0’s with DSA sign and additional tests with mp_to_unsigned_bin_len function
* With DTLS SRTP use wolfSSL_export_keying_material instead of wc_PRF_TLS
* Updated macro naming from HAVE_KYBER to be WOLFSSL_HAVE_KYBER
* Update AES XTS encrypt to handle in-place encryption properly
* With TLS 1.3 add option to require only PSK with DHE
## Fixes
### Ports
* Fix for AES use with CAAM on imx8qxp with SECO builds
* Fix for PIC32 crypto HW and unused `TLSX_SetResponse`
* Fix warning if ltime is unsigned seen with QNX build
* Updates and fix for Zephyr project support
* Include sys/time.h for WOLFSSL_RIOT_OS
* Move X509_V errors from enums to defines for use with HAProxy CLI
* Fix IAR compiler warnings resolved
* Fix for STM32 Hash peripherals (like on F437) with FIFO depth = 1
* ESP32 fix for SHA384 init with hardware acceleration
### Builds
* Add WOLFSSL_IP_ALT_NAME macro define to --enable-curl
* Fixes for building with C++17 and avoiding clashing with byte naming
* Fixes SP math all build issue with small-stack and no hardening
* Fix for building with ASN template with `NO_ASN_TIME` defined
* Fix building FIPSv2 with WOLFSSL_ECDSA_SET_K defined
* Don't allow aesgcm-stream option with kcapi
* Fix DTLS test case for when able to read peers close notify alert on FreeBSD systems
* Fix for "expression must have a constant value" in tls13.c with Green Hills compiler
* Fixes for building KCAPI with opensslextra enabled
* Fix warnings of shadows min and subscript with i486-netbsd-gcc compiler
* Fix issue with async and `WOLFSSL_CHECK_ALERT_ON_ERR`
* Fix for PKCS7 with asynchronous crypto enabled
### Math Library
* SP Aarch64 fix for conditional changed in asm needing "cc" and fix for ECC P256 mont reduce
* In SP builds add sanity check with DH exp. to check the output length for minimum size
* In SP math fix scalar length check with EC scalar multiply
* With SP int fix handling negative character properly with read radix
* Add error checks before setting variable err in SP int with the function sp_invmod_mont_ct
* Fix to add sanity check for malloc of zero size in fastmath builds
* In fastmath fix a possible overflow in fp_to_unsigned_bin_len length check
* Heapmath fast mod. reduce fix
### Compatibility Layer
* Fixes for encoding/decoding ecc public keys and ensure i2d public key functions do not include any private key information
* Fix for EVP_EncryptUpdate to update outl on empty input
* Fix SE050 RSA public key loading and RSA/ECC SE050 TLS Compatibility
* Rework EC API and validate point after setting it
* Fix for X509 RSA PSS with compatibility layer functions
* Fix size of structures used with SHA operations when built with opensslextra for Espressif hardware accelerated hashing
* Added sanity check on key length with wolfSSL_CMAC_Init function
* Fix for return value type conversion of bad mutex error in logging function
* Fix NID conflict NID_givenName and NID_md5WithRSAEncryption
* Fix unguarded XFPRINTF calls with opensslextra build
* Fix wolfSSL_ASN1_INTEGER_to_BN for negative values
* Fix for potential ASN1_STRING leak in wolfSSL_X509_NAME_ENTRY_create_by_txt and wolfSSL_X509_NAME_ENTRY_create_by_NID when memory allocation fails
### Misc.
* Add sanity check to prevent an out of bounds read with OCSP response decoding
* Sanity check to not allow 0 length with bit string and integer when parsing ASN1 syntax
* Adjust RNG sanity checks and remove error prone first byte comparison
* With PKCS7 add a fix for GetAsnTimeString() to correctly increment internal data pointer
* PKCS7 addition of sequence around algo parameters with authenvelop
* DSA fixes for clearing mp_int before re-reading data and avoid mp_clear without first calling mp_init
* Fix for SRTP setting bitfield when it is encoded for the TLS extension
* Fix for handling small http headers when doing CRL verification
* Fix for ECCSI hash function to validate the output size and curve size
* Fix for value of givenName and name being reversed with CSR generation
* Fix for error type returned (OCSP_CERT_UNKNOWN) with OCSP verification
* Fix for a potential memory leak with ProcessCSR when handling OCSP responses
* Fix for VERIFY_SKIP_DATE flag not ignoring date errors when set
* Fix for zlib decompression buffer issue with PKCS7
* Fix for DTLS message pool send size used and DTLS server saving of the handshake sequence
* Fix to propagate WOLFSSL_TICKET_RET_CREATE error return value from DoDecryptTicket()
* Fix for handling long session IDs with TLS 1.3 session tickets
* Fix for AES-GCM streaming when caching an IV
* Fix for test case with older selftest that returns bad padding instead of salt len error
* Add fix for siphash cache and added in additional tests
* Fix potential out of bounds memset to 0 in error case with session export function used with --enable-sessionexport builds
* Fix possible NULL dereference in TLSX_CSR_Parse with TLS 1.3
* Fix for sanity check on RSA pad length with no padding using the build macro WC_RSA_NO_PADDING
# wolfSSL Release 5.5.4 (Dec 21, 2022)
Release 5.5.4 of wolfSSL embedded TLS has bug fixes and new features including:
## New Feature Additions
* QUIC related changes for HAProxy integration and config option
* Support for Analog Devices MAXQ1080 and MAXQ1065
* Testing and build of wolfSSL with NuttX
* New software based entropy gatherer with configure option --enable-entropy-memuse
* NXP SE050 feature expansion and fixes, adding in RSA support and conditional compile of AES and CMAC
* Support for multi-threaded sniffer
## Improvements / Optimizations
### Benchmark and Tests
* Add alternate test case for unsupported static memory API when testing mutex allocations
* Additional unit test cases added for AES CCM 256-bit
* Initialize and free AES object with benchmarking AES-OFB
* Kyber with DTLS 1.3 tests added
* Tidy up Espressif ESP32 test and benchmark examples
* Rework to be able to run API tests individually and add display of time taken per test
### Build and Port Improvements
* Add check for 64-bit ABI on MIPS64 before declaring a 64-bit CPU
* Add support to detect SIZEOF_LONG in armclang and diab
* Added in a simple example working on Rx72n
* Update azsphere support to prevent compilation of file included inline
* --enable-brainpool configure option added and default to on when custom curves are also on
* Add RSA PSS salt defines to engine builds if not FIPS v2
### Post Quantum
* Remove kyber-90s and route all Kyber through wolfcrypt
* Purge older version of NTRU and SABER from wolfSSL
### SP Math
* Support static memory build with sp-math
* SP C, SP int: improve performance
* SP int: support mingw64 again
* SP int: enhancements to guess 64-bit type and check on NO_64BIT macro set before using long long
* SP int: check size required when using sp_int on stack
* SP: --enable-sp-asm now enables SP by default if not set
* SP: support aarch64 big endian
### DTLS
* Allow DTLS 1.3 to compile when FIPS is enabled
* Allow for stateless DTLS client hello parsing
### Misc.
* Easier detection of DRBG health when using Intel’s RDRAND by updating the structures status value
* Detection of duplicate known extensions with TLS
* PKCS#11 handle a user PIN that is a NULL_PTR, compile time check in finding keys, add initialization API
* Update max Cert Policy size based on RFC 5280
* Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
* Improve logic for enabling system CA certs on Apple devices
* Stub functions to allow for cpuid public functions with non-intel builds
* Increase RNG_SECURITY_STRENGTH for FIPS
* Improvements in OpenSSL Compat ERR Queue handling
* Support ASN1/DER CRLs in LoadCertByIssuer
* Expose more ECC math functions and improve async shared secret
* Improvement for sniffer error messages
* Warning added that renegotiation in TLS 1.3 requires session ticket
* Adjustment for TLS 1.3 post auth support
* Rework DH API and improve PEM read/write
## Fixes
### Build Fixes
* Fix --enable-devcrypto build error for sys without u_int8_t type
* Fix casts in evp.c and build issue in ParseCRL
* Fixes for compatibility layer building with heap hint and OSSL callbacks
* fix compile error due to Werro=undef on gcc-4.8
* Fix mingw-w64 build issues on windows
* Xcode project fixes for different build settings
* Initialize variable causing failures with gcc-11 and gcc-12 with a unique wolfSSL build configuration
* Prevent WOLFSSL_NO_MALLOC from breaking RSA certificate verification
* Fixes for various tests that do not properly handle `WC_PENDING_E` with async. builds
* Fix for misc `HashObject` to be excluded for `WOLFCRYPT_ONLY`
### OCSP Fixes
* Correctly save next status with OCSP response verify
* When the OCSP responder returns an unknown exception, continue through to checking the CRL
### Math Fixes
* Fix for implicit conversion with 32-bit in SP math
* Fix for error checks when modulus is even with SP int build
* Fix for checking of err in _sp_exptmod_nct with SP int build
* ECC cofactor fix when checking scalar bits
* ARM32 ASM: don't use ldrd on user data
* SP int, fix when ECC specific size code included
### Port Fixes
* Fixes for STM32 PKA ECC (not 256-bit) and improvements for AES-GCM
* Fix for cryptocell signature verification with ECC
* Benchmark devid changes, CCM with SECO fix, set IV on AES import into SECO
### Compat. Layer Fixes
* Fix for handling DEFAULT:... cipher suite list
* Fix memory leak in wolfSSL_X509_NAME_ENTRY_get_object
* Set alt name type to V_ASN1_IA5STRING
* Update name hash functions wolfSSL_X509_subject_name_hash and wolfSSL_X509_issuer_name_hash to hash the canonical form of subject
* Fix wolfSSL_set_SSL_CTX() to be usable during handshake
* Fix X509_get1_ocsp to set num of elements in stack
* X509v3 EXT d2i: fix freeing of aia
* Fix to remove recreation of certificate with wolfSSL_PEM_write_bio_X509()
* Link newly created x509 store's certificate manager to self by default to assist with CRL verification
* Fix for compatibility `EC_KEY_new_by_curve_name` to not create a key if the curve is not found
### Misc.
* Free potential signer malloc in a fail case
* fix other name san parsing and add RID cert to test parsing
* WOLFSSL_OP_NO_TICKET fix for TLSv1.2
* fix ASN template parsing of X509 subject directory attribute
* Fix the wrong IV size with the cipher suite TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
* Fix incorrect self signed error return when compiled with certreq and certgen.
* Fix wrong function name in debug comment with wolfSSL_X509_get_name_oneline()
* Fix for decryption after second handshake with async sniffer
* Allow session tickets to properly resume when using PQ KEMs
* Add sanity overflow check to DecodeAltNames input buffer access
# wolfSSL Release 5.5.3 (Nov 2, 2022)
Release 5.5.3 of wolfSSL embedded TLS has the following bug fix:
## Fixes
* Fix for possible buffer zeroization overrun introduced at the end of v5.5.2 release cycle in GitHub pull request 5743 (https://github.com/wolfSSL/wolfssl/pull/5743) and fixed in pull request 5757 (https://github.com/wolfSSL/wolfssl/pull/5757). In the case where a specific memory allocation failed or a hardware fault happened there was the potential for an overrun of 0’s when masking the buffer used for (D)TLS 1.2 and lower operations. (D)TLS 1.3 only and crypto only users are not affected by the issue. This is not related in any way to recent issues reported in OpenSSL.
# wolfSSL Release 5.5.2 (Oct 28, 2022)
Release 5.5.2 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [Med] In the case that the WOLFSSL_CALLBACKS macro is set when building wolfSSL, there is a potential heap over read of 5 bytes when handling TLS 1.3 client connections. This heap over read is limited to wolfSSL builds explicitly setting the macro WOLFSSL_CALLBACKS, the feature does not get turned on by any other build options. The macro WOLFSSL_CALLBACKS is intended for debug use only, but if having it enabled in production, users are recommended to disable WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to update their version of wolfSSL. Thanks to Lucca Hirschi and Steve Kremer from LORIA, Inria and Max Ammann from Trail of Bits for finding and reporting the bug with the tlspuffin tool developed partly at LORIA and Trail of Bits. CVE 2022-42905
Release 5.5.2 of wolfSSL embedded TLS has bug fixes and new features including:
## New Feature Additions
* Add function wolfSSL_CTX_load_system_CA_certs to load system CA certs into a WOLFSSL_CTX and --sys-ca-certs option to example client
* Add wolfSSL_set1_host to OpenSSL compatible API
* Added the function sk_X509_shift
* AES x86 ASM for AES-CBC and GCM performance enhancements
* Add assembly for AES for ARM32 without using crypto hardware instructions
* Xilinx Versal port and hardware acceleration tie in
* SP Cortex-M support for ICCARM
## Enhancements
* Add snifftest vcxproj file and documentation
* Nucleus Thread Types supported
* Handle certificates with RSA-PSS signature that have RSAk public keys
* Small stack build improvements
* DTLS 1.3 improvements for Alerts and unit tests
* Add a binary search for CRL
* Improvement of SSL/CTX_set_max_early_data() for client side
* Remove unused ASN1_GENERALIZEDTIME enum value from wolfssl/ssl.h
* Add user_settings.h for Intel/M1 FIPSv2 macOS C++ projects
* Add dtlscid.test to ‘make check’ unit testing
* Generate an assembler-safe user_settings.h in configure.ac and CMakeLists.txt
* ForceZero enabled with USE_FAST_MATH
* Add TLS 1.3 support of ticketNonce sizes bigger than MAX_TICKET_NONCE_SZ
* FIPSv2 builds on win10 adjust for new fastmath default in settings.h
* Add IRQ install for Aruix example
## Fixes
* When looking up the session by ID on the server, check that the protocol version of the SSL and session match on TLS 1.3 or not
* Fix for potential EVP_PKEY_DH memory leak with OPENSSL_EXTRA
* Curve448 32-bit C code: handle corner case
* Fixup builds using WOLFSSL_LOG_PRINTF
* Correct DIST_POINT_NAME type value
* Do not perform IV Wrap test when using cert3389 inlined armasm
* Fix for Linux kernel module and stdio.h
* (D)TLS: send alert on version mismatch
* Fix PKCS#7 SignedData verification when signer cert is not first in SET
* Fix bug with wolfIO_TcpConnect not working with timeout on Windows
* Fix output length bug in SP non-blocking ECC shared secret gen
* Fix build with enable-fastmath and disable-rsa
* Correct wolfSSL_sk_X509_new in OpenSSL compatible API
* Fixes for SP and x86_64 with MSVC
* Fix wrong size using DTLSv1.3 in RestartHandshakeHashWithCookie
* Fix redundant file include with TI RTOS build
* Fix wolfCrypt only build with wincrypt.h
* DTLS 1.2: Reset state when sending HelloVerifyRequest
# wolfSSL Release 5.5.1 (Sep 28, 2022)
Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. Thanks to Max at Trail of Bits for the report, found by Lucca Hirschi from LORIA, Inria, France with the tlspuffin tool developed partly at LORIA and Trail of Bits. CVE-2022-39173
## New Feature Additions
* Add support for non-blocking ECC key gen and shared secret gen for P-256/384/521
* Add support for non-blocking ECDHE/ECDSA in TLS/DTLS layer.
* Port to NXP RT685 with FreeRTOS
* Add option to build post quantum Kyber API (--enable-kyber)
* Add post quantum algorithm sphincs to wolfCrypt
* Config. option to force no asm with SP build (--enable-sp=noasm)
* Allow post quantum keyshare for DTLS 1.3
## Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve `wc_SetCustomExtension` documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
* Clean up some FIPS versioning logic in configure.ac and WIN10 user_settings.h
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fallback to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* SP int: default to 16 bit word size when NO_64BIT defined
* Limit the amount of fragments we store per a DTLS connection and error out when max limit is reached
* Detect when certificate's RSA public key size is too big and fail on loading of certificate
## Fixes
* Fix for async with OCSP non-blocking in `ProcessPeerCerts`
* Fixes for building with 32-bit and socket size sign/unsigned mismatch
* Fix Windows CMakeList compiler options
* TLS 1.3 Middle-Box compat: fix missing brace
* Configuration consistency fixes for RSA keys and way to force disable of private keys
* Fix for Aarch64 Mac M1 SP use
* Fix build errors and warnings for MSVC with DTLS 1.3
* Fix HMAC compat layer function for SHA-1
* Fix DTLS 1.3 do not negotiate ConnectionID in HelloRetryRequest
* Check return from call to wc_Time
* SP math: fix build configuration with opensslall
* Fix for async session tickets
* SP int mp_init_size fixes when SP_WORD_SIZE == 8
* Ed. function to make public key now checks for if the private key flag is set
* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
* Fix for building with PSK only
* Set correct types in wolfSSL_sk_*_new functions
* Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS
# wolfSSL Release 5.5.0 (Aug 30, 2022)
Note:
** If not free’ing FP_ECC caches per thread by calling wc_ecc_fp_free there is a possible memory leak during TLS 1.3 handshakes which use ECC. Users are urged to confirm they are free’ing FP_ECC caches per thread if enabled to avoid this issue.
Release 5.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
## Vulnerabilities
* [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users doing operations with private ECC keys such as server side TLS connections and creating ECC signatures, who also have hardware that could be targeted with a sophisticated Rowhammer attack should update the version of wolfSSL and compile using the macro WOLFSSL_CHECK_SIG_FAULTS. Thanks to Yarkin Doroz, Berk Sunar, Koksal Must, Caner Tol, and Kristi Rahman all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute for the report.
* [Low] In wolfSSL version 5.3.0 if compiled with --enable-session-ticket and the client has non-empty session cache, with TLS 1.2 there is the possibility of a man in the middle passing a large session ticket to the client and causing a crash due to an invalid free. There is also the potential for a malicious TLS 1.3 server to crash a client in a similar manner except in TLS 1.3 it is not susceptible to a man in the middle attack. Users on the client side with –enable-session-ticket compiled in and using wolfSSL version 5.3.0 should update their version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal wolfSSL_free/wolfSSL_new) it can result in runtime issues. This exists with builds using the wolfSSL compatibility layer (--enable-opnesslextra) and only when the application is making use of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS 1.3 resumption, after continuing to use the WOLFSSH object after having called wolfSSL_clear, an application could crash. It is suggested that users calling wolfSSL_clear update the version of wolfSSL used. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* Potential DoS attack on DTLS 1.2. In the case of receiving a malicious plaintext handshake message at epoch 0 the connection will enter an error state reporting a duplicate message. This affects both server and client side. Users that have DTLS enabled and in use should update their version of wolfSSL to mitigate the potential for a DoS attack.
## New Feature Additions
* QUIC support added, for using wolfSSL with QUIC implementations like ngtcp2
* SE050 port additions and fixes
* Added support for Dilithium post quantum algorithm use with TLS
* Support for RSA-PSS signed certificates
* Support for Infineon AURIX IDE
* Add Zephyr support for nRF5340 with CryptoCell-312
## Enhancements
* Expanded ABI support by 50 APIs to include wolfCrypt and Certificates making a total of 113 ABIs controlled and maintained
* DTLS 1.3 partial support for ConnectionID as described by RFC9146 and RFC9147
* Added support for X509_CRL_print function
* Remove deprecated algorithms in Renesas cs+ project
* Support more build options disable/enable with i.MX CAAM build
* wolfSSL_CTX_set_options and wolfSSL_CTX_get_options functions added to non compatibility layer builds
* TFM: change inline x86 asm code to compile with clang
* Improvements to error queue and fix for behavior of wolfSSL_ERR_get_error
* scripts/makedistsmall.sh script added for creating a small source/header only package
* TLS 1.3: restrict extension validity by message, Extensions ServerName, SupportedGroups and ALPN must not appear in server_hello
* Add liboqs integration to CMake build system
* Adds wolfSSL_PEM_read_RSAPrivateKey() to the OpenSSL compatible API
* Added support for P384 pre-share in bundled example server
* Replace clz assembly instruction in ARM 32 builds when not supported
* Integrate chacha20-poly1305 into the EVP interface
* Additional validation that extensions appear in correct messages
* Allow SAN to be critical with ASN template build
* Support wolfSSL_CTX_set1_curves_list being available when X25519 and/or X448 only defined
* Adds wolfSSL_PEM_read_RSA_PUBKEY() to the OpenSSL compatible API
* Match OpenSSL self signed error return with compatibility layer build
* Added wolfSSL_dtls_create_peer and wolfSSL_dtls_free_peer to help with Python and Go wrappers for DTLS
## Fixes
* DTLS 1.3 asynchronous use case fixes
* Fix handling of counter to support incrementing across all bytes in ARM crypto asm
* Fixes for ED25519/ED448 private key with public key export (RFC8410)
* Fix for build with NO_TLS macro
* Fix for write dup function to copy over TLS version
* Fix to handle path lengths of 0 when checking certificate CA path lengths
* Fix for CMake not installing sp_int.h for SP math all
* When WOLFSSL_VALIDATE_ECC_IMPORT is defined ECC import validates private key value is less than order
* PSA crypto fixes
* Fix for not having default pkcs7 signed attributes
* DTLS socket and timeout fixes
* SP int: exptmod ensure base is less than modulus
* Fix for AddPacketInfo with WOLFSSL_CALLBACKS to not pass encrypted TLS 1.3 handshake messages to callbacks
* Fix for sniffer to ensure the session was polled before trying to reprocess it
# wolfSSL Release 5.4.0 (July 11, 2022)
Note:
@@ -2627,7 +3318,7 @@ More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
a) If using wolfSSL for DTLS on the server side of a publicly accessible
machine you MUST update.
b) If using wolfSSL for TLS on the server side with private RSA keys allowing
ephemeral key exchange without low memory optimziations you MUST update and
ephemeral key exchange without low memory optimizations you MUST update and
regenerate the private RSA keys.
Please see https://www.wolfssl.com/wolfSSL/Blog/Blog.html for more details
This is a Docker environment for compiling, testing and running WolfSSL. Use `run.sh` to build everything (Docker container, WolfSSL, etc.). This script takes in arguments that can be passed to `./configure`. For example: `run.sh --enable-all`
When the compilation and tests succeed, you will be dropped in to a shell environment within the container. This can be useful to build other things within the environment. Additional tests can be run as well as debugging of code.
# Docker Hub
These images are also uploaded to the wolfSSL's [Docker Hub page](https://hub.docker.com/orgs/wolfssl/repositories). There is a convenience script here `buildAndPush.sh` that will create the appropriate containers and push them to the repo.
# FAQ
## permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
You need to be added to the `docker` group to run Docker containers. Run `sudo usermod -aG docker $USER`. You may need to restart the Docker daemon.
## Unable to access symlinked files outside of WolfSSL
The volume mounted in the Docker container needs to have all files that your compilation will need. To solve this, you have a couple options:
1. Change the `WOLFSSL_DIR` variable in the `run.sh` to one higher up (by adding `/..` to the path). Then update the `docker build` to include the correct path to the Dockerfile and the `docker run` argument to the working directory (`-w`) to the WolfSSL source directory
2. Move the external repository to within the WolfSSL directory. For example create an `external` folder which has your files. This route may have complications when stashing Git work.
@@ -40,7 +40,7 @@ The folder hierarchy is the same as the wolfSSL folders with an exception of the
4. Right click on each folders, add or link all the source code in the corresponding folder in wolfSSL.
5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm, aes_gcm_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
6. In your C/C++ compiler preprocessor settings, add the wolfSSL directories to your include paths.
Here's an example of the paths that must be added.
@@ -6,6 +6,7 @@ and have not yet been upgraded to the master branch V5.
See the latest [migration guides](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/migration-guides/index.html).
## Overview
ESP-IDF development framework with wolfSSL by setting *WOLFSSL_ESPIDF* definition
Including the following examples:
@@ -17,29 +18,57 @@ Including the following examples:
The *user_settings.h* file enables some of the hardened settings.
## Requirements
1. [ESP-IDF development framework](https://docs.espressif.com/projects/esp-idf/en/latest/get-started/)
## Setup for Linux
1. Run `setup.sh` at _/path/to_`/wolfssl/IDE/Espressif/ESP-IDF/` to deploy files into ESP-IDF tree
2. Find Wolfssl files at _/path/to/esp_`/esp-idf/components/wolfssl/`
3. Find [Example programs](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples) under _/path/to/esp_`/esp-idf/examples/protocols/wolfssl_xxx` (where xxx is the project name)
3. Find [Example Programs](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples) under _/path/to/esp_`/esp-idf/examples/protocols/wolfssl_xxx` (where xxx is the project name)
## Setup for Windows
1. Run ESP-IDF Command Prompt (cmd.exe) or Run ESP-IDF PowerShell Environment
2. Run `setup_win.bat` at `.\IDE\Espressif\ESP-IDF\`
3. Find Wolfssl files at _/path/to/esp_`/esp-idf/components/wolfssl/`
4. Find [Example programs](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples) under _/path/to/esp_`/esp-idf/examples/protocols/wolfssl_xxx` (where xxx is the project name)
@@ -14,3 +14,177 @@ When you want to run the benchmark program
2.`idf.py monitor` to see the message
See the README.md file in the upper level 'examples' directory for more information about examples.
## Performance
Reminder than when building on WSL in `/mnt/c` there will be a noticeable performance degradation at compile time. Using `~/` will be faster at the cost of shared filesystems.
Example build on WSL:
```
Optionally install wolfSSL component
# cd /mnt/c/workspace/wolfssl/IDE/Espressif/ESP-IDF
./setup.sh
cd /mnt/c/workspace/wolfssl/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark
# Pick ESP-IDF install directory, this one for v4.4.2 in VisualGDB
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
