Fix for DES3 on STM32 CUBEMX#1
Closed
NickolasLapp wants to merge 3 commits into
Closed
Conversation
… for RNG, AES, SHA1, DES3 and MD5. Adds new WOLFSSL_STM32_CUBEMX and WOLFSSL_STM32F4 defines. Tested on STM32F437II.
…AesDecrypt with STM32.
dgarske
pushed a commit
that referenced
this pull request
Jun 29, 2017
Reset list of supported sig algorithms before sending certificate request on server. Refactored setting of ticket for both TLS13 and earlier. Remember the type of key for deciding which sig alg to use with TLS13 CertificateVerify. RSA PKCS #1.5 not allowed in TLS13 for CertificateVerify. Remove all remaining DTLS code as spec barely started. Turn off SHA512 code where decision based on cipher suite hash. Fix fragment handling to work with encrypted messages. Test public APIS.
dgarske
pushed a commit
that referenced
this pull request
Jul 15, 2019
Do version negotiation first. Look for, parse and negotiate with SupportedVersions extension upfront. Only need to handle TLS 1.3 ClientHello after this. Any version greater than TLS 1.2 in Legacy Version field is translated to TLS 1.2. Fix preMasterSz to when not using PreSharedKey. Not finsing KeyShare in ClientHello sends a missing_extension alert. Decoding signature algorithms in new TLS 1.3 range now returns error when not recognized. Don't allow RSA PKCS #1.5 signatures to be verified. Fix accept when downgraded from TLS 1.3 to go to wolfSSL_accept. Fix server state when sending ChangeCipherSpec for MiddleBox compatability. Send a new session ticket even when resuming.
dgarske
pushed a commit
that referenced
this pull request
Apr 14, 2020
RSA PKCS #1.5 padding for signing is not reliant on a random.
rizlik
added a commit
that referenced
this pull request
Jan 19, 2022
otherwise if profile_str_len is > strlen(gSrtpProfiles[i].name) we end up
comparing memory past gSrtpProfiles[i].name. -fsanitize=address catches this:
```
==100159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f40d8d533b2 at pc 0x7f40d8eb014f bp 0x7f40d50fe240 sp 0x7f40d50fd9e8
READ of size 21 at 0x7f40d8d533b2 thread T107
#0 0x7f40d8eb014e in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f40d8eb06e6 in __interceptor_memcmp /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f40d8eb06e6 in __interceptor_memcmp /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x7f40d8c2e830 in DtlsSrtpFindProfile src/ssl.c:1310
#4 0x7f40d8c2e9ed in DtlsSrtpSelProfiles src/ssl.c:1347
#5 0x7f40d8c2eada in wolfSSL_CTX_set_tlsext_use_srtp src/ssl.c:1359
#6 0x563bf381b4c5 in server_test examples/server/server.c:2278
#7 0x7f40d88f0258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
wolfSSL#8 0x7f40d88195e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
```
dgarske
pushed a commit
that referenced
this pull request
Jun 5, 2026
1. BasicConstraints pathLenConstraint absent vs. 0 — get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0 per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag. 2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value normalization so the directory name is actually printed (was emitting only DirName:). 3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI cases, avoiding NULL-strData deref and NUL-truncation. 4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL. 5. X509_print Extended Key Usage — print Any Extended Key Usage (was omitted). 6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after ownership transfers to dp, so an error from the next push doesn't free it twice. 7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to the allocation; was truncating at indent==1 and failing at indent>=2. 8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check i2s_ASN1_STRING return before passing to %s. 9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY; only the ASN1_STRING*-backed types are read via gn->d.ia5. Was performing a wild-pointer XMEMCPY in add_altname_ex. Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into static helpers (behavior-preserving). Regression tests added for #1–5 and wolfSSL#9; existing GENERAL_NAME_print test hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB read that the print fix would otherwise expose).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.