ohadi100 / tls_sys_api


TLSStreamAndSocket API

Disclaimer

The sole purpose of the TLS-Library API reference implementation is to define the API and prove that the idea works. It should give the application developer a blueprint for using TLS-Library through the provided API.

This software was written as a proof of concept and is in no way intended to be used in a production environment. It may contain defects and security flaws and has not been sufficiently tested.

Do not use this implementation for production-grade products.


Documentation

The documentation is in the folder e3_security_tlsapi/doc.

It contains:


Releases and Notes

Version Release Date Branch Tag Notes
1.3.0r 07.02.24 api-1.3 v1.3.0r
  • improved cmake find_package: check whether the target sysapi_tls::sysapi_tls (alias) already exists. This had to be added manually, since this (alias) use case is not supported by default.
1.3.0q 05.02.24 api-1.3 v1.3.0q
  • replace cp with ln in build script to fix EU2K and 9SCR PRLS
1.3.0p 02.02.24 api-1.3 v1.3.0p
  • support of c++14/c++17
  • use wolfssl as independent product
  • improvements of global variable handling
  • generate cmake files for tls lib users
  • fixed build issue for DEV_1PV0
1.3.0o 08.01.24 api-1.3 v1.3.0o
  • added wolfssl build flag '--enable-altcertchains'. This is needed to allow loading intermediate Certificate Authorities (CAs) as trusted and ignoring no-signer failures for CAs up the chain to the root. See issue IMAN-157131.
  • fixed handling softfail/hardfail for legacy use case (handle as soft fail)
  • upgrade wolfssl version to 5.6.4
1.3.0n 28.11.23 api-1.3 v1.3.0n
  • fixed DEV_1PV0 build error
  • removed botan ref-impl
  • fix implementation for legacy use case
1.3.0m 22.08.23 api-1.3 v1.3.0m
  • applying SCA checks on the TLS API
  • fix local build problem
  • fix and extend OCSP failure logs
1.3.0l 12.07.23 api-1.3 v1.3.0l
  • rework of vwg::tls::initTLSLib()
  • fix cappa build errors
1.3.0k 08.06.23 api-1.3 v1.3.0k
  • add find_package cmake mechanism
  • fix cappa ICC build
  • fix products delivery configuration
  • change logging to use the syslog logging lib
1.3.0j 08.06.23 api-1.3 v1.3.0j
  • TLS will not establish a connection if the certificate does not match the provided server name
1.3.0i 04.05.23 api-1.3 v1.3.0i
  • Removed OpenSSL dependency (IMAN-135360).
  • Improved local test cases (IMAN-136255).
  • Better usage of WolfSSL constants in the reference implementation (IMAN-136361).
  • Bug fix regarding which certificates are checked for authinfo extension (IMAN-135386).
1.3.0h 30.03.23 api-1.3 v1.3.0h
  • Extension of error logs in case of wolfssl failure
  • Extension of error logs of the Revocation check and the Authentic time
  • cleanup of build scripts
1.3.0g 19.02.23 api-1.3 v1.3.0g
  • upgrade to WolfSSL 5.5.4
  • the tls shall not require authInfo extension on root cert
1.3.0f 19.01.22 api-1.3 v1.3.0f
  • build for ICC DEV_9SCR failed
  • extension for TLSCipherSuiteUseCase "CSUSDefaultWithSoftFail" with OCSP
1.3.0e 12.01.22 api-1.3 v1.3.0e
  • Extend ref impl, documentation and test suite for OCSP deletion handlingion requests
  • Decode OCSP Response failed ( pointer is Null)
  • close shall not block for robustness reasons
  • update copyright note
  • clarify GPLv2 license handling (tlsAPI-WS/test/tlsSimpleSample/src/wolfssl_cert_server.cpp)
1.3.0d 12.12.22 api-1.3 v1.3.0d
  • upgrade to wolfssl 5.5.3
1.3.0c 08.12.22 api-1.3 v1.3.0c
  • DoCache works, but reading from cache leads to verification error
  • OCSP insert and remove from cache issue
  • TLS API 1.3.0b reference implementation has a misspelled return code in TLSEngine.cpp
1.3.0b 20.10.22 api-1.3 v1.3.0b
  • Uninitialized bytes in vwg::tls::impl::InternIOStream::Connect()
  • Thread Manager need to see the native thread name.
  • fix in botan engine feed function buffer length check
1.3.0a 11.09.22 SOP_ME4_2022 1.3.0a
  • Extension of the ref-impl. for extension of the OCSP Proxy handling for persistent storage
1.2.0b 17.05.22 SOP_ME4_2022 1.2.0b
  • Merge changes from SOP_ME4_2022 1.0.0k
  • Move connectionLoggingName to Parent
1.2.0a 28.04.22 SOP_ME4_2022 1.2.0a
  • Add client information string for logging
  • Register Wolfssl trace callback to TLS-Library
  • Direct TLS-Library logs into sys-log
  • Add makefile cappa dependencies to SYSAPI_COLLECTION and FND_LOG
  • Add TLSCipherSuiteUseCasesSettings with Softfail Implementation
1.1.0k 16.05.22 SOP_ME3_2021 v1.1.0k
  • Fix Botan engines (cert + psk) feed(): remove internal buffer size constraint
  • copy *.tsv files for packaging
  • Handle Cmake error - do not ignore
1.1.0j 29.03.22 SOP_ME3_2021 v1.1.0j
  • Added Android build variant (linux_amd64_icc_sdk), for arm64-v8a, under Clang
1.1.0i 10.03.22 SOP_ME3_2021 v1.1.0i
  • Migrated to wolfssl version 5.2.0
  • A few changes made in order to switch from wolfssl version 4.8.1 to 5.2.0
1.1.0h 06.03.22 SOP_ME3_2021 v1.1.0h
  • Added TLSAPI_ENABLE_OE3_SPECIAL_CERT_HANLING for special handling for the O3
  • TrM OCSP Caching does not work due to Cache-IDs not being deterministic
1.1.0g 24.01.22 SOP_ME3_2021 v1.1.0g
  • Fixed evaluation of public key pins according to RFC 7469, Sec.2.6.
  • Fixed hash pinning tests in the components tests.
1.1.0f 25.11.21 SOP_ME3_2021 v1.1.0f
  • Updated gcc version 9.3.0.
  • Cleanup API documentation and fixed clang format.
  • Fixed CI/CD issues.
1.1.0e 23.09.21 SOP_ME3_2021 v1.1.0e
  • Fixed linkage error.
1.1.0d 13.09.21 SOP_ME3_2021 v1.1.0d
  • Added workaround to BEs scripts for CI/CD.
1.1.0c 29.08.21 SOP_ME3_2021 v1.1.0c
  • Updated to wolfssl-4.8.1.
  • Fixed hash pinning implementation due to crashing.
  • Deployment CI/CD scripts.
1.1.0b 07.07.21 SOP_ME3_2021 v1.1.0b
  • Disable the OCSP requests in case of hard fail fallback mechanism by enabling the flag ICAS3_NO_OCSP_HARD_FAIL due to ICAS3.
1.1.0a 31.05.21 SOP_ME3_2021 v1.1.0a
  • Added OCSP proxy client/server callbacks.
1.1.0RC4b 22.04.21 SOP_ME3_2021 v1.1.0RC4b
  • Updated to wolfssl-4.7.0.
  • Fixed memory leaks and valgrind warnings.
  • Added more unit tests.
1.1.0RC4a 01.03.21 SOP_ME3_2021 v1.1.0RC4a
  • Fixed the key size check in WolfSSL PSKCallback to be no bigger than keyMaxLength.
  • Removed const from "toIANAProtocolName" bool return value.
1.1.0RC3a 11.02.21 SOP_ME3_2021 v1.1.0RC3a
  • Extension of use cases for cipher suite selection.
  • Added OCSP fallback mechanism.
  • Improved Unit Test (85% coverage).
  • Improved component test.
  • Improve connection process: success depends on the Hash-Pinning check in WolfSSL.
1.1.0RC2a 09.12.20 SOP_ME3_2021 v1.1.0RC2a
  • Added authentic time check.
1.1.0RC1a 30.11.20 SOP_ME3_2021 v1.1.0RC1a
  • Added alpn support.
1.0.4i 18.11.20 SOP_ME_2020 v1.0.4i
  • Fall Back to no-mutex usage for wolfSSL_shutdown.
1.0.4h 17.11.20 SOP_ME_2020 v1.0.4h
  • Improved Unit Test.
  • Updated to WolfSSL 4.5.0.
  • TLS 1.3 support in WolfSSL cert-based engine.
  • Improved CMakefile and repository structure.
  • Fixed UserIOStream bug: return user implementation in isOpen and isClose instead of default value.
  • Removed close server after failed "doSSLHandshake"
1.0.4g 29.10.20 SOP_ME_2020 v1.0.4g
  • removed wolfSSL_CTX_set_verify - SSL_VERIFY_PEER mode is turned on by default
1.0.4f 26.10.20 SOP_ME_2020 v1.0.4f
  • wolfSSL_get_peer_chain is used instead of wolfSSL_SESSION_get_peer_chain
1.0.4e 19.10.20 SOP_ME_2020 v1.0.4e
  • Supported Elliptic Curves Extension with wolfSSL
1.0.4d 05.08.20 SOP_ME_2020 v1.0.4d
  • Fixed the stream usage by distinguishing between the user's stream implementation and the library's stream implementation
1.0.4c 27.07.20 SOP_ME_2020 v1.0.4c
  • Fixed the stream and the engines implementation to support multi-threaded systems
1.0.4b 22.06.20 SOP_ME_2020 v1.0.4b
  • Fixed creation of multiple connections with different security levels & ports in wolfSSL PSK engine
1.0.4a 26.05.20 SOP_ME_2020 v1.0.4a
  • Fixed creation of multiple connections with different security levels in wolfSSL PSK engine
  • Fixed stream closing on error issues
  • Minor naming, documentation and readability fixes
1.0.4 17.02.20 SOP_ME_2020 v1.0.4
  • CiphersuitesId is represented by string
  • New Wolfssl version in use 4.3.0
1.0.3 15.01.20 SOP_ME_2020 v1.0.3
  • Support single-sided authentication
  • Support multiple ciphersuites for cert-based
  • Support certPinning using EC certificates
  • Updated documentation
1.0.2 01.12.19 SOP_ME_2020 v1.0.2
  • Fix IOStream headers
  • Update MockTEE
1.0.1 03.11.19 SOP_ME_2020 v1.0.1
  • Fixed API
  • Changed signedness of some parameters
1.0.0 02.09.19 SOP_ME_2020 v1.0.0
  • Added server name indication (SNI) support
  • Fixed shutdown issues
1.0.0 RC8a 04.08.19 SOP_ME_2020 RC8a
  • Replaced TEE mock
  • Added TEE error codes
  • Enabled usage of PSK key of size 256 & 512 in addition to 128 bit
  • Added functionality for creating socket on already accepted connection FD
1.0.0 RC7b 01.07.19 RC7
  • added certificate pinning
1.0.0 RC7a 27.06.19 RC7 v1.0.0_RC7
  • added OCSP stapling
  • added cert pinning (Botan only)
  • added support for TLS alert codes
  • extended botan for dropTLS support
1.0.0 RC6c 18.04.19 RC6c Cert POC
  • Adaptions for the e3 SW-PAC
1.0.0 RC6b 18.04.19 RC6b PSK POC
  • Adaptions for the e3 SW-PAC
1.0.0 RC6a 07.03.19 RC6_pre
  • adding support for certificate based client
  • refactor botan engine
  • refactor wolfssl engine
1.0.0 RC5b 04.03.19 master
  • fixed non-blocking send
  • fix IPv6 bind failure
  • added new logging mechanism
1.0.0 RC5a 18.02.19 master
  • adding client/server hint
  • update of readme file to reflect the latest deliveries
  • cleanup of API
  • adding session creation using file-descriptor
  • separating the build process(engine and library)
1.0.0 RC4 Preview 05.12.18 rc4_pre
  • Extension for viwi proxy: adding a factory to upgrade a server socket.
  • Extension for MOD to support certificate based TLS
1.0.0 RC3f 24.01.19 master
  • adding test application
  • fixing readme.
  • adding gcov support
1.0.0 RC3e 17.01.19 master
  • fix memory leaks
1.0.0 RC3d 16.12.18 master
  • Adding support for non-blocking API calls
1.0.0 RC3c 06.12.18 master v1.0.0_RC3c
  • This version will only contain bug fixes.
  • FIX of IPv6 issues.
  • Fix return of send/receive is an enum (TLSEngineError)
  • Every accept in the server sockets creates a new engine
1.0.0 RC3b 15.11.18 master v1.0.0_RC3b
  • Complete the reference implementation. Adding missing function calls
  • Providing a verification suite which tests the implementation against the expectations.
  • changed to cmake for building the reference library and verification suite.
1.0.0 RC3a 05.11.18 v1.0.0_RC3a
  • Adding Botan SSL Support to reference implementation.
1.0.0 RC3 30.10.18 v1.0.0_RC3
  • ErrorHandler use shared_ptr for inet
  • ErrorHandler use enum for error code
  • InetAddressFactory make ctor private.
  • add c++ style callbacks
  • improve return code -- setters to ctors
  • using lambda expression for callback
  • provide a initial reference implementation
Preview for 1.0.0 RC3 25.10.18 preview_1.0.0_RC3
  • ErrorHandler use shared_ptr for inet
  • ErrorHandler use enum for error code
  • InetAddressFactory make ctor private.
  • add c++ style callbacks
  • improve return code -- setters to ctors
1.0.0 RC2 22.10.18 master v1.0.0_RC2
  • update of return codes (new codes added).
  • adding reference implementation of tlsLibrary.
  • adding reference project providing server and client samples.
1.0.0 RC1 22.10.18 master
  • Initial Version

Building the API and Sample

Prerequisite:

How to build && run gcov

    cd tlsAPI-WS
    mkdir build
    cd build
    cmake ..
    make all -j3
    make test
    make coverage

The HTML output report will be created under tests/gcov/html_output folder (open index.html). The PDF output report will be created under tests/gcov folder.