Upstream merge + resolve conflict.

CMakeLists.txt

@@ -269,6 +269,18 @@ if(NOT WOLFSSL_SINGLE_THREADED)
     endif()
 endif()
 
+# DTLS-SRTP
+add_option("WOLFSSL_SRTP"
+    "Enables wolfSSL DTLS-SRTP (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_SRTP)
+    list(APPEND WOLFSSL_DEFINITIONS
+        "-DWOLFSSL_SRTP")
+    set(WOLFSSL_DTLS "yes")
+    set(WOLFSSL_KEYING_MATERIAL "yes")
+endif()
+
 
 # DTLS
 add_option("WOLFSSL_DTLS"

ChangeLog.md

@@ -23,7 +23,7 @@ NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
 * Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
 * Added support for the AES EAX mode of operation
 * Port for use with Hitch (https://github.com/varnish/hitch) added
-* Add XTS API's to handle multiple sectors in new port ot VeraCrypt
+* Add XTS API's to handle multiple sectors in new port to VeraCrypt
 
 ## Enhancements and Optimizations
 

IDE/CRYPTOCELL/main.c

@@ -27,7 +27,7 @@
 /* wolfCrypt_Init/wolfCrypt_Cleanup to turn CryptoCell hardware on/off */
 #include <wolfssl/wolfcrypt/wc_port.h>
 
-/* SEGGER_RTT_Init, you can potential replace it with other serial terminal */
+/* SEGGER_RTT_Init, you can potentially replace it with other serial terminal */
 #include "SEGGER_RTT.h"
 
 int main(void)

IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt

@@ -206,7 +206,7 @@ else()
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/atmel\""
-                          # TODO: Make this a univeral makefile that detects if bechmark / test needed
+                          # TODO: Make this a universal makefile that detects if benchmark / test needed
                           # Sometimes problematic with SM; consider gating detection.
                           #"\"${WOLFSSL_ROOT}/wolfcrypt/benchmark\"" # the benchmark application
                           #"\"${WOLFSSL_ROOT}/wolfcrypt/test\"" # the test application

IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt

@@ -206,7 +206,7 @@ else()
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/atmel\""
-                          # TODO: Make this a univeral makefile that detects if bechmark / test needed
+                          # TODO: Make this a universal makefile that detects if benchmark / test needed
                           # Sometimes problematic with SM; consider gating detection.
                           #"\"${WOLFSSL_ROOT}/wolfcrypt/benchmark\"" # the benchmark application
                           #"\"${WOLFSSL_ROOT}/wolfcrypt/test\"" # the test application

IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c

@@ -241,6 +241,6 @@ void app_main(void)
 #else
         vTaskDelay(60000);
 #endif
-    } /* done whle */
+    } /* done while */
 #endif
 }

IDE/Renesas/cs+/Projects/t4_demo/README_en.txt

@@ -12,7 +12,7 @@ Setup process:
   - Unzip wolfssl under the same directory
 
 2. Set up wolfSSL
-  - open wolfssl\IDE\Renesas\cs+\Projec/wolfssl\lib.mtpj with CS+ and build
+  - open wolfssl\IDE\Renesas\cs+\Projects\wolfssl\lib.mtpj with CS+ and build
   - open t4_demo.mtpj and build. This create demo program library.
 
 3. Set up AlphaProject

IDE/Renesas/e2studio/RZN2L/README.md

@@ -152,7 +152,7 @@ $./examples/server/server -b -d -i -v 4
 
 + For ECDSA sign and verify use,
 Enable the `USE_CERT_BUFFER_256` macro in `wolfssl_demo.h`
-Disble the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
+Disable the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
 
 + launch server with the following option.
 ```
@@ -214,7 +214,7 @@ $./examples/server/server -b -d -i -v 3
 
 + For ECDSA sign and verify use,
 Enable the `USE_CERT_BUFFER_256` macro in `wolfssl_demo.h`
-Disble the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
+Disable the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
 
 + launch server with the following option.
 ```
@@ -281,7 +281,7 @@ static const byte ucIPAddress[4]          = { 192, 168, 11, 241 };
 
 + For ECDSA sign and verify use,
 Enable the `USE_CERT_BUFFER_256` macro in `wolfssl_demo.h`
-Disble the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
+Disable the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
 
 + launch server from e2studio
 
@@ -311,7 +311,7 @@ Cleaning up socket and wolfSSL objects.
 Waiting connection....
 ```
 
-You will see the follwoing message on Linux terminal.
+You will see the following message on Linux terminal.
 ```
 $ ./examples/client/client -h 192.168.11.241 -p 11111 -v 4
 SSL version is TLSv1.3
@@ -333,7 +333,7 @@ Received: hello wolfssl!
 Cleaning up socket and wolfSSL objects.
 Waiting connection....
 ```
-You will see the follwoing message on Linux terminal.
+You will see the following message on Linux terminal.
 ```
 $ ./examples/client/client -h 192.168.11.241 -p 11111 -v 4 -A ./certs/ca-ecc-cert.pem -c ./certs/client-ecc-cert.pem  -k ./cert
 s/ecc-client-key.pem
@@ -359,7 +359,7 @@ static const byte ucIPAddress[4]          = { 192, 168, 11, 241 };
 
 + For ECDSA sign and verify use,
 Enable the `USE_CERT_BUFFER_256` macro in `wolfssl_demo.h`
-Disble the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
+Disable the `USE_CERT_BUFFER_2048` macro in `wolfssl_demo.h`
 
 + launch server from e2studio
 
@@ -389,7 +389,7 @@ Cleaning up socket and wolfSSL objects.
 Waiting connection....
 ```
 
-You will see the follwoing message on Linux terminal.
+You will see the following message on Linux terminal.
 ```
 $ ./examples/client/client -h 192.168.11.241 -p 11111 -v 3
 SSL version is TLSv1.2
@@ -411,7 +411,7 @@ Received: hello wolfssl!
 Cleaning up socket and wolfSSL objects.
 Waiting connection....
 ```
-You will see the follwoing message on Linux terminal.
+You will see the following message on Linux terminal.
 ```
 $ ./examples/client/client -h 192.168.11.241 -p 11111 -v 3 -A ./certs/ca-ecc-cert.pem -c ./certs/client-ecc-cert.pem  -k ./certs/ecc-client-key.pem
 SSL version is TLSv1.2

IDE/Renesas/e2studio/RZN2L/test/src/rzn2l_tst_thread_entry.c

@@ -131,7 +131,7 @@ void RSIP_KeyGeneration(FSPSM_ST *g)
 }
 
 /* only pointer sets to NULL     */
-/* onwer of keys should be freed */
+/* owner of keys should be freed */
 void Clr_CallbackCtx(FSPSM_ST *g)
 {
     (void) g;

README

@@ -95,7 +95,7 @@ NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
 * Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
 * Added support for the AES EAX mode of operation
 * Port for use with Hitch (https://github.com/varnish/hitch) added
-* Add XTS API's to handle multiple sectors in new port ot VeraCrypt
+* Add XTS API's to handle multiple sectors in new port to VeraCrypt
 
 ## Enhancements and Optimizations
 

README.md

@@ -100,7 +100,7 @@ NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
 * Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
 * Added support for the AES EAX mode of operation
 * Port for use with Hitch (https://github.com/varnish/hitch) added
-* Add XTS API's to handle multiple sectors in new port ot VeraCrypt
+* Add XTS API's to handle multiple sectors in new port to VeraCrypt
 
 ## Enhancements and Optimizations
 

cmake/functions.cmake

@@ -53,7 +53,7 @@ function(generate_build_flags)
     if(WOLFSSL_SCTP OR WOLFSSL_USER_SETTINGS)
         set(BUILD_SCTP "yes" PARENT_SCOPE)
     endif()
-    if(WOLFSSL_DTLS_CID OR WOLFSSL_USER_SETTINGS)
+    if(WOLFSSL_DTLS_CID OR WOLFSSL_USER_SETTINGS OR WOLFSSL_DTLS)
         set(BUILD_DTLS_COMMON "yes" PARENT_SCOPE)
     endif()
     set(BUILD_MCAST ${WOLFSSL_MCAST} PARENT_SCOPE)

doc/dox_comments/header_files/aes.h

@@ -1533,7 +1533,7 @@ WOLFSSL_API int wc_AesEaxEncryptFinal(AesEax* eax,
     \ref wc_AesEaxInit. When done using the \c AesEax context structure, make 
     sure to free it using \ref wc_AesEaxFree.
 
-    \return 0 if data is authenticated succesfully
+    \return 0 if data is authenticated successfully
     \return AES_EAX_AUTH_E if the authentication tag does not match the
     supplied authentication code vector \c authIn
     \return other error code on failure

examples/server/server.h

@@ -27,7 +27,7 @@
 THREAD_RETURN WOLFSSL_THREAD server_test(void* args);
 
 /* Echo bytes using buffer of blockSize until [echoData] bytes are complete. */
-/* If [bechmarkThroughput] set the statistcs will be output at the end */
+/* If [benchmarkThroughput] set the statistics will be output at the end */
 int ServerEchoData(WOLFSSL* ssl, int clientfd, int echoData, int blockSize,
                    size_t benchmarkThroughput);
 

src/internal.c

@@ -20394,7 +20394,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
         case getRecordLayerHeader:
 
             /* DTLSv1.3 record numbers in the header are encrypted, and AAD
-             * uses the unecrypted form. Because of this we need to modify the
+             * uses the unencrypted form. Because of this we need to modify the
              * header, decrypting the numbers inside
              * DtlsParseUnifiedRecordLayer(). This violates the const attribute
              * of the buffer parameter of GetRecordHeader() used here. */

src/ssl.c

@@ -8432,7 +8432,7 @@ static int LoadSystemCaCertsWindows(WOLFSSL_CTX* ctx, byte* loaded)
  * directly into wolfSSL "the old way".
  *
  * As of MacOS 14.0 we are still able to use this method to access system
- * certificates. Accessiblity of this API is indicated by the presence of the
+ * certificates. Accessibility of this API is indicated by the presence of the
  * Security/SecTrustSettings.h header. In the likely event that Apple removes
  * access to this API on Macs, this function should be removed and the
  * DoAppleNativeCertValidation() routine should be used for all devices.
@@ -8579,7 +8579,7 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
 #if defined(HAVE_SECURITY_SECTRUSTSETTINGS_H) \
   && !defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)
     /* As of MacOS 14.0 we are still able to access system certificates and
-     * load them manually into wolfSSL "the old way". Accessiblity of this API
+     * load them manually into wolfSSL "the old way". Accessibility of this API
      * is indicated by the presence of the Security/SecTrustSettings.h header */
     ret = LoadSystemCaCertsMac(ctx, &loaded);
 #elif defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)

src/ssl_crypto.c

@@ -1616,8 +1616,8 @@ WOLFSSL_HMAC_CTX* wolfSSL_HMAC_CTX_new(void)
  *
  * Not an OpenSSL compatibility API.
  *
- * @param [in, out] ctx  HMAC contect object.
- * @return  1 inficating success.
+ * @param [in, out] ctx  HMAC context object.
+ * @return  1 indicating success.
  */
 int wolfSSL_HMAC_CTX_Init(WOLFSSL_HMAC_CTX* ctx)
 {

src/tls.c

@@ -8396,7 +8396,7 @@ static int TLSX_KeyShare_ProcessPqc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
     ret = kyber_id2type(oqs_group, &type);
     if (ret != 0) {
         WOLFSSL_MSG("Invalid OQS algorithm specified.");
-        ret = BAD_FUNC_ARG;
+        return BAD_FUNC_ARG;
     }
     if (ret == 0) {
         ret = wc_KyberKey_Init(type, kem, ssl->heap, INVALID_DEVID);
@@ -8887,7 +8887,7 @@ static int server_generate_pqc_ciphertext(WOLFSSL* ssl,
     ret = kyber_id2type(oqs_group, &type);
     if (ret != 0) {
         WOLFSSL_MSG("Invalid Kyber algorithm specified.");
-        ret = BAD_FUNC_ARG;
+        return BAD_FUNC_ARG;
     }
 
     if (ret == 0) {

src/x509.c

@@ -5218,15 +5218,16 @@ static WOLFSSL_X509* loadX509orX509REQFromBuffer(
     const unsigned char* buf, int sz, int format, int type)
 {
 
-    int ret;
+    int ret = 0;
     WOLFSSL_X509* x509 = NULL;
     DerBuffer* der = NULL;
 
     WOLFSSL_ENTER("wolfSSL_X509_load_certificate_ex");
 
     if (format == WOLFSSL_FILETYPE_PEM) {
     #ifdef WOLFSSL_PEM_TO_DER
-        if (PemToDer(buf, sz, type, &der, NULL, NULL, NULL) != 0) {
+        ret = PemToDer(buf, sz, type, &der, NULL, NULL, NULL);
+        if (ret != 0) {
             FreeDer(&der);
         }
     #else
@@ -5252,20 +5253,28 @@ static WOLFSSL_X509* loadX509orX509REQFromBuffer(
     #ifdef WOLFSSL_SMALL_STACK
         cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
                                      DYNAMIC_TYPE_DCERT);
-        if (cert != NULL)
+        if (cert == NULL) {
+            ret = MEMORY_ERROR;
+        }
+        else
     #endif
         {
             InitDecodedCert(cert, der->buffer, der->length, NULL);
-            if (ParseCertRelative(cert, type, 0, NULL) == 0) {
+            ret = ParseCertRelative(cert, type, 0, NULL);
+            if (ret == 0) {
                 x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
                                                              DYNAMIC_TYPE_X509);
                 if (x509 != NULL) {
                     InitX509(x509, 1, NULL);
-                    if (CopyDecodedToX509(x509, cert) != 0) {
+                    ret = CopyDecodedToX509(x509, cert);
+                    if (ret != 0) {
                         wolfSSL_X509_free(x509);
                         x509 = NULL;
                     }
                 }
+                else {
+                    ret = MEMORY_ERROR;
+                }
             }
 
             FreeDecodedCert(cert);
@@ -5277,6 +5286,10 @@ static WOLFSSL_X509* loadX509orX509REQFromBuffer(
         FreeDer(&der);
     }
 
+    if (ret != 0) {
+        WOLFSSL_ERROR(ret);
+    }
+
     return x509;
 }
 

tests/api.c

@@ -35690,7 +35690,7 @@ static int test_X509_STORE_untrusted(void)
         NULL
     };
 
-    /* Only immediate issuer in untrusted chaing. Fails since can't build chain
+    /* Only immediate issuer in untrusted chain. Fails since can't build chain
      * to loaded CA. */
     ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0,
             X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1), TEST_SUCCESS);

wolfcrypt/src/ext_lms.c

@@ -231,7 +231,7 @@ const char * wc_LmsKey_RcToStr(enum wc_LmsRc lmsEc)
 
 /* Init an LMS key.
  *
- * Call this before setting the parms of an LMS key.
+ * Call this before setting the params of an LMS key.
  *
  * Returns 0 on success.
  * */
@@ -404,7 +404,7 @@ int wc_LmsKey_SetParameters(LmsKey * key, int levels, int height,
         key->lm_ots_type[i] = ots;
     }
 
-    /* Move the state to parms set.
+    /* Move the state to params set.
      * Key is ready for MakeKey or Reload. */
     key->state = WC_LMS_STATE_PARMSET;
 
@@ -656,7 +656,7 @@ int wc_LmsKey_MakeKey(LmsKey* key, WC_RNG * rng)
     return 0;
 }
 
-/* Reload a key that has been prepared with the appropriate parms and
+/* Reload a key that has been prepared with the appropriate params and
  * data. Use this if you wish to resume signing with an existing key.
  *
  * Write/read callbacks, and context data, must be set prior.

wolfcrypt/src/ext_xmss.c

@@ -97,7 +97,7 @@ static int sha256_cb(const unsigned char *in, unsigned long long inlen,
 
 /* Init an XMSS key.
  *
- * Call this before setting the parms of an XMSS key.
+ * Call this before setting the params of an XMSS key.
  *
  *  key         [in]  The XMSS key to init.
  *  heap        [in]  Unused.
@@ -201,7 +201,7 @@ static int wc_XmssKey_SetOid(XmssKey * key, uint32_t oid, int is_xmssmt)
 
 /* Set the XMSS key parameter string.
  *
- * The input string must be one of the supported parm set names in
+ * The input string must be one of the supported param set names in
  * the "Name" section from the table in wolfssl/wolfcrypt/xmss.h,
  * e.g. "XMSS-SHA2_10_256" or "XMSSMT-SHA2_20/4_256".
  *

wolfcrypt/src/port/Espressif/esp32_mp.c

@@ -1015,8 +1015,8 @@ int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M,
         return MP_HW_FALLBACK;
     }
     if ((X == NULL) || (Y == NULL) || (M == NULL) ) {
-        /* if a bad oprand passed, we cannot use HW */
-        ESP_LOGE(TAG, "ERROR: Bad Montgomery operand, falling back to SW");
+        /* if a bad operand passed, we cannot use HW */
+        ESP_LOGE(TAG, "ERROR: Bad montgomery operand, falling back to SW");
         return MP_HW_FALLBACK;
     }
     XMEMSET(mph, 0, sizeof(struct esp_mp_helper));