- wolfSSL_BIO_ctrl_pending ignore BASE64 bio's as well now
- Save the last Finished messages sent or received in the WOLFSSL struct
- Implement wolfSSL_CTX_set_max_proto_version
- wolfSSL_d2i_X509_bio now uses wolfSSL_BIO_read so that the entire chain is properly read from the BIO
Move the setting of the key in the handshake from right before
sending the finished message to between building change cipher spec
and sending it. This way there won't be any opportunity to send a
message after the change cipher spec that won't be encrypted.
perhaps some of this code should additionally be wrapped in
- #ifndef NO_WOLFSSL_SERVER
It is fragile and ugly to litter the code with the likes of
- #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \
- defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \
- defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) ))
while it is much clearer and much more maintainable to wrap SNI-related
code with an SNI-specific feature-define HAVE_SNI (and possibly further
restrict with feature-define #ifndef NO_WOLFSSL_SERVER).
Was opening and closing sessions when operations not compiled in were
being attempted (e.g. hashing during certificate signing).
C_Sign can be used with X509 RSA (raw) as it does the same operations as
C_Decrypt. Use the function matching hig level operation where
supported.
Make debugging functions take a CK_ULONG rather than an int - to avoid
casting.
- Use OcspEntry in OcspResponse instead of CertStatus. OcspEntry is more
analogous to an OCSP SingleResponse, which contains issuer name and key
hashes. Correspondingly, remove these hashes from OcspResponse, since they'll
now be stored per SingleResponse in an OcspEntry.
- Add a hashAlgoOID to OcspEntry (corresponds to hashAlgorithm in CertId in RFC
6960). This makes OcspEntry more closely resemble an OCSP SingleResponse.
- Change WOLFSSL_OCSP_CERTID to map to OcspEntry. OcspEntry contains all the
information that an OCSP CertID contains, and is a better fit than
OcspRequest.
- Add a pointer to the raw CertId in an OCSP SingleResponse to OcspEntry, along
with a size field to indicate how many bytes the CertId occupies. This will
be used in an OpenSSL compatibility function, i2d_OCSP_CERTID, which yields
the raw bytes of the CertId.
1. Removed a flag set that would force all certificates in a chain
to be verified. There was a compile time option to make that happen
already.
2. Replace some options for some test failure test cases that were added
and immediately removed.
(ZD 11292)
Reset DTLS stored messages on a FreeHandshakeResources call even if secure renegotiation is enabled. Without this, in a server initiated rehandshake, the server would keep old messages (ChangeCipherSpec and Finished) even when it sent a HelloRequest message.
1. Fixed a couple possible 0 byte allocations.
2. Fixed a couple missed frees due to error conditions.
3. Fixed a possible double free.
To recreate:
$ scan-build ./configure --disable-shared --enable-opensslextra=x509small --disable-memory
$ scan-build ./configure --disable-shared --enable-opensslextra --disable-memory
Make default to pick lowest hash with RSA and ECC (TLS 1.2 and lower).
WOLFSSL_STRONGEST_HASH_SIG picks the strongest hash.
WOLFSSL_ECDSA_MATCH_HASH will pick the hash to match the ECC curve.
