New session creation function, NewSession, that doesn't initialize
mutex.
Calling functions, wolfSSL_SESSION_new() and wolfSSL_SESSION_copy(),
initialize the mutex.
Move the setting of the key in the handshake from right before
sending the finished message to between building change cipher spec
and sending it. This way there won't be any opportunity to send a
message after the change cipher spec that won't be encrypted.
perhaps some of this code should additionally be wrapped in
- #ifndef NO_WOLFSSL_SERVER
It is fragile and ugly to litter the code with the likes of
- #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \
- defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \
- defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) ))
while it is much clearer and much more maintainable to wrap SNI-related
code with an SNI-specific feature-define HAVE_SNI (and possibly further
restrict with feature-define #ifndef NO_WOLFSSL_SERVER).
Was opening and closing sessions when operations not compiled in were
being attempted (e.g. hashing during certificate signing).
C_Sign can be used with X509 RSA (raw) as it does the same operations as
C_Decrypt. Use the function matching hig level operation where
supported.
Make debugging functions take a CK_ULONG rather than an int - to avoid
casting.
- Use OcspEntry in OcspResponse instead of CertStatus. OcspEntry is more
analogous to an OCSP SingleResponse, which contains issuer name and key
hashes. Correspondingly, remove these hashes from OcspResponse, since they'll
now be stored per SingleResponse in an OcspEntry.
- Add a hashAlgoOID to OcspEntry (corresponds to hashAlgorithm in CertId in RFC
6960). This makes OcspEntry more closely resemble an OCSP SingleResponse.
- Change WOLFSSL_OCSP_CERTID to map to OcspEntry. OcspEntry contains all the
information that an OCSP CertID contains, and is a better fit than
OcspRequest.
- Add a pointer to the raw CertId in an OCSP SingleResponse to OcspEntry, along
with a size field to indicate how many bytes the CertId occupies. This will
be used in an OpenSSL compatibility function, i2d_OCSP_CERTID, which yields
the raw bytes of the CertId.
1. Removed a flag set that would force all certificates in a chain
to be verified. There was a compile time option to make that happen
already.
2. Replace some options for some test failure test cases that were added
and immediately removed.
(ZD 11292)
Reset DTLS stored messages on a FreeHandshakeResources call even if secure renegotiation is enabled. Without this, in a server initiated rehandshake, the server would keep old messages (ChangeCipherSpec and Finished) even when it sent a HelloRequest message.
