tweak several #includes of settings.h to include types.h instead (all of these are for clarity, as types.h is indirectly included by later #includes), and add #include <wolfssl/wolfcrypt/types.h> where missing;
remove trailing semicolons from PRAGMA*() macro invocations as they are unneeded and can be harmful (inducing frivolous -Wdeclaration-after-statement etc.).
if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;
if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;
for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;
scripts/sniffer-gen.sh: fix illegal exit code (SC2242);
src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();
src/ocsp.c: fix readability-redundant-preprocessor;
src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();
tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;
wolfcrypt/src/asn.c:
fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();
fix readability-redundant-declaration re GetCA() and GetCAByName();
gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);
wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;
tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).
Add support for cipher aliases DHE, EDH and EECDH.
Add define SSL_CTRL_GET_CHAIN_CERTS to help hitch and other programs detect SSL_CTX_get0_chain_certs is supported.
Add wolfSSL_get_locking_callback.
Allow using ECDHE+RSA cipher suites when ECDHE alias is used while in OpenSSL compatibility mode.
Add more alerts for hitch.
SSL_CM should use the CTX's x509_store_pt if available.
Add support for SSL_CERT_FILE and SSL_CERT_DIR. Load default OpenSSL TLS 1.3 ciphers when using OPENSSL_COMPATIBLE_DEFAULTS.
Use wolfSSL_sk_X509_new_null to allocate WOLFSSL_STACK in wolfSSL_CTX_get_extra_chain_certs. Previous approach of malloc'ing without setting type/memsetting was leading to a segfault.
Add --enable-hitch.
hitch: Add unit tests for new APIs, fix a couple of issues uncovered by unit testing.
Correct behavior of wolfSSL_BIO_set_mem_buf for BIO_CLOSE/NOCLOSE and update unit test accordingly.
Add Github action test for hitch.
Split out certificate manager APIs into ssl_certman.c.
ssl.c includes ssl_certman.c
Better test coverage.
Minor fixes.
wolfSSL_X509_chain_up_ref calls XFREE with name->heap but name may be
NULL. Check for NULL first.
- nginx: add necessary defines and function
- Implement Certificate Authorities for TLS 1.3
- Implement secret logging for TLS 1.3. Can be used for example with:
./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'"
- Implement session context checking for tickets
- Check for authorized responder in OCSP basic response
- Fix handling call to ocsp->statusCb
- compat: Translate SOCKET_PEER_CLOSED_E to WOLFSSL_ERROR_SYSCALL
- Fix wolfSSL_CTX_set_session_cache_mode
- WOLFSSL_SESS_CACHE_OFF means nothing should be on
- WOLFSSL_SESS_CACHE_NO_INTERNAL turns off only the internal cache
- Respect ssl->options.internalCacheOff
- Implement SSL_SESSION_set_time
- wolfSSL_SSL_in_init: fix detection for TLS 1.3
- Fix handling call to ssl->alpnSelect
- SendTls13NewSessionTicket: always generate new ID
- When we send a new ticket for the same session (for example we resumed a connection and are sending a new ticket so that the client can resume in the future), we need to generate a new ID so that we don't overwrite the old session in the cache. Overwriting the session results in the `diff` calculation in `DoClientTicketCheck()` producing the wrong value and failing to resume.
Add nginx github action test
- Fix memory leaks
- wolfSSL_OCSP_basic_verify: implement OCSP_TRUSTOTHER flag
- AKID: implement matching on issuer name and serial number
- ocsp: check for a chain match for OCSP responder
- Split CreateTicket into CreateTicket and SetupTicket
- SendCertificateStatus: free response.buffer
- Use heap hint when allocating responseBuffer
- Remove responseBuffer from internal API's that don't use it anywhere
Address PR comments + other cleanup
Addressing PR comments
Minor change
Make sure the last line gets output as well
Add in ARIA SHA256 session to internal structure
Add in ARIA SHA384 session to internal structure
Add necessary function for ARIA to extract key
Fix unit tests
Rename HAVE_ARIAGCM to HAVE_ARIA
Move aria.* to wolfcrypt/port/aria
Separate out aria-crypt init functions
Adding in ECC+SHA callbacks
Avoid using AC_CHECK_FILE
Rename Aria to wc_Aria
Don't need special cases
Addressing PR comments
Code cleanup
C89 support
Remove TODO
Add documentation about buffer size
Clean up header files
Use ARIA_DEVID by default if available
Dummy update call to make MagicCrypto happy
Fix for detecting what algo type to use
Documentation
Use the appropriate sign/verify
Collect MagicCrypto functions together (and avoid leaks)
Fall back on other implementations on failure
Fix issue when compiling without CRYPTOCB
Addressing PR comments
Better cleanup
Addressing PR comments
Cleaner exit in case of error
- move the testsuite file helps into a new tests/utils.c file so that they can be used across all tests
- dump the raw TLS stream when WOLFSSL_DUMP_MEMIO_STREAM is defined so that it can be examined in Wireshark
This caused an issue on big endian platforms
From the getsockopt man page:
Most socket-level options utilize an int argument for optval. For setsockopt(), the argument should be non‐
zero to enable a boolean option, or zero if the option is to be disabled.
