Add support for nginx-1.25.0 #6515
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
3 times, most recently
from
ae619bb
to
2709946
Compare
kareem-wolfssl
requested changes
Jun 22, 2023
|
This PR now depends on wolfSSL/osp#146. It fixes the stunnel error. |
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
2 times, most recently
from
9e7eacf
to
0f853e1
Compare
|
Once wolfSSL/wolfssl-nginx#22 is merged, the nginx action in this PR will need to be changed to point at the master branch of https://github.com/wolfSSL/wolfssl-nginx. |
kareem-wolfssl
previously approved these changes
Jun 23, 2023
|
I'm ready to merge this, but there are some conflicts in api.c now, please resolve them. |
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
3 times, most recently
from
b8ed6af
to
ded113c
Compare
|
retest this please |
1 similar comment
|
retest this please |
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
from
ded113c
to
0cde3a5
Compare
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
from
0cde3a5
to
f431db8
Compare
|
retest this please |
dgarske
requested changes
Jul 5, 2023
src/tls.c
Outdated
| @@ -3013,6 +3016,10 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap) | |||
| break; | |||
| } | |||
|
|
|||
| #ifdef WOLFSSL_TLS13 | |||
| if (csr->response.buffer != NULL) | |||
| XFREE(csr->response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); | |||
There was a problem hiding this comment.
Added a way to use a heap hint. Also removed responseBuffer from internal API's that don't use it anywhere.
src/tls.c
Outdated
| @@ -3187,7 +3194,13 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length, | |||
| ret = BUFFER_ERROR; | |||
| } | |||
| if (ret == 0) { | |||
| csr->response.buffer = (byte*)(input + offset); | |||
| csr->response.buffer = (byte*)XMALLOC(resp_length, NULL, | |||
There was a problem hiding this comment.
Please add heap hint ssl->heap.
There was a problem hiding this comment.
Added a way to use a heap hint. Also removed responseBuffer from internal API's that don't use it anywhere.
src/tls13.c
Outdated
| } | ||
| fprintf(fp, "\n"); | ||
|
|
||
| if (fp != stderr) { |
There was a problem hiding this comment.
Prefer just wrap this with #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
There was a problem hiding this comment.
Just using WOLFSSL_SSLKEYLOGFILE_OUTPUT gating without if's.
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
2 times, most recently
from
ce8cefa
to
9d3170a
Compare
dgarske
requested changes
Jul 6, 2023
src/tls13.c
Outdated
| { | ||
| int i; | ||
| const char* str = NULL; | ||
| unsigned char clientRandom[32]; |
There was a problem hiding this comment.
Please use byte and RAN_LEN.
|
@julek-wolfssl Recommend a squash on merge or on next push (28 is a lot) |
SparkiDev
previously requested changes
Jul 6, 2023
- nginx: add necessary defines and function - Implement Certificate Authorities for TLS 1.3 - Implement secret logging for TLS 1.3. Can be used for example with: ./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'" - Implement session context checking for tickets - Check for authorized responder in OCSP basic response - Fix handling call to ocsp->statusCb - compat: Translate SOCKET_PEER_CLOSED_E to WOLFSSL_ERROR_SYSCALL - Fix wolfSSL_CTX_set_session_cache_mode - WOLFSSL_SESS_CACHE_OFF means nothing should be on - WOLFSSL_SESS_CACHE_NO_INTERNAL turns off only the internal cache - Respect ssl->options.internalCacheOff - Implement SSL_SESSION_set_time - wolfSSL_SSL_in_init: fix detection for TLS 1.3 - Fix handling call to ssl->alpnSelect - SendTls13NewSessionTicket: always generate new ID - When we send a new ticket for the same session (for example we resumed a connection and are sending a new ticket so that the client can resume in the future), we need to generate a new ID so that we don't overwrite the old session in the cache. Overwriting the session results in the `diff` calculation in `DoClientTicketCheck()` producing the wrong value and failing to resume. Add nginx github action test - Fix memory leaks - wolfSSL_OCSP_basic_verify: implement OCSP_TRUSTOTHER flag - AKID: implement matching on issuer name and serial number - ocsp: check for a chain match for OCSP responder - Split CreateTicket into CreateTicket and SetupTicket - SendCertificateStatus: free response.buffer - Use heap hint when allocating responseBuffer - Remove responseBuffer from internal API's that don't use it anywhere
julek-wolfssl
force-pushed
the
nginx-1.25.0
branch
from
9d3170a
to
0abaa89
Compare
|
@dgarske Rebased and squashed to one commit. |
dgarske
approved these changes
Jul 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
./configure CPPFLAGS="-DWOLFSSL_SSLKEYLOGFILE -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE_OUTPUT='\"/tmp/secrets\"'"