From f718187424f60d66b5dd1ef163964c1c60154085 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 18 Nov 2024 16:01:07 -0700 Subject: [PATCH 1/3] JSSE: remove SSLSocket.connect(SocketAddress endpoint), not needed since super equivalent calls connect(SocketAddress endpoint, int port) --- .../wolfssl/provider/jsse/WolfSSLSocket.java | 46 +------------------ 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java b/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java index 74d6b225..7a88d3a4 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java @@ -2070,51 +2070,7 @@ public void bind(SocketAddress bindpoint) throws IOException { /** * Connects the underlying Socket associated with this SSLSocket. * - * @param endpoint address of peer to connect underlying Socket to - * - * @throws IOException upon error connecting Socket - */ - @Override - public synchronized void connect(SocketAddress endpoint) - throws IOException { - - InetSocketAddress address = null; - - WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO, - "entered connect(SocketAddress endpoint)"); - - if (!(endpoint instanceof InetSocketAddress)) { - throw new IllegalArgumentException("endpoint is not of type " + - "InetSocketAddress"); - } - - if (this.socket != null) { - this.socket.connect(endpoint); - } else { - super.connect(endpoint); - } - - address = (InetSocketAddress)endpoint; - - /* register host/port for session resumption in case where - createSocket() was called without host/port, but - SSLSocket.connect() was explicitly called with SocketAddress */ - if (address != null && EngineHelper != null) { - EngineHelper.setHostAndPort( - address.getAddress().getHostAddress(), - address.getPort()); - EngineHelper.setPeerAddress(address.getAddress()); - } - - /* if user is calling after WolfSSLSession creation, register - socket fd with native wolfSSL */ - if (ssl != null) { - checkAndInitSSLSocket(); - } - } - - /** - * Connects the underlying Socket associated with this SSLSocket. + * Also called by super.connect(SocketAddress). * * @param endpoint address of peer to connect underlying socket to * @param timeout timeout value to set for underlying Socket connection From 59c30d34a7832817579578cd9316f51cf1f357bc Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 18 Nov 2024 16:09:14 -0700 Subject: [PATCH 2/3] JSSE: add debug and close Socket if doHandshake() throws SSLException in startHandshake() --- .../wolfssl/provider/jsse/WolfSSLSocket.java | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java b/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java index 7a88d3a4..7b130f56 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLSocket.java @@ -1456,6 +1456,8 @@ public synchronized void removeHandshakeCompletedListener( @Override public synchronized void startHandshake() throws IOException { int ret; + int err = 0; + String errStr = ""; WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO, "entered startHandshake(), trying to get handshakeLock"); @@ -1506,19 +1508,25 @@ public synchronized void startHandshake() throws IOException { try { ret = EngineHelper.doHandshake(0, this.getSoTimeout()); + err = ssl.getError(ret); + errStr = WolfSSL.getErrorString(err); + + /* close socket if the handshake is unsuccessful */ } catch (SocketTimeoutException e) { WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO, "got socket timeout in doHandshake()"); - /* close socket if the handshake is unsuccessful */ + close(); + throw e; + + } catch (SSLException e) { + WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO, + "native handshake failed in doHandshake(): error code: " + + err + ", TID " + Thread.currentThread().getId() + ")"); close(); throw e; } if (ret != WolfSSL.SSL_SUCCESS) { - int err = ssl.getError(ret); - String errStr = WolfSSL.getErrorString(err); - - /* close socket if the handshake is unsuccessful */ close(); throw new SSLHandshakeException(errStr + " (error code: " + err + ", TID " + Thread.currentThread().getId() + ")"); From c6fbb8e97bdb2e8500faf3742326bafd82b71555 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 18 Nov 2024 16:27:57 -0700 Subject: [PATCH 3/3] Android: update sample CMakeLists.txt with -DWOLFSSL_CERT_REQ, needed for wolfSSL_X509_REQ_set_version() --- IDE/Android/app/src/main/cpp/CMakeLists.txt | 33 +++++++++++---------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt index d06b7fe6..2e1ee867 100644 --- a/IDE/Android/app/src/main/cpp/CMakeLists.txt +++ b/IDE/Android/app/src/main/cpp/CMakeLists.txt @@ -52,16 +52,17 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal") -DHAVE_CRL -DHAVE_OCSP -DHAVE_CRL_MONITOR -DPERSIST_SESSION_CACHE -DPERSIST_CERT_CACHE -DATOMIC_USER -DHAVE_PK_CALLBACKS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN - -DHAVE_SNI -DHAVE_ALPN -DNO_RC4 -DHAVE_ENCRYPT_THEN_MAC - -DNO_MD4 -DWOLFSSL_ENCRYPTED_KEYS -DHAVE_DH_DEFAULT_PARAMS - -DNO_ERROR_QUEUE -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING - -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID - -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_ALWAYS_VERIFY_CB - -DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS - -DHAVE_EXT_CACHE -DWOLFSSL_FORCE_CACHE_ON_TICKET - -DWOLFSSL_AKID_NAME -DHAVE_CTS -DNO_DES3 -DGCM_TABLE_4BIT - -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT - -DHAVE_AESGCM -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8 + -DWOLFSSL_CERT_REQ -DHAVE_SNI -DHAVE_ALPN -DNO_RC4 + -DHAVE_ENCRYPT_THEN_MAC -DNO_MD4 -DWOLFSSL_ENCRYPTED_KEYS + -DHAVE_DH_DEFAULT_PARAMS -DNO_ERROR_QUEUE -DWOLFSSL_EITHER_SIDE + -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT + -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_ERROR_CODE_OPENSSL + -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_VERIFY_CB_ALL_CERTS + -DWOLFSSL_EXTRA_ALERTS -DHAVE_EXT_CACHE + -DWOLFSSL_FORCE_CACHE_ON_TICKET -DWOLFSSL_AKID_NAME -DHAVE_CTS + -DNO_DES3 -DGCM_TABLE_4BIT -DTFM_TIMING_RESISTANT + -DECC_TIMING_RESISTANT -DHAVE_AESGCM -DSIZEOF_LONG=4 + -DSIZEOF_LONG_LONG=8 # For gethostbyname() -DHAVE_NETDB_H @@ -156,12 +157,12 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") -DNO_RC4 -DNO_MD4 -DNO_MD5 -DNO_DES3 -DNO_DSA -DNO_RABBIT -DWOLFSSL_JNI -DHAVE_EX_DATA -DHAVE_OCSP -DHAVE_CRL_MONITOR - -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN -DHAVE_SNI -DHAVE_ALPN - -DWOLFSSL_ENCRYPTED_KEYS -DNO_ERROR_QUEUE -DWOLFSSL_EITHER_SIDE - -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID - -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_EXTRA_ALERTS - -DWOLFSSL_FORCE_CACHE_ON_TICKET -DWOLFSSL_AKID_NAME -DHAVE_CTS - -DKEEP_PEER_CERT -DSESSION_CERTS + -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_REQ + -DHAVE_SNI -DHAVE_ALPN -DWOLFSSL_ENCRYPTED_KEYS -DNO_ERROR_QUEUE + -DWOLFSSL_EITHER_SIDE -DWOLFSSL_PSS_LONG_SALT + -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_ERROR_CODE_OPENSSL + -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_FORCE_CACHE_ON_TICKET + -DWOLFSSL_AKID_NAME -DHAVE_CTS -DKEEP_PEER_CERT -DSESSION_CERTS -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8 # For gethostbyname()