From 34fed15cd0144e9d3d7f497609429be6501eca02 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 5 Nov 2021 12:36:49 -0600 Subject: [PATCH 01/12] adjustments to provider tests from Android IDE project update --- .../jsse/test/WolfSSLServerSocketTest.java | 8 ++-- .../provider/jsse/test/WolfSSLX509Test.java | 40 ++++++++++++------- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLServerSocketTest.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLServerSocketTest.java index ca05e7bd..8f8dcb0d 100644 --- a/src/test/com/wolfssl/provider/jsse/test/WolfSSLServerSocketTest.java +++ b/src/test/com/wolfssl/provider/jsse/test/WolfSSLServerSocketTest.java @@ -485,11 +485,11 @@ public Void call() throws Exception { serverFuture.get(); ss.close(); - /* fail case, incorrect root CA loaded to verify server cert. - * serverJKS doesn't verify serverJKS */ + /* fail case, incorrect root CA loaded to verify client cert. + * caJKS does not verify clientJKS (client cert is self-signed) */ this.ctx = tf.createSSLContext("TLSv1.2", ctxProvider, - tf.createTrustManager("SunX509", tf.serverJKS, ctxProvider), - tf.createKeyManager("SunX509", tf.serverJKS, ctxProvider)); + tf.createTrustManager("SunX509", tf.caJKS, ctxProvider), + tf.createKeyManager("SunX509", tf.clientJKS, ctxProvider)); ss = (SSLServerSocket)ctx.getServerSocketFactory() .createServerSocket(0); diff --git a/src/test/com/wolfssl/provider/jsse/test/WolfSSLX509Test.java b/src/test/com/wolfssl/provider/jsse/test/WolfSSLX509Test.java index c17007ad..6f46c3be 100644 --- a/src/test/com/wolfssl/provider/jsse/test/WolfSSLX509Test.java +++ b/src/test/com/wolfssl/provider/jsse/test/WolfSSLX509Test.java 
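Review bot: The rewritten comment in the WolfSSLServerSocketTest.java hunk explains the trust side (`tf.caJKS` cannot verify the self-signed client cert) but not why the key manager moved from `tf.serverJKS` to `tf.clientJKS`. This context is the one used for `ctx.getServerSocketFactory()`, so the server now presents the client keystore's identity. The handshake may therefore fail for a reason other than the client-cert verification the comment names, although the connecting side is outside the hunk, so this is an inference. If only the trust failure is under test, keeping `tf.createKeyManager("SunX509", tf.serverJKS, ctxProvider)` isolates it; otherwise extend the comment to say which side is expected to reject which certificate.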
@@ -417,10 +417,11 @@ public void testGetters() { } try { - X509Certificate x509; - javax.security.cert.X509Certificate peer; - X509Certificate local[]; + java.security.cert.X509Certificate x509 = null; + javax.security.cert.X509Certificate peer = null; + java.security.cert.Certificate local[]; + /* getPeerCertificateChain() returns array of javax.security.cert.X509Certificate */ certs = client.getSession().getPeerCertificateChain(); if (certs == null) { error("\t\t... failed"); @@ -430,6 +431,7 @@ public void testGetters() { peer = certs[0]; + /* getLocalCertificates() returns array of java.security.cert.Certificate */ local = (X509Certificate[]) server.getSession().getLocalCertificates(); if (local == null) { error("\t\t... failed"); @@ -437,7 +439,14 @@ public void testGetters() { return; } /* @TODO local.length != 2 test */ - x509 = local[0]; + + /* check that getLocalCertificates() returned type X509Certificate */ + if (local[0].getType().equals("X.509")) { + x509 = (X509Certificate)local[0]; + } else { + error("\t\t... failed"); + fail("getLocalCertificates() did not return X509Certificate type"); + } if (x509.getVersion() != 3 || peer.getVersion() != 2) { error("\t\t... failed"); 
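Review bot: The array cast in the second hunk's context line, `local = (X509Certificate[]) server.getSession().getLocalCertificates();`, is still in place although `local` is now declared as `java.security.cert.Certificate[]`. A session that returns a plain `Certificate[]` would throw ClassCastException there, before the new type check in the third hunk runs; `local = server.getSession().getLocalCertificates();` avoids that. The new check compares `getType()` with "X.509", which does not by itself guarantee that the object is an `X509Certificate` instance, so `if (local[0] instanceof X509Certificate) {` guards the following cast directly. `local[0]` is also read without a length check (the `@TODO` just above), so an empty array would surface as an index error rather than a test failure message. testGetters() begins and ends outside these hunks.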
@@ -469,16 +478,19 @@ public void testGetters() { fail("failed date not after"); } - if (!x509.getSubjectDN().getName().equals( - peer.getSubjectDN().getName())) { - error("\t\t... failed"); - fail("subject DN does not match"); - } - - if (!x509.getIssuerDN().getName().equals( - peer.getIssuerDN().getName())) { - error("\t\t... failed"); - fail("issuer DN does not match"); + /* Android KeyStore formats x509 getName() differently than peer getName() */ + if (!tf.isAndroid()) { + if (!x509.getSubjectDN().getName().equals( + peer.getSubjectDN().getName())) { + error("\t\t... failed"); + fail("subject DN does not match"); + } + + if (!x509.getIssuerDN().getName().equals( + peer.getIssuerDN().getName())) { + error("\t\t... failed"); + fail("issuer DN does not match"); + } } if (peer.toString() == null || x509.toString() == null) { From a208231f4ad07e9a685214a2389ba7cd2e15d0ad Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 5 Nov 2021 12:39:50 -0600 Subject: [PATCH 02/12] update IDE/Android project --- IDE/Android/.idea/compiler.xml | 6 +++ IDE/Android/.idea/gradle.xml | 11 ++-- IDE/Android/.idea/jarRepositories.xml | 25 +++++++++ IDE/Android/.idea/misc.xml | 2 +- IDE/Android/.idea/runConfigurations.xml | 12 ----- IDE/Android/app/src/main/cpp/CMakeLists.txt | 51 +++++++++++++++---- IDE/Android/build.gradle | 2 +- .../gradle/wrapper/gradle-wrapper.properties | 6 +-- 8 files changed, 84 insertions(+), 31 deletions(-) create mode 100644 IDE/Android/.idea/compiler.xml create mode 100644 IDE/Android/.idea/jarRepositories.xml delete mode 100644 IDE/Android/.idea/runConfigurations.xml diff --git a/IDE/Android/.idea/compiler.xml b/IDE/Android/.idea/compiler.xml new file mode 100644 index 00000000..fb7f4a8a --- /dev/null +++ b/IDE/Android/.idea/compiler.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/IDE/Android/.idea/gradle.xml b/IDE/Android/.idea/gradle.xml index 2996d531..526b4c25 100644 --- a/IDE/Android/.idea/gradle.xml 
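Review bot: Wrapping both DN comparisons in `if (!tf.isAndroid())` means that on Android the test no longer checks that the server's local certificate and the certificate the client received are the same one, which is presumably what the two string comparisons were for. A comparison that does not depend on name formatting would keep the check on every platform, for example `if (!Arrays.equals(x509.getEncoded(), peer.getEncoded())) { fail("local and peer certificate differ"); }`, since both certificate classes expose `getEncoded()`. That needs `java.util.Arrays` and handling for the two encoding exceptions; whether the surrounding try block already catches them is not visible in this hunk.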
+++ b/IDE/Android/.idea/gradle.xml @@ -1,13 +1,18 @@ + diff --git a/IDE/Android/.idea/jarRepositories.xml b/IDE/Android/.idea/jarRepositories.xml new file mode 100644 index 00000000..a5f05cd8 --- /dev/null +++ b/IDE/Android/.idea/jarRepositories.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/IDE/Android/.idea/misc.xml b/IDE/Android/.idea/misc.xml index 37a75096..860da66a 100644 --- a/IDE/Android/.idea/misc.xml +++ b/IDE/Android/.idea/misc.xml @@ -1,6 +1,6 @@ - + diff --git a/IDE/Android/.idea/runConfigurations.xml b/IDE/Android/.idea/runConfigurations.xml deleted file mode 100644 index 7f68460d..00000000 --- a/IDE/Android/.idea/runConfigurations.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt index 07e2b338..9f3a1b78 100644 --- a/IDE/Android/app/src/main/cpp/CMakeLists.txt +++ b/IDE/Android/app/src/main/cpp/CMakeLists.txt 
@@ -6,12 +6,18 @@ cmake_minimum_required(VERSION 3.4.1) # Add preprocessor defines to CFLAGS -add_definitions(-DWOLFSSL_JNI -DWOLFSSL_DTLS -DOPENSSL_EXTRA -DHAVE_CRL -DHAVE_CRL_MONITOR - -DHAVE_OCSP -DPERSIST_SESSION_CACHE -DPERSIST_CERT_CACHE -DATOMIC_USER - -DHAVE_ECC -DTFM_ECC256 -DHAVE_PK_CALLBACKS -DHAVE_DH -DUSE_FAST_MATH - -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING -DTFM_NO_ASM - -DWOLFSSL_USER_IO -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN - ) +add_definitions(-DHAVE_FFDHE_2048 -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES + -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING -DHAVE_AESGCM + -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DHAVE_HKDF -DNO_DSA -DHAVE_ECC -DTFM_ECC256 + -DECC_SHAMIR -DWC_RSA_PSS -DWOLFSSL_BASE64_ENCODE -DNO_RC4 -DNO_HC128 -DNO_RABBIT + -DWOLFSSL_SHA224 -DWOLFSSL_SHA3 -DHAVE_POLY1305 -DHAVE_ONE_TIME_AUTH -DHAVE_CHACHA + -DHAVE_HASHDRBG -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES -DHAVE_EXTENDED_MASTER + -DHAVE_SNI -DHAVE_ALPN -DWOLFSSL_JNI -DWOLFSSL_DTLS -DOPENSSL_EXTRA -DOPENSSL_ALL + -DHAVE_EX_DATA -DHAVE_CRL -DHAVE_OCSP -DHAVE_CRL_MONITOR -DPERSIST_SESSION_CACHE + -DPERSIST_CERT_CACHE -DATOMIC_USER -DHAVE_PK_CALLBACKS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN + -DHAVE_ENCRYPT_THEN_MAC -DNO_MD4 -DWOLFSSL_ENCRYPTED_KEYS -DUSE_FAST_MATH -DNO_DES3 + -DKEEP_PEER_CERT -DSESSION_CERTS -DHAVE_SESSION_TICKET -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8 + -DTFM_NO_ASM) # set wolfSSL JNI location as environment variable, change if needed set(wolfssljni_DIR ${CMAKE_SOURCE_DIR}/../../../../../../) @@ -31,6 +37,7 @@ add_library(wolfssl SHARED ${wolfssl_DIR}/wolfcrypt/src/asm.c ${wolfssl_DIR}/wolfcrypt/src/asn.c ${wolfssl_DIR}/wolfcrypt/src/blake2b.c + ${wolfssl_DIR}/wolfcrypt/src/blake2s.c ${wolfssl_DIR}/wolfcrypt/src/camellia.c ${wolfssl_DIR}/wolfcrypt/src/chacha.c ${wolfssl_DIR}/wolfcrypt/src/chacha20_poly1305.c 
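Review bot: `-DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8` in `add_definitions()` is applied to every ABI this project builds, but `long` is 8 bytes on the 64-bit Android ABIs, so the hard-coded value is only right for 32-bit targets; how much wolfSSL depends on it is not visible here. Letting CMake compute it per ABI is safer: `include(CheckTypeSize)`, `check_type_size("long" SIZEOF_LONG)`, then `-DSIZEOF_LONG=${SIZEOF_LONG}`. `-DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES` appears twice in the list and one pair can go. The list turns off RC4, 3DES, MD4 and DSA but, as far as I can tell, leaves TLS 1.1 compiled in; if this example is meant as a baseline for applications, `-DNO_OLD_TLS` is worth considering, provided the test suites do not rely on the older protocol.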
@@ -38,16 +45,22 @@ add_library(wolfssl SHARED ${wolfssl_DIR}/wolfcrypt/src/coding.c ${wolfssl_DIR}/wolfcrypt/src/compress.c ${wolfssl_DIR}/wolfcrypt/src/cpuid.c + ${wolfssl_DIR}/wolfcrypt/src/cryptocb.c ${wolfssl_DIR}/wolfcrypt/src/curve25519.c + ${wolfssl_DIR}/wolfcrypt/src/curve448.c ${wolfssl_DIR}/wolfcrypt/src/des3.c ${wolfssl_DIR}/wolfcrypt/src/dh.c ${wolfssl_DIR}/wolfcrypt/src/dsa.c ${wolfssl_DIR}/wolfcrypt/src/ecc.c ${wolfssl_DIR}/wolfcrypt/src/ecc_fp.c + ${wolfssl_DIR}/wolfcrypt/src/eccsi.c ${wolfssl_DIR}/wolfcrypt/src/ed25519.c + ${wolfssl_DIR}/wolfcrypt/src/ed448.c ${wolfssl_DIR}/wolfcrypt/src/error.c + ${wolfssl_DIR}/wolfcrypt/src/fe_448.c ${wolfssl_DIR}/wolfcrypt/src/fe_low_mem.c ${wolfssl_DIR}/wolfcrypt/src/fe_operations.c + ${wolfssl_DIR}/wolfcrypt/src/ge_448.c ${wolfssl_DIR}/wolfcrypt/src/ge_low_mem.c ${wolfssl_DIR}/wolfcrypt/src/ge_operations.c ${wolfssl_DIR}/wolfcrypt/src/hash.c @@ -55,6 +68,7 @@ add_library(wolfssl SHARED ${wolfssl_DIR}/wolfcrypt/src/hmac.c ${wolfssl_DIR}/wolfcrypt/src/idea.c ${wolfssl_DIR}/wolfcrypt/src/integer.c + ${wolfssl_DIR}/wolfcrypt/src/kdf.c ${wolfssl_DIR}/wolfcrypt/src/logging.c ${wolfssl_DIR}/wolfcrypt/src/md2.c ${wolfssl_DIR}/wolfcrypt/src/md4.c 
@@ -66,28 +80,41 @@ add_library(wolfssl SHARED ${wolfssl_DIR}/wolfcrypt/src/pwdbased.c ${wolfssl_DIR}/wolfcrypt/src/rabbit.c ${wolfssl_DIR}/wolfcrypt/src/random.c + ${wolfssl_DIR}/wolfcrypt/src/rc2.c ${wolfssl_DIR}/wolfcrypt/src/ripemd.c ${wolfssl_DIR}/wolfcrypt/src/rsa.c - ${wolfssl_DIR}/wolfcrypt/src/sha.c + ${wolfssl_DIR}/wolfcrypt/src/sakke.c ${wolfssl_DIR}/wolfcrypt/src/sha256.c ${wolfssl_DIR}/wolfcrypt/src/sha3.c ${wolfssl_DIR}/wolfcrypt/src/sha512.c + ${wolfssl_DIR}/wolfcrypt/src/sha.c ${wolfssl_DIR}/wolfcrypt/src/signature.c + ${wolfssl_DIR}/wolfcrypt/src/sp_arm32.c + ${wolfssl_DIR}/wolfcrypt/src/sp_arm64.c + ${wolfssl_DIR}/wolfcrypt/src/sp_armthumb.c + ${wolfssl_DIR}/wolfcrypt/src/sp_c32.c + ${wolfssl_DIR}/wolfcrypt/src/sp_c64.c + ${wolfssl_DIR}/wolfcrypt/src/sp_cortexm.c + ${wolfssl_DIR}/wolfcrypt/src/sp_dsp32.c + ${wolfssl_DIR}/wolfcrypt/src/sp_int.c + ${wolfssl_DIR}/wolfcrypt/src/sp_x86_64.c ${wolfssl_DIR}/wolfcrypt/src/srp.c ${wolfssl_DIR}/wolfcrypt/src/tfm.c + ${wolfssl_DIR}/wolfcrypt/src/wc_dsp.c ${wolfssl_DIR}/wolfcrypt/src/wc_encrypt.c + ${wolfssl_DIR}/wolfcrypt/src/wc_pkcs11.c ${wolfssl_DIR}/wolfcrypt/src/wc_port.c ${wolfssl_DIR}/wolfcrypt/src/wolfevent.c ${wolfssl_DIR}/wolfcrypt/src/wolfmath.c ${wolfssl_DIR}/src/crl.c ${wolfssl_DIR}/src/internal.c - ${wolfssl_DIR}/src/wolfio.c ${wolfssl_DIR}/src/keys.c ${wolfssl_DIR}/src/ocsp.c ${wolfssl_DIR}/src/sniffer.c ${wolfssl_DIR}/src/ssl.c - ${wolfssl_DIR}/src/tls.c ${wolfssl_DIR}/src/tls13.c + ${wolfssl_DIR}/src/tls.c + ${wolfssl_DIR}/src/wolfio.c ) # set_target_properties(wolfssl PROPERTIES LIBRARY_OUTPUT_DIRECTORY 
@@ -97,12 +124,14 @@ add_library(wolfssl SHARED # wolfSSL JNI Java files are tied into build in Module build.gradle file add_library(wolfssljni SHARED ${wolfssljni_DIR}/native/com_wolfssl_wolfcrypt_ECC.c + ${wolfssljni_DIR}/native/com_wolfssl_wolfcrypt_EccKey.c ${wolfssljni_DIR}/native/com_wolfssl_wolfcrypt_RSA.c ${wolfssljni_DIR}/native/com_wolfssl_WolfSSL.c - ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLContext.c - ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLSession.c ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLCertificate.c ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLCertManager.c + ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLContext.c + ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLSession.c + ${wolfssljni_DIR}/native/com_wolfssl_WolfSSLX509StoreCtx.c ) # set_target_properties(wolfssljni PROPERTIES LIBRARY_OUTPUT_DIRECTORY diff --git a/IDE/Android/build.gradle b/IDE/Android/build.gradle index e11a5b35..09988364 100644 --- a/IDE/Android/build.gradle +++ b/IDE/Android/build.gradle @@ -7,7 +7,7 @@ buildscript { } dependencies { - classpath 'com.android.tools.build:gradle:3.3.2' + classpath 'com.android.tools.build:gradle:4.2.2' // NOTE: Do not place your application dependencies here; they belong // in the individual module build.gradle files diff --git a/IDE/Android/gradle/wrapper/gradle-wrapper.properties b/IDE/Android/gradle/wrapper/gradle-wrapper.properties index 01b95c5b..2a5b1bf1 100644 --- a/IDE/Android/gradle/wrapper/gradle-wrapper.properties +++ b/IDE/Android/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ -#Thu Apr 11 15:51:35 MDT 2019 +#Thu Nov 04 15:51:08 MDT 2021 distributionBase=GRADLE_USER_HOME +distributionUrl=https\://services.gradle.org/distributions/gradle-6.9.1-bin.zip distributionPath=wrapper/dists -zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-4.10.1-all.zip +zipStoreBase=GRADLE_USER_HOME From a6af7b51af8eec18b24baef033e6169ff3077dc8 Mon Sep 17 00:00:00 2001 
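Review bot: In gradle-wrapper.properties the new `distributionUrl` points at gradle-6.9.1-bin.zip but the file carries no `distributionSha256Sum`, so the wrapper does not check the downloaded archive against a known checksum before running it. Adding `distributionSha256Sum=<SHA-256 of gradle-6.9.1-bin.zip as published by Gradle>` pins the build tool for everyone who opens the example project. The value shown is a placeholder; take the real one from the Gradle release checksums.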
From: Chris Conlon Date: Fri, 5 Nov 2021 12:40:04 -0600 Subject: [PATCH 03/12] update IDE/Android/README.md --- IDE/Android/README.md | 90 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 79 insertions(+), 11 deletions(-) diff --git a/IDE/Android/README.md b/IDE/Android/README.md index 6404d48f..1ca8212a 100644 --- a/IDE/Android/README.md +++ b/IDE/Android/README.md 
@@ -1,21 +1,43 @@ -This is an example of use with Android Studio. +# Android Studio Example Project -An emulation of Nexus 4 API 23 (Android 6.0, API 23) was used with testing and Android Studio IDE version 3.3.2 was used. +This is an example Android Studio project file for wolfssljni / wolfJSSE. This +project should be used for reference only. -Steps to run example: +Tool and version information used when testing this project: -1) On the Android device BKS format key stores are expected. To convert the JKS example bundles to BKS use the following commands: +- Ubuntu 20.04.3 LTS +- Android Studio Arctic Fox 2020.3.1 Patch 3 +- Android Gradle Plugin Version: 4.2.2 +- Gradle Version: 6.9.1 +- API 28: Android 9.0 (Pie) +- Emulator: Nexus 5X API 28 + +The following sections outline steps required to run this example on an +Android device or emulator. + +## Converting JKS to BKS for Android Use + +On the Android device BKS format key stores are expected. To convert the +JKS example bundles to BKS use the following commands. Note: you will need +to download a version of the bcprov JAR from the Bouncy Castle website: ``` cd examples/provider ./convert-to-bks.sh +``` -exmaple: +For exmaple, when using bcprov-ext-jdk15on-169.jar: + +``` cd examples/provider -./convert-to-bks.sh ~/Downloads/bcprov-jdk15on-161.jar +./convert-to-bks.sh ~/Downloads/bcprov-ext-jdk15on-169.jar ``` -2) Push BKS bundles up to the device along with certificates. To do this start up the emulator/device and use "adb push". An example of this would be the following commands from root wolfssljni directory: +## Push BKS to Android Device or Emulator + +Push BKS bundles up to the device along with certificates. To do this start +up the emulator/device and use `adb push`. An example of this would be the +following commands from root wolfssljni directory: ``` adb shell 
@@ -28,10 +50,56 @@ adb push ./examples/provider/*.bks /sdcard/examples/provider/ adb push ./examples/certs/ /sdcard/examples/ ``` -3) Add wolfssl source code for compiling. The project looks for the directory wolfssljni/IDE/Android/app/src/main/cpp/wolfssl for wolfSSL source code. This can be done multiple ways one being to download the latest release from wolfSSL's website, unzip it, rename it to wolfssl, and place it in the direcotry wolfssljni/IDE/Android/app/src/main/cpp/. Alternatively GitHub can be used with "cd /IDE/Android/app/src/main/cpp/ && git clone https://github.com/wolfssl/wolfssl". And the final method to be mentioned in this document is by creating a symbolic link to a wolfssl directory on the system by using "cd /IDE/Android/app/src/main/cpp/ && ln -s /path/to/local/wolfssl ./wolfssl". +## Add Native wolfSSL Library Source Code to Project + +This example project is already set up to compile and build the native +wolfSSL library source files, but the wolfSSL files themselves have not been +included in this package. You must download or link an appropriate version +of wolfSSL to this project using one of the options below. + +The project looks for the directory +`wolfssljni/IDE/Android/app/src/main/cpp/wolfssl` for wolfSSL source code. +This can added in multiple ways: + +- OPTION A: Download the latest wolfSSL library release from www.wolfssl.com, +unzip it, rename it to `wolfssl`, and place it in the direcotry +`wolfssljni/IDE/Android/app/src/main/cpp/`. 
+ +``` +$ unzip wolfssl-X.X.X.zip +$ mv wolfssl-X.X.X wolfssljni/IDE/Android/app/src/main/cpp/wolfssl +``` + +- OPTION B: Alternatively GitHub can be used to clone wolfSSL: + +``` +$ cd /IDE/Android/app/src/main/cpp/ +$ git clone https://github.com/wolfssl/wolfssl +$ cp wolfssl/options.h.in wolfssl/options.h +``` + +- OPTION C: A symbolic link to a wolfssl directory on the system by using: + +``` +$ cd /IDE/Android/app/src/main/cpp/ +$ ln -s /path/to/local/wolfssl ./wolfssl +``` + +## Importing and Building the Example Project with Android Studio + +4) Open the Android Studio project by double clicking on the `Android` folder +in wolfssljni/IDE/ + +5) Build the project and run MainActivity from app -> java/com/example.wolfssl. +This will ask for permissions to access the certificates in the /sdcard/ +directory and then print out the server certificate information on success. + +6) OPTIONAL: The androidTests can be run after permissions has been given. +app->java->com.wolfssl->provider.jsse.test->WolfSSLJSSETestSuite and +app->java->com.wolfssl->test->WolfSSLTestSuite -4) Open the Android studio project by double clicking on the Android folder in wolfssljni/IDE/ +## Support -5) Compile the project and run MainActivity from app -> java -> com -> example.wolfssl. This will ask for permissions to access the certificates in the /sdcard/ directory and then print out the server certificate information on success. +Please contact wolfSSL support at support@wolfssl.com with any questions or +feedback. -6) OPTIONAL : The androidTests can then be ran after permissions has been given. app->java->com.wolfssl->provider.jsse.test->WolfSSLJSSETestSuite and app->java->com.wolfssl->test->WolfSSLTestSuite \ No newline at end of file From 50627b436d82cd48d19bd0692b9c6b597ee388a3 Mon Sep 17 00:00:00 2001 
From: Chris Conlon Date: Fri, 5 Nov 2021 13:06:55 -0600 Subject: [PATCH 04/12] switch to a single README.md --- README | 185 --------------------------------------------------------- 1 file changed, 185 deletions(-) delete mode 100644 README diff --git a/README b/README deleted file mode 100644 index 1e578659..00000000 --- a/README +++ /dev/null 
@@ -1,185 +0,0 @@ - -wolfSSL JSSE Provider and JNI Wrapper - -This package provides both a wolfSSL Java JSSE provider (wolfJSSE), and a thin -JNI-based interface to the native wolfSSL embedded SSL/TLS library. These -provide Java applications with SSL/TLS support up to the current TLS 1.3 -protocol standard. - -Note 1) -The java.sh script uses a common location for the Java install location. -If your Java install location is different, this could lead to an error -when running java.sh. In this case, you should modify java.sh to match -your environment. - -Build options are : -- ant build (only builds the jar necessary for an app to use) -- ant test (builds the jar and tests then runs the tests, requires JUNIT setup) -- ant examples (builds the jar and example cases) -- ant clean (cleans all Java artifacts) -- ant cleanjni (cleans native artifacts) - - -Why use wolfSSL JSSE? - -This interface gives Java applications access to all the benefits of using -wolfSSL, including current SSL/TLS standards up to TLS 1.3, FIPS 140-2 support, -performance optimizations, hardware cryptography support, commercial support, -and more! 
- - -wolfSSL JNI Release 1.7.0 (01/15/2021) - -Release 1.7.0 has bug fixes and new features including: - -- Fixes for Infer analysis warnings -- Throw exception in DEFAULT_Context creation if engineInit() fails -- Defer creating DEFAULT WolfSSLContext until first use -- Check if Socket is open before doing TLS shutdown in WolfSSLSocket.close() -- Only load X509TrustStore issuers when needed by native wolfSSL verification -- Fix compiler warnings when used with older versions of native wolfSSL -- Verify and load intermediate CA certs in WolfSSLTrustX509.certManagerVerify() -- Add support for setSoTimeout() in WolfSSLSocket -- Fix suites length check in WolfSSLEngineHelper.setLocalCiphers() -- Check for connection closed before completing handshake in SSLSocket.read/write - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - - -************ wolfSSL JNI Release 1.6.0 (08/26/2020) - -Release 1.6.0 has bug fixes and new features including: - -- Support for custom TrustManager checkClientTrusted(), checkServerTrusted() -- wolfJSSE TrustManager registered as PKIX provider -- Improved support for auto-loading system CA certificates -- Improved Android TrustManager support -- Use AndroidCAStore KeyStore when available on Android -- Support for X509Certificate.getSubjectAlternativeNames() -- Fix for native memory leak in JSSE WolfSSLTrustX509 -- Optimization of WolfSSLTrustX509 to hold less memory at idle -- Addition of missing finalize() methods in some JSSE classes -- Casts to uintptr_t instead of intptr_t at native JNI level -- Conversion to use GetByteArrayElements for potential memory use savings -- Consistently use wolfCrypt XMALLOC/XFREE for native memory allocation -- Use javah in build.xml for older ant/Java versions without nativeheaderdir -- Add JSSE debug logging for native wolfSSL with wolfssl.debug system parameter -- Add more 
JSSE-level debug messages for easier troubleshooting -- Add internal implementation of SSLParameters, WolfSSLParameters -- Add client-side SNI support -- Fix warnings when DH is disabled (--disable-dh) -- Add Java thread ID to JSSE debug log messages for easier multithreaded debug -- Improve handshake synchronization in WolfSSLSocket for multi-threaded apps -- Add support for jsse.enableSNIExtension system property -- Add client-side session ticket support -- Add support for jdk.tls.client.enableSessionTicketExtension system property -- Enable session ticket and session cert support by default on Android AOSP -- Fixes compatibility with OkHttp on Android -- Add support for non-blocking socket operations in WolfSSLSession/Socket -- Moves I/O mutex locking to native level for more efficient locking - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - - -************ wolfSSL JNI Release 1.5.0 (01/17/2020) - -Release 1.5.0 has bug fixes and new features including: - -- New JSSE provider (wolfJSSE) including TLS 1.3 support! -- Add JSSE debug logging with wolfjsse.debug system parameter -- Add JSSE install script and helper files for Android AOSP -- Add JSSE example apps (examples/provider) -- Add JNI wrappers to detect if native features/protocols are compiled in -- Add JNI wrapper for PKCS#8 offset getter -- Add JNI wrapper for wolfSSL_get_ciphers_iana() -- Update build.xml to use nativeheaderdir instead of javah target -- Update tests to use junit-4.13 / hamcrest-all-1.3 -- Update to build, now ant build does not build and run tests / examples - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. 
- - -************ wolfSSL JNI Release 1.4.0 (11/16/2018) - -Release 1.4.0 has bug fixes and new features including: - -- Better support for conditional native wolfSSL feature dependencies -- Adds methods for checking if native features are enabled -- Optional method for loading native JNI library from a specific path -- TLS 1.0 functions are compiled out unless WOLFSSL_ALLOW_TLSV10 is defined -- Wrapper for native wolfCrypt ECC shared secret public key callback -- Allow other HmacSHA* hash types to be used in Atomic User callback examples -- Error string buffer size set to use WOLFSSL_MAX_ERROR_SZ -- Fix for RSA doSign() output length -- Fix for I/O, Atomic User, and Public Key callback registration in examples -- Updated example key and certificate files - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - - -************ wolfSSL JNI Release 1.3.0 (12/04/2015) - -Release 1.3.0 has bug fixes and new features including: - -- Updated support to wolfSSL 3.7.0 -- Added finalizers for WolfSSLContext and WolfSSLSession classes -- Fix for SSLv3 now disabled by default in wolfSSL proper -- SSLv3 now marked as @Deprecated -- PSK (pre-shared key) support for client and server -- Better error checking and exception handling -- New WolfSSLJNIException class -- WolfSSLSession now cached in native WOLFSSL struct for callbacks -- Easier inclusion of junit4 in build.xml - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. 
- - -************ wolfSSL JNI Release 1.2.0 (06/02/2015) - -Release 1.2.0 has bug fixes and new features including: - -- Updated support for wolfSSL 3.4.6 and CyaSSL to wolfSSL name change -- Benchmark functionality in example client -- Updated example certificates -- Better detection of Java home on Mac and Linux - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - - -************ wolfSSL JNI Release 1.1.0 (10/25/2013) - -Release 1.1.0 has bug fixes and new features including: - -- Updated support for CyaSSL 2.9.4 -- Updated example certificates and CRLs -- Now expects user to have JUnit JARs pre-installed on dev platform -- Updated unit tests, JUnit4 style -- Android support -- CRL monitor now optional in server mode - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - - -************ wolfSSL JNI Release 1.0.0 (10/25/2013) - -Release 1.0.0 is the first public release of wolfSSL JNI, the Java wrapper for -the CyaSSL embedded SSL library. - -The wolfSSL JNI Manual is available at: -http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build -instructions and more detailed comments, please check the manual. - From 01bce04aeb7b18ecbe622cda76e47d9d3c104432 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 5 Nov 2021 13:13:06 -0600 Subject: [PATCH 05/12] update README.md, add examples/README.md and examples/provider/README.md --- README.md | 169 ++++++++++++++++-- examples/README.md | 48 +++++ examples/provider/ClientSSLSocket.java | 7 +- examples/provider/MultiThreadedSSLClient.java | 4 +- examples/provider/README.md | 152 ++++++++++++++++ 5 files changed, 356 insertions(+), 24 deletions(-) create mode 100644 examples/README.md create mode 100644 examples/provider/README.md 
diff --git a/README.md b/README.md index 21a7a40e..3e7be079 100644 --- a/README.md +++ b/README.md 
@@ -1,25 +1,154 @@ # wolfSSL JSSE Provider and JNI Wrapper -This package provides both a wolfSSL Java JSSE provider (**wolfJSSE**), and a thin JNI-based interface to the native [wolfSSL embedded SSL/TLS library](https://www.wolfssl.com/products/wolfssl/). These provide Java applications with SSL/TLS support up to the current [TLS 1.3](https://www.wolfssl.com/tls13) protocol standard. +This package provides both a wolfSSL Java JSSE provider (**wolfJSSE**), and a +thin JNI-based interface to the native +[wolfSSL embedded SSL/TLS library](https://www.wolfssl.com/products/wolfssl/). +These provide Java applications with SSL/TLS support up to the current +[TLS 1.3](https://www.wolfssl.com/tls13) protocol standard. + +## Why use wolfJSSE? + +This interface gives Java applications access to all the benefits of using +wolfSSL, including current SSL/TLS standards up to +[TLS 1.3](https://www.wolfssl.com/tls13), +[FIPS 140-2 and 140-3](https://www.wolfssl.com/license/fips/) support, +performance optimizations, hardware cryptography support, +[commercial support](https://www.wolfssl.com/products/support-and-maintenance/), +and more! + +## User Manual + +The wolfSSL JNI/JSSE Manual is available on wolfssl.com: +[wolfSSL JNI Manual](https://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf). + +For additional build instructions and more detailed comments, please check +the manual. + +## Building ***Note 1)*** -The java.sh script uses a common location for the Java install location. If your Java install location is different, this could lead to an error when running java.sh. In this case, you should modify java.sh to match your environment. +The java.sh script uses a common location for the Java install location. If +your Java install location is different, this could lead to an error when +running java.sh. In this case, you should modify java.sh to match your +environment. 
Build targets for ant are : -* ant build (only builds the jar necessary for an app to use) -* ant test (builds the jar and tests then runs the tests, requires JUNIT setup) -* ant examples (builds the jar and example cases) -* ant clean (cleans all Java artifacts) -* ant cleanjni (cleans native artifacts) +* **ant build** (only builds the jar necessary for an app to use) +* **ant test** (builds the jar and tests then runs the tests, requires JUNIT setup) +* **ant examples** (builds the jar and example cases) +* **ant clean** (cleans all Java artifacts) +* **ant cleanjni** (cleans native artifacts) + +wolfJSSE currently supports compilation on Linux/Unix and Android. + +To build wolfJSSE on Linux, first download, compile, and install wolfSSL. +wolfSSL can be downloaded from the wolfSSL download page or cloned from +GitHub. + +``` +$ unzip wolfssl-X.X.X.zip +$ cd wolfssl-X.X.X +$ ./configure --enable-jni +$ make check +$ sudo make install +``` + +Then, to build wolfJSSE: + +``` +$ cd wolfssljni +$ ./java.sh +$ ant +$ ant test +``` + +To compile and run the examples, use the `ant examples` target: + +``` +$ ant examples +``` + +Then, run the examples from the root directory using the provided wrapper +scripts: + +``` +$ ./examples/provider/ServerJSSE.sh +$ ./examples/provider/ClientJSSE.sh +``` + +## Examples + +Examples of using wolfssljni can be found in the `./examples` subdirectory. +See [examples/README.md](./examples/README.md) for more details. + +Examples of using wolfJSSE can be found in the `./examples/provider` +subdirectory. See [examples/provider/README.md](./examples/provider/README.md) +for more details. -# Why use wolfSSL JSSE? 
+## Debugging -This interface gives Java applications access to all the benefits of using wolfSSL, including current SSL/TLS standards up to [TLS 1.3](https://www.wolfssl.com/tls13), [FIPS 140-2 and 140-3](https://www.wolfssl.com/license/fips/) support, performance optimizations, hardware cryptography support, [commercial support](https://www.wolfssl.com/products/support-and-maintenance/), and more! +wolfJSSE debug logging can be enabled by using `-Dwolfjsse.debug=true` at +runtime. -# Release Notes +wolfSSL native debug logging can be enabled by using `-Dwolfssl.debug=true` at +runtime, if native wolfSSL has been compiled with `--enable-debug`. -## wolfSSL JNI Release 1.7.0 (01/15/2021) +JDK debug logging can be enabled using the `-Djavax.net.debug=all` option. + +## Building for Android + +wolfSSL JNI and JSSE can be built and used on the Android platform, either +at the application-level or installed inside a modified version of the +Android AOSP at the system-level. + +### Android Application Level Usage + +An example Android Studio application is included in this package, to show +users how they could include the wolfSSL native and wolfSSL JNI/JSSE sources +in an Androi Studio application. For more details, see the Android Studio +project and README.md located in the [./IDE/Android](./IDE/Android) directory. + +Using wolfJSSE at the application level will allow developers to register +wolfJSSE as a Security provider at the application scope. The application can +they use the Java Security API for SSL/TLS operations which will then use the +underlying wolfJSSE provider (and subsequently native wolfSSL). + +Applications can add the wolfJSSE provider using: + +``` +import com.wolfssl.provider.jsse.WolfSSLProvider; +... +Security.addProvider(new WolfSSLProvider()); +``` + +To instead insert the WolfSSLProvider as the top priority provider: + +``` +import com.wolfssl.provider.jsse.WolfSSLProvider; +... 
+Security.insertProviderAt(new WolfSSLProvider(), 1); +``` + +There are also additional Android examples using wolfSSL JNI in the +[wolfssl-examples](https://github.com/wolfssl/wolfssl-examples/tree/master/android) repository. + +### Android AOSP System Level Installation + +wolfJSSE can be installed inside an Android AOSP build and registered at the +OS/system level. This will allow wolfJSSE to be registered as the highest +priority JSSE provider on Android, thus allowing any application using the +Java Security API to automatically use wolfJSSE and wolfSSL. + +For details on how to install wolfJSSE in Android AOSP, see the README located +in the [./platform/android_aosp](./platform/android_aosp) directory. + +Additional instructions can be found on the wolfSSL.com website: +[Installing a JSSE Provider in Android OSP](https://www.wolfssl.com/docs/installing-a-jsse-provider-in-android-osp/). + +## Release Notes + +### wolfSSL JNI Release 1.7.0 (01/15/2021) Release 1.7.0 has bug fixes and new features including: @@ -39,7 +168,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.6.0 (08/26/2020) +### wolfSSL JNI Release 1.6.0 (08/26/2020) Release 1.6.0 has bug fixes and new features including: @@ -76,7 +205,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.5.0 (01/17/2020) +### wolfSSL JNI Release 1.5.0 (01/17/2020) Release 1.5.0 has bug fixes and new features including: @@ -96,7 +225,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.4.0 (11/16/2018) +### wolfSSL JNI Release 1.4.0 (11/16/2018) Release 1.4.0 has bug fixes and new features including: 
@@ -116,7 +245,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.3.0 (12/04/2015) +### wolfSSL JNI Release 1.3.0 (12/04/2015) Release 1.3.0 has bug fixes and new features including: @@ -135,7 +264,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.2.0 (06/02/2015) +### wolfSSL JNI Release 1.2.0 (06/02/2015) Release 1.2.0 has bug fixes and new features including: @@ -149,7 +278,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.1.0 (10/25/2013) +### wolfSSL JNI Release 1.1.0 (10/25/2013) Release 1.1.0 has bug fixes and new features including: @@ -165,7 +294,7 @@ http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. -## wolfSSL JNI Release 1.0.0 (10/25/2013) +### wolfSSL JNI Release 1.0.0 (10/25/2013) Release 1.0.0 is the first public release of wolfSSL JNI, the Java wrapper for the CyaSSL embedded SSL library. @@ -174,3 +303,7 @@ The wolfSSL JNI Manual is available at: http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build instructions and more detailed comments, please check the manual. +## Support + +For support inquiries and feedback please contact support@wolfssl.com. + diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 00000000..cf48f3c7 --- /dev/null +++ b/examples/README.md 
@@ -0,0 +1,48 @@ + +# wolfSSL JNI Examples + +This directory contains examples for the wolfSSL thin JNI wrapper. To view +examples for the wolfSSL JSSE provider, look in the +[./examples/provider](./provider) directory. + +Examples should be run from the package root directory, and using the provided +wrapper scripts. The wrapper scripts set up the correct environment variables +for use with the wolfjni jar included in the wolfssljni package. + +## Notes on Debug and Logging + +wolfJSSE debug logging can be enabled by using `-Dwolfjsse.debug=true` at +runtime. + +wolfSSL native debug logging can be enabled by using `-Dwolfssl.debug=true` at +runtime, if native wolfSSL has been compiled with `--enable-debug`. + +JDK debug logging can be enabled using the `-Djavax.net.debug=all` option. + +## wolfSSL JNI Example Client and Server + +Example client/server applications that use wolfSSL JNI: + +**Server.java** - Example wolfSSL JNI server \ +**Client.java** - Example wolfSSL JNI client + +These examples can be run with the provided bash scripts: + +``` +$ cd +$ ./examples/server.sh +$ ./examples/client.sh +``` + +To view usage and available options for the examples, use the `-?` +argument: + +``` +$ ./examples/server.sh --help +``` + +## Support + +Please contact the wolfSSL support team at support@wolfssl.com with any +questions or feedback. + diff --git a/examples/provider/ClientSSLSocket.java b/examples/provider/ClientSSLSocket.java index 2acfcfbe..8acc7eda 100644 --- a/examples/provider/ClientSSLSocket.java +++ b/examples/provider/ClientSSLSocket.java 
@@ -36,13 +36,12 @@ * The wrapper script enables javax.net logging, by defining: * -Djavax.net.debug=all * - * Example usag for connecting to the wolfSSL example server is: + * Example usage for connecting to the wolfSSL example server is: * * $ ./examples/provider/ClientSSLSocket.sh 127.0.0.1 11111 \ - * ./examples/provider/client.jks ./examples/provider/cacerts.jks + * ./examples/provider/client.jks ./examples/provider/client.jks * - * The password for both client.jks and cacerts.jks is: - * "wolfSSL test" + * The password for client.jks is: "wolfSSL test" */ import java.io.*; diff --git a/examples/provider/MultiThreadedSSLClient.java b/examples/provider/MultiThreadedSSLClient.java index 38b62de9..9e43cb6d 100644 --- a/examples/provider/MultiThreadedSSLClient.java +++ b/examples/provider/MultiThreadedSSLClient.java @@ -39,12 +39,12 @@ * Example usage: * * $ ant examples - * $ ./examples/provider/MultiThreadedSSLClient.java + * $ ./examples/provider/MultiThreadedSSLClient.sh * * This example is designed to connect against the MultiThreadedSSLServer * example: * - * $ ./examples/provider/MultiThreadedSSLServer.java + * $ ./examples/provider/MultiThreadedSSLServer.sh * * This example also prints out average SSL/TLS handshake time, which is * measured in milliseconds on the "startHandshake()" API call. diff --git a/examples/provider/README.md b/examples/provider/README.md new file mode 100644 index 00000000..6b9a2998 --- /dev/null +++ b/examples/provider/README.md 
@@ -0,0 +1,152 @@ + +# wolfJSSE Provider Examples + +This directory contains examples for the wolfSSL JSSE provider (wolfJSSE). + +Examples should be run from the package root directory, and using the provided +wrapper scripts. The wrapper scripts set up the correct environment variables +for use with the wolfJSSE provider included in the wolfssljni package. For +example to run the example JSSE server and client, after compiling wolfSSL and +wolfssljni: + +``` +$ cd +$ ./examples/provider/ServerJSSE.sh +$ ./examples/provider/ClientJSSE.sh +``` + +## Notes on Debug and Logging + +wolfJSSE debug logging can be enabled by using `-Dwolfjsse.debug=true` at +runtime. + +wolfSSL native debug logging can be enabled by using `-Dwolfssl.debug=true` at +runtime, if native wolfSSL has been compiled with `--enable-debug`. + +JDK debug logging can be enabled using the `-Djavax.net.debug=all` option. + +## wolfJSSE Example Client and Server + +Example client/server applications that use wolfJSSE along with the SSLSocket +API. + +**ServerJSSE.java** - Example wolfJSSE server \ +**ClientJSSE.java** - Example wolfJSSE client + +These examples can be run with the provided bash scripts: + +``` +$ ./examples/provider/ServerJSSE.sh +$ ./examples/provider/ClientJSSE.sh +``` + +## ClientSSLSocket.java + +Very minimal JSSE client example using SSLSocket. Does not support all the +options that ClientJSSE.java does. + +Example usage is: + +``` +$ ./examples/provider/ClientSSLSocket.sh [host] [port] [keystore] [truststore] +``` + +Example usage for connecting to the wolfSSL example server is: + +``` +$ ./examples/provider/ClientSSLSocket.sh 127.0.0.1 11111 \ + ./examples/provider/client.jks ./examples/provider/client.jks +``` + +The password for client.jks is: "wolfSSL test" + +## MultiThreadedSSLClient.java + +Multi threaded SSLSocket example that connects a specified number of client +threads to a server. Intended to test multi-threading with wolfJSSE. 
+ +This example creates a specified number of client threads to a server located +at 127.0.0.1:11118. This example is set up to use the SSLSocket class. It makes +one connection (handshake), sends/receives data, and shuts down. + +A random amount of time is injected into each client thread before: + + 1) The SSL/TLS handshake + 2) Doing I/O operations after the handshake + +The maximum amount of sleep time for each of those is "maxSleep", or 3 seconds +by default. This is intended to add some randomness into the the client thread +operations. + +Example usage: + +``` +$ ant examples +$ ./examples/provider/MultiThreadedSSLClient.sh -n +``` + +This example is designed to connect against the MultiThreadedSSLServer example: + +``` +$ ./examples/provider/MultiThreadedSSLServer.sh +``` + +This example also prints out average SSL/TLS handshake time, which is measured +in milliseconds on the "startHandshake()" API call. + +## MultiThreadedSSLServer.java + +SSLServerSocket example that creates a new thread per client connection. + +This server waits in an infinite loop for client connections, and when connected +creates a new thread for each connection. This example is compiled when +`ant examples` is run in the package root. + +``` +$ ant examples +$ ./examples/provider/MultiThreadedSSLServer.sh +``` + +For multi threaded client testing, test against MultiThreadedSSLClient.sh. +For example, to connect 10 client threads: + +``` +$ ./examples/provider/MultiThreadedSSLClient.sh -n 10 +``` + +## ProviderTest.java + +This example tests the wolfSSL provider installation. It lists all providers +installed on the system, tries to look up the wolfSSL provider, and if +found, prints out the information about the wolfSSL provider. Finally, it tests +what provider is registered to provide TLS to Java. + +This app can be useful for testing if wolfJSSE has been installed +correctly at the system level. 
+ +``` +$ ./examples/provider/ProviderTest.sh +``` + +Note, if wolfJSSE has not been installed at the OS system level, wolfJSSE +will not show up as an installed provider when this example is run. + +## ThreadedSSLSocketClientServer.java + +SSLSocket example that connects a client thread to a server thread. + +This example creates two threads, one server and one client. The examples +are set up to use the SSLSocket and SSLServerSocket classes. They make +one connection (handshake) and shut down. + +Example usage: + +``` +$ ./examples/provider/ThreadedSSLSocketClientServer.sh +``` + +## Support + +Please contact the wolfSSL support team at support@wolfssl.com with any +questions or feedback. + From 2b402959bcecda23f10e54371430c935149a8470 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 10 Nov 2021 13:43:03 -0700 Subject: [PATCH 06/12] add WolfSSL.getCiphersAvailableIana(), use to set default cipher suites in JSSE WolfSSLContext --- native/com_wolfssl_WolfSSL.c | 149 ++++++++++++++++++ native/com_wolfssl_WolfSSL.h | 8 + src/java/com/wolfssl/WolfSSL.java | 35 +++- src/java/com/wolfssl/WolfSSLCustomUser.java | 3 +- .../provider/jsse/WolfSSLAuthStore.java | 10 +- .../wolfssl/provider/jsse/WolfSSLContext.java | 12 +- src/test/com/wolfssl/test/WolfSSLTest.java | 19 ++- 7 files changed, 220 insertions(+), 16 deletions(-) diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c index edcc5a9e..05335927 100644 --- a/native/com_wolfssl_WolfSSL.c +++ b/native/com_wolfssl_WolfSSL.c 
@@ -1048,6 +1048,155 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getEnabledCipherSuitesIana return retString; } +/* Returns list of available cipher suites in IANA format. Uses + * wolfSSL_get_ciphers_compat() in order to get a prioritized list. Normal + * wolfSSL_get_ciphers() returns list of compiled-in cipher suites, but not + * in same priority order that would be set during a normal connection. + * + * @param protocolVersion protocol version that matches the Enum in + * src/java/com/wolfssl/WolfSSL.java: + * + * public static enum TLS_VERSION { + * INVALID, (0) + * TLSv1, (1) + * TLSv1_1, (2) + * TLSv1_2, (3) + * TLSv1_3, (4) + * SSLv23 (5) + * } + * @returns colon-separated cipher suite string. + */ +JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana + (JNIEnv* jenv, jclass jcl, jint protocolVersion) +{ + char cipherList[4096]; + int i = 0; + int numCiphers = 0; +#if defined(WOLFSSL_CIPHER_INTERNALNAME) || defined(NO_ERROR_STRINGS) || \ + defined(WOLFSSL_QT) + int ret = 0; + int flags; + byte cipherSuite0; + byte cipherSuite; +#endif + const char* cipherName = NULL; + const char* ianaName = NULL; + WOLFSSL_METHOD* method = NULL; + + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + + STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; + const SSL_CIPHER* cipher = NULL; + + jstring retString; + (void)jcl; + + if (jenv == NULL) { + return NULL; + } + + if (protocolVersion < 0 || protocolVersion > 5) { + printf("Input protocol version invalid: %d\n", protocolVersion); + return NULL; + } + + XMEMSET(cipherList, 0, sizeof(cipherList)); + + switch (protocolVersion) { +#ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_TLSV10 + case 1: + method = wolfTLSv1_client_method(); + break; + #endif + case 2: + method = wolfTLSv1_1_client_method(); + break; +#endif /* NO_OLD_TLS */ +#ifndef WOLFSSL_NO_TLS12 + case 3: + method = wolfTLSv1_2_client_method(); + break; +#endif +#ifdef WOLFSSL_TLS13 + case 4: + method = wolfTLSv1_3_client_method(); + 
break; +#endif + case 5: + method = wolfSSLv23_client_method(); + break; + default: + printf("Input protocol version invalid: %d\n", protocolVersion); + return NULL; + } + + /* create temporary WOLFSSL_CTX and WOLFSSL structs to get expected + * available cipher list */ + ctx = wolfSSL_CTX_new(method); + if (ctx == NULL) { + return NULL; + } + + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + wolfSSL_CTX_free(ctx); + return NULL; + } + + supportedCiphers = wolfSSL_get_ciphers_compat(ssl); + if (supportedCiphers == NULL) { + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + return NULL; + } + + numCiphers = sk_num(supportedCiphers); + + for (i = 0; i < numCiphers; i++) { + cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i); + if (cipher != NULL) { + cipherName = wolfSSL_CIPHER_get_name(cipher); + + #if defined(WOLFSSL_CIPHER_INTERNALNAME) || \ + defined(NO_ERROR_STRINGS) || defined(WOLFSSL_QT) + /* CIPHER_get_name() returns internal cipher format in this case, + * need to convert to IANA format next */ + ret = wolfSSL_get_cipher_suite_from_name(cipherName, + &cipherSuite0, &cipherSuite, &flags); + if (ret == 0) { + ianaName = wolfSSL_get_cipher_name_iana_from_suite( + cipherSuite0, cipherSuite); + } + #else + /* cipherName already in IANA format */ + ianaName = cipherName; + #endif + if (ianaName != NULL) { + /* colon separated list */ + if (i != 0 && (XSTRLEN(cipherList) + 1) < sizeof(cipherList)) { + XSTRNCAT(cipherList, ":", 1); + } + if ((XSTRLEN(ianaName) + XSTRLEN(cipherList) + 1) < + sizeof(cipherList)) { + XSTRNCAT(cipherList, ianaName, XSTRLEN(ianaName)); + } + } + } + /* reset ianaName to NULL for next loop */ + ianaName = NULL; + } + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + + /* build and return Java String from cipherList array */ + retString = (*jenv)->NewStringUTF(jenv, cipherList); + + return retString; +} + JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_isEnabledCRL (JNIEnv* jenv, jclass jcl) { 
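Review bot: In the loop that builds `cipherList`, the ':' separator is keyed on `i != 0` and is appended under a separate length check from the name, so the list can come out malformed. If entry 0 is skipped (a NULL `cipher`, or a name lookup that leaves `ianaName` NULL), the string starts with ':' and the Java-side `split(":")` yields an empty first suite name. If the buffer is nearly full, the ':' is written and the name is dropped, so the list is truncated with no diagnostic. Because this string becomes the default enabled cipher suite list, the separator and name should be appended together or not at all, keyed on whether the buffer already holds data, as sketched below. The new function is complete within this hunk.

```c
        /* ... unchanged: cipher lookup and IANA name conversion ... */
        if (ianaName != NULL) {
            size_t used = XSTRLEN(cipherList);
            size_t need = XSTRLEN(ianaName) + ((used != 0) ? 1 : 0);

            /* append separator and name together, or neither */
            if ((used + need) < sizeof(cipherList)) {
                if (used != 0) {
                    XSTRNCAT(cipherList, ":", 1);
                }
                XSTRNCAT(cipherList, ianaName, XSTRLEN(ianaName));
            }
            else {
                printf("Cipher suite list truncated at: %s\n", ianaName);
            }
        }
        /* ... unchanged: reset ianaName, free ssl/ctx, build jstring ... */
```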
diff --git a/native/com_wolfssl_WolfSSL.h b/native/com_wolfssl_WolfSSL.h index dd49cd61..90324590 100644 --- a/native/com_wolfssl_WolfSSL.h +++ b/native/com_wolfssl_WolfSSL.h @@ -331,6 +331,14 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getEnabledCipherSuites JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getEnabledCipherSuitesIana (JNIEnv *, jclass); +/* + * Class: com_wolfssl_WolfSSL + * Method: getAvailableCipherSuitesIana + * Signature: (I)Ljava/lang/String; + */ +JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana + (JNIEnv *, jclass, jint); + /* * Class: com_wolfssl_WolfSSL * Method: TLSv1Enabled diff --git a/src/java/com/wolfssl/WolfSSL.java b/src/java/com/wolfssl/WolfSSL.java index be982407..c5bf198d 100644 --- a/src/java/com/wolfssl/WolfSSL.java +++ b/src/java/com/wolfssl/WolfSSL.java @@ -34,6 +34,18 @@ */ public class WolfSSL { + /* If this enum is changed, also change switch statement cases in + * ./native/com_wolfssl_WolfSSL.c, + * Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana() */ + public static enum TLS_VERSION { + INVALID, + TLSv1, + TLSv1_1, + TLSv1_2, + TLSv1_3, + SSLv23 + } + /* ------------------ wolfSSL JNI error codes ----------------------- */ public final static int JNI_SESSION_UNAVAILABLE = -10001; @@ -286,6 +298,7 @@ public WolfSSL() throws WolfSSLException { static native String getEnabledCipherSuites(); static native String getEnabledCipherSuitesIana(); + static native String getAvailableCipherSuitesIana(int version); /* ------------------------- Java methods --------------------------- */ 
@@ -867,7 +880,9 @@ public static String[] getCiphers() { } /** - * Gets a list of all cipher suites supported and uses the format TLS_* + * Gets a list of all cipher suites supported by native wolfSSL and + * uses the format TLS_*. This list may not be in priority order. If + * priority order is desired, see getCiphersAvailableIana(). * @return list of all cipher suites supported */ public static String[] getCiphersIana() { @@ -880,6 +895,24 @@ public static String[] getCiphersIana() { return suiteArray; } + /** + * Gets a list of all cipher suites available for current native wolfSSL + * configuration and selected protocol level. In the format TLS_*. + * + * @param version protocol version for which to get cipher suites. + * @return list of cipher suites. + */ + public static String[] getCiphersAvailableIana(TLS_VERSION version) { + /* passing Enum as ordinal to JNI layer, see com_wolfssl_WolfSSL.c */ + String cipherSuites = getAvailableCipherSuitesIana(version.ordinal()); + if (cipherSuites == null) + return null; + + String[] suiteArray = cipherSuites.split(":"); + + return suiteArray; + } + /* ------------------------- isEnabled methods -------------------------- */ /** diff --git a/src/java/com/wolfssl/WolfSSLCustomUser.java b/src/java/com/wolfssl/WolfSSLCustomUser.java index 5334ffe2..3ac9a791 100644 --- a/src/java/com/wolfssl/WolfSSLCustomUser.java +++ b/src/java/com/wolfssl/WolfSSLCustomUser.java @@ -1,4 +1,3 @@ - /* WolfSSLCustomUser.java * * Copyright (C) 2006-2021 wolfSSL Inc. @@ -22,7 +21,7 @@ package com.wolfssl.provider.jsse; import com.wolfssl.WolfSSL; -import com.wolfssl.provider.jsse.WolfSSLAuthStore.TLS_VERSION; +import com.wolfssl.WolfSSL.TLS_VERSION; /** * Base class is intended to give some customizing points. diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java index 20be8ea5..297bce46 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java 
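Review bot: `getCiphersAvailableIana()` returns a one-element array holding an empty string when the native call returns an empty list, because `"".split(":")` yields `[""]` in Java. The native function added in this commit returns an empty string whenever no suite name is appended, so the case looks reachable. The `ciphers.length == 0` check in `testGetCiphersAvailableIana()` and the `ctxAttr.list.length > 0` guard in `WolfSSLContext.createCtx()` would both accept `[""]` as a valid list. Adding `if (cipherSuites.isEmpty()) return new String[0];` after the null check closes this. A null `version` also throws at `version.ordinal()`, so the Javadoc should state that `version` must be non-null and that the method returns null when the native lookup fails.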
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java @@ -22,6 +22,7 @@ package com.wolfssl.provider.jsse; import com.wolfssl.WolfSSL; +import com.wolfssl.WolfSSL.TLS_VERSION; import com.wolfssl.WolfSSLSession; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; @@ -51,15 +52,6 @@ */ public class WolfSSLAuthStore { - static enum TLS_VERSION { - INVALID, - TLSv1, - TLSv1_1, - TLSv1_2, - TLSv1_3, - SSLv23 - } - private TLS_VERSION currentVersion = TLS_VERSION.INVALID; private X509KeyManager km = null; diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java b/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java index 51ea7038..d2505043 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java @@ -29,6 +29,8 @@ import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; +import java.util.List; +import java.util.Collections; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContextSpi; @@ -42,10 +44,10 @@ import javax.net.ssl.X509TrustManager; import com.wolfssl.WolfSSL; +import com.wolfssl.WolfSSL.TLS_VERSION; import com.wolfssl.WolfSSLException; import com.wolfssl.WolfSSLJNIException; import com.wolfssl.provider.jsse.WolfSSLAuthStore; -import com.wolfssl.provider.jsse.WolfSSLAuthStore.TLS_VERSION; /** * wolfSSL implementation of SSLContextSpi @@ -64,9 +66,13 @@ private WolfSSLContext(TLS_VERSION version) { private void createCtx() throws WolfSSLException { long method; + String[] ciphersIana = null; + + /* Get available wolfSSL cipher suites in IANA format */ + ciphersIana = WolfSSL.getCiphersAvailableIana(this.currentVersion); WolfSSLCustomUser ctxAttr = WolfSSLCustomUser.GetCtxAttributes - (this.currentVersion, WolfSSL.getCiphersIana()); + (this.currentVersion, ciphersIana); if(ctxAttr.version == TLS_VERSION.TLSv1 || ctxAttr.version == TLS_VERSION.TLSv1_1 || 
@@ -128,7 +134,7 @@ private void createCtx() throws WolfSSLException { } /* auto-populate enabled ciphersuites with supported ones */ - if(ctxAttr.list != null) { + if(ctxAttr.list != null && ctxAttr.list.length > 0) { params.setCipherSuites(ctxAttr.list); } else { params.setCipherSuites(WolfSSL.getCiphersIana()); diff --git a/src/test/com/wolfssl/test/WolfSSLTest.java b/src/test/com/wolfssl/test/WolfSSLTest.java index 64a3810c..3c8f4690 100644 --- a/src/test/com/wolfssl/test/WolfSSLTest.java +++ b/src/test/com/wolfssl/test/WolfSSLTest.java @@ -52,7 +52,7 @@ public void testWolfSSL() throws WolfSSLException { test_WolfSSL_new(lib); test_WolfSSL_protocol(); test_WolfSSL_Method_Allocators(lib); - + testGetCiphersAvailableIana(); } public void test_WolfSSL_new(WolfSSL lib) { @@ -111,5 +111,22 @@ public void tstMethod(long method, String name) { } System.out.println("\t\t... passed"); } + + public void testGetCiphersAvailableIana() { + System.out.print("\tgetCiphersAvailableIana()"); + + String[] ciphers = WolfSSL.getCiphersAvailableIana( + WolfSSL.TLS_VERSION.SSLv23); + if (ciphers == null) { + System.out.println("\t... failed"); + fail("available ciphers array was null"); + } + if (ciphers.length == 0) { + System.out.println("\t... failed"); + fail("available ciphers array length was zero"); + } + + System.out.println("\t... passed"); + } } From 6e0b59090f0b51e0bbd5c55ab8067ce485d76f3a Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 10 Nov 2021 16:05:52 -0700 Subject: [PATCH 07/12] fix FIPS Ready compatibility with WC_RNG_SEED_CB --- native/com_wolfssl_WolfSSL.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c index 05335927..c930064e 100644 --- a/native/com_wolfssl_WolfSSL.c +++ b/native/com_wolfssl_WolfSSL.c @@ -26,6 +26,7 @@ #include #include #include +#include #ifdef HAVE_FIPS #include #endif 
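Review bot: The `else` branch still falls back to `WolfSSL.getCiphersIana()`, which this commit's own Javadoc describes as possibly not in priority order, and which returns null when the native lookup fails. A failed or empty prioritized lookup therefore silently changes the default suite ordering, and `params.setCipherSuites()` may receive null (how it handles null is not visible here). I would mark the fallback with a comment such as `/* fall back to compiled-in list, not in priority order */` and emit a debug log line when it is taken. `createCtx()` starts and ends outside this hunk.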
@@ -63,6 +64,9 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_init (void)jenv; (void)jcl; +#ifdef WC_RNG_SEED_CB + wc_SetSeed_Cb(wc_GenerateSeed); +#endif return (jint)wolfSSL_Init(); } From b5286ced6f1632b73cbcbf3f24d4a83e775e78ea Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 11 Nov 2021 16:33:53 -0700 Subject: [PATCH 08/12] add kdf.c to Android AOSP Android.mk --- platform/android_aosp/wolfssl/Android.mk | 1 + 1 file changed, 1 insertion(+) diff --git a/platform/android_aosp/wolfssl/Android.mk b/platform/android_aosp/wolfssl/Android.mk index 2c95df01..a177e887 100644 --- a/platform/android_aosp/wolfssl/Android.mk +++ b/platform/android_aosp/wolfssl/Android.mk @@ -52,6 +52,7 @@ LOCAL_SRC_FILES+= \ ./wolfcrypt/src/hmac.c \ ./wolfcrypt/src/idea.c \ ./wolfcrypt/src/integer.c \ + ./wolfcrypt/src/kdf.c \ ./wolfcrypt/src/logging.c \ ./wolfcrypt/src/md2.c \ ./wolfcrypt/src/md4.c \ From f594800c232b3651cccda9a7490564a5695afb89 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 11 Nov 2021 17:17:53 -0700 Subject: [PATCH 09/12] update README for 1.8.0 release --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index 3e7be079..0bc75106 100644 --- a/README.md +++ b/README.md 
@@ -148,6 +148,41 @@ Additional instructions can be found on the wolfSSL.com website: ## Release Notes +### wolfSSL JNI Release 1.8.0 (11/12/2021) + +Release 1.8.0 has bug fixes and new features including: + +* Add Socket method wrappers, fixes behavior when inner Socket used with JSSE +* Add wrappers to get FIPS verifyCore hash (FIPS error cb or directly) +* Fix potential NullPointerException with several clone() methods +* Refactor of SSLSessionContext implementation +* Fix behavior of WolfSSLSocket.getSoTimeout() when external Socket is wrapped +* Fix timeout used in socketSelect to correctly handle fractional sec timeouts +* Fix memory leak when custom X509TrustManager is used with wolfJSSE +* Add support for multiple X509TrustManager objects across multiple sessions +* Call WolfSSL.cleanup() in finalizer to release library resources earlier +* Release native WOLFSSL memory sooner, when WolfSSLSocket is closed +* Better management and freeing of native WolfSSLCertificate memory +* Release native logging callback when library is freed +* Release native wolfCrypt FIPS callback when library is freed +* Release CTX-level Java verify callback when CTX is freed +* Release CTX-level Java CRL callback when CTX is freed +* Better global reference cleanup in error conditions +* Fix unused variable warnings in non-FIPS builds +* Use one static WolfSSL object across all WolfSSLProvider objects +* Release local JNI array inside WolfSSLSession.read() on function exit +* Add multi-threaded JSSE provider client and server examples +* Update Android AOSP install script to create missing blank files if needed +* Update Android AOSP build fies to define `SIZEOF_LONG` and `SIZEOF_LONG_LONG` +* Update IDE/Android example Android Studio project +* Fix default cipher suite list order used in JSSE WolfSSLContext objects +* Fix FIPS Ready compatibility with `WC_RNG_SEED_CB` +* Update Android AOSP Android.mk to compile wolfCrypt kdf.c + +The wolfSSL JNI Manual is available at: 
+http://www.wolfssl.com/documentation/wolfSSL-JNI-Manual.pdf. For build +instructions and more detailed comments, please check the manual. + ### wolfSSL JNI Release 1.7.0 (01/15/2021) Release 1.7.0 has bug fixes and new features including: From 202aa77ff4e0f4374b2b6aa47e6fa409bc975682 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 12 Nov 2021 14:27:19 -0700 Subject: [PATCH 10/12] run FIPS 140-3 CAST up front on library load if needed --- native/com_wolfssl_WolfSSL.c | 104 ++++++++++++++++++++++++++++++++++- 1 file changed, 102 insertions(+), 2 deletions(-) diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c index c930064e..bd5ef9ad 100644 --- a/native/com_wolfssl_WolfSSL.c +++ b/native/com_wolfssl_WolfSSL.c 
@@ -64,10 +64,110 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_init (void)jenv; (void)jcl; + int ret = 0; + #ifdef WC_RNG_SEED_CB - wc_SetSeed_Cb(wc_GenerateSeed); + ret = wc_SetSeed_Cb(wc_GenerateSeed); + if (ret != 0) { + printf("wc_SetSeed_Cb() failed"); + } #endif - return (jint)wolfSSL_Init(); + +#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5) + /* run FIPS 140-3 conditional algorithm self tests early to prevent + * multi threaded issues later on */ + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_AES_CBC); + if (ret != 0) { + printf("AES-CBC CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_AES_GCM); + if (ret != 0) { + printf("AES-GCM CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA1); + if (ret != 0) { + printf("HMAC-SHA1 CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_256); + if (ret != 0) { + printf("HMAC-SHA2-256 CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_512); + if (ret != 0) { + printf("HMAC-SHA2-512 CAST failed"); + } + } + + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA3_256); + if (ret != 0) { + printf("HMAC-SHA3-256 CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_DRBG); + if (ret != 0) { + printf("Hash_DRBG CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_RSA_SIGN_PKCS1v15); + if (ret != 0) { + printf("RSA sign CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z); + if (ret != 0) { + printf("ECC Primitive Z CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z); + if (ret != 0) { + printf("DH Primitive Z CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_ECDSA); + if (ret != 0) { + printf("ECDSA CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS12); + if (ret != 0) { + 
printf("KDF TLSv1.2 CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS13); + if (ret != 0) { + printf("KDF TLSv1.3 CAST failed"); + } + } + if (ret == 0) { + ret = wc_RunCast_fips(FIPS_CAST_KDF_SSH); + if (ret != 0) { + printf("KDF SSHv2.0 CAST failed"); + } + } +#endif + + if (ret == 0) { + return (jint)wolfSSL_Init(); + } else { + return (jint)WOLFSSL_FAILURE; + } } /* used in unit tests */ From 7bbdbee5284cfa16dc0709fdd33516b36cf0ba65 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 12 Nov 2021 14:34:45 -0700 Subject: [PATCH 11/12] return String[] directly from WolfSSL.java cipher suite getters --- src/java/com/wolfssl/WolfSSL.java | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/src/java/com/wolfssl/WolfSSL.java b/src/java/com/wolfssl/WolfSSL.java index c5bf198d..8085c5c5 100644 --- a/src/java/com/wolfssl/WolfSSL.java +++ b/src/java/com/wolfssl/WolfSSL.java @@ -874,9 +874,7 @@ public static String[] getCiphers() { if (cipherSuites == null) return null; - String[] suiteArray = cipherSuites.split(":"); - - return suiteArray; + return cipherSuites.split(":"); } /** @@ -890,9 +888,7 @@ public static String[] getCiphersIana() { if (cipherSuites == null) return null; - String[] suiteArray = cipherSuites.split(":"); - - return suiteArray; + return cipherSuites.split(":"); } /** @@ -908,9 +904,7 @@ public static String[] getCiphersAvailableIana(TLS_VERSION version) { if (cipherSuites == null) return null; - String[] suiteArray = cipherSuites.split(":"); - - return suiteArray; + return cipherSuites.split(":"); } /* ------------------------- isEnabled methods -------------------------- */ From a4f1447d998a00bcfc11c8f7bafc43dc3e2d1e22 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 12 Nov 2021 14:47:26 -0700 Subject: [PATCH 12/12] add FIPS 140-3 compatibility to 1.8.0 release notes --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0bc75106..ac7b66ef 100644 
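Review bot: Each CAST failure path prints a fixed string with `printf()`, with no trailing newline and no error code, and the function then returns `WOLFSSL_FAILURE`, so the value from `wc_RunCast_fips()` that says why a self-test failed is lost. In a FIPS 140-3 deployment that code is what an operator needs to diagnose a module that refuses to start. The fourteen near-identical blocks could be one table-driven loop that reports the test name and the return code, as sketched below. The start of `Java_com_wolfssl_WolfSSL_init` is outside the hunk.

```c
/* ... unchanged: (void) casts, ret declaration, wc_SetSeed_Cb() block ... */
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5)
    /* run FIPS 140-3 conditional algorithm self tests early to prevent
     * multi threaded issues later on */
    {
        static const struct {
            int         id;
            const char* name;
        } casts[] = {
            { FIPS_CAST_AES_CBC,           "AES-CBC" },
            { FIPS_CAST_AES_GCM,           "AES-GCM" },
            { FIPS_CAST_HMAC_SHA1,         "HMAC-SHA1" },
            { FIPS_CAST_HMAC_SHA2_256,     "HMAC-SHA2-256" },
            { FIPS_CAST_HMAC_SHA2_512,     "HMAC-SHA2-512" },
            { FIPS_CAST_HMAC_SHA3_256,     "HMAC-SHA3-256" },
            { FIPS_CAST_DRBG,              "Hash_DRBG" },
            { FIPS_CAST_RSA_SIGN_PKCS1v15, "RSA sign" },
            { FIPS_CAST_ECC_PRIMITIVE_Z,   "ECC Primitive Z" },
            { FIPS_CAST_DH_PRIMITIVE_Z,    "DH Primitive Z" },
            { FIPS_CAST_ECDSA,             "ECDSA" },
            { FIPS_CAST_KDF_TLS12,         "KDF TLSv1.2" },
            { FIPS_CAST_KDF_TLS13,         "KDF TLSv1.3" },
            { FIPS_CAST_KDF_SSH,           "KDF SSHv2.0" }
        };
        size_t i;

        for (i = 0; ret == 0 && i < sizeof(casts) / sizeof(casts[0]); i++) {
            ret = wc_RunCast_fips(casts[i].id);
            if (ret != 0) {
                /* keep the wolfCrypt error code in the diagnostic */
                printf("%s CAST failed: %d\n", casts[i].name, ret);
            }
        }
    }
#endif
/* ... unchanged: wolfSSL_Init() on success, WOLFSSL_FAILURE otherwise ... */
```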
--- a/README.md +++ b/README.md @@ -152,6 +152,7 @@ Additional instructions can be found on the wolfSSL.com website: Release 1.8.0 has bug fixes and new features including: +* wolfCrypt FIPS 140-3 and FIPS Ready compatibility * Add Socket method wrappers, fixes behavior when inner Socket used with JSSE * Add wrappers to get FIPS verifyCore hash (FIPS error cb or directly) * Fix potential NullPointerException with several clone() methods