* WiFiClientSecure: don't decrypt when testing for 'connected'
* WiFiClientSecure: don't trash unread decrypted data when writing
When application requests to write data, check if there is any unread
decrypted data left. If there is, don't write immediately, but save the
data to be written. When all decrypted data has been consumed by the
application, send out the saved outgoing data.
Fixes https://github.com/esp8266/Arduino/issues/2256.
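The deferral described in this commit message, as an added example: a toy client model (not the project's WiFiClientSecure code) with one plaintext buffer shared by decrypted input and outgoing records. `write()` parks its bytes while `available()` is non-zero and `read()` flushes the parked bytes once the last decrypted byte has been consumed. The class and method names, and the sample HTTP strings, are constructed for this illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Toy model of a TLS client whose single record buffer holds decrypted
// plaintext. Writing while that buffer still holds unread bytes would
// overwrite them, so writes are parked until the application drains it.
// Hypothetical class, not the library's own implementation.
class DeferredWriteClient {
public:
    // Simulates a decrypted record arriving from the peer.
    void receiveDecrypted(const std::string& plaintext) {
        rx_.assign(plaintext.begin(), plaintext.end());
        rxPos_ = 0;
    }

    size_t available() const { return rx_.size() - rxPos_; }

    // Returns -1 when nothing is buffered, mirroring Arduino Stream::read().
    int read() {
        if (available() == 0) return -1;
        int c = rx_[rxPos_++];
        if (available() == 0) flushPending();   // drained: release parked writes
        return c;
    }

    // Accepts every byte; either sends now or parks it for later.
    size_t write(const uint8_t* buf, size_t len) {
        if (available() > 0) {
            pending_.insert(pending_.end(), buf, buf + len);
            return len;
        }
        send(buf, len);
        return len;
    }

    size_t pendingBytes() const { return pending_.size(); }
    const std::vector<std::string>& sentRecords() const { return sent_; }

private:
    void flushPending() {
        if (!pending_.empty()) {
            send(pending_.data(), pending_.size());
            pending_.clear();
        }
    }
    void send(const uint8_t* buf, size_t len) {
        // Stand-in for encrypting into the shared buffer and writing the record.
        sent_.emplace_back(reinterpret_cast<const char*>(buf), len);
    }

    std::vector<uint8_t> rx_;
    size_t rxPos_ = 0;
    std::vector<uint8_t> pending_;
    std::vector<std::string> sent_;
};

struct Outcome {
    size_t pendingAfterWrite;
    size_t sentBeforeDrain;
    size_t sentAfterDrain;
    std::string firstSent;
};

// Scenario: a response is decrypted, the application writes the next
// request before reading it all, then drains the response.
Outcome runScenario() {
    DeferredWriteClient c;
    c.receiveDecrypted("HTTP/1.1 200 OK");          // constructed sample response
    const std::string req = "GET /next HTTP/1.1\r\n\r\n";  // constructed sample request
    c.write(reinterpret_cast<const uint8_t*>(req.data()), req.size());
    Outcome o{c.pendingBytes(), c.sentRecords().size(), 0, ""};
    while (c.read() != -1) {}
    o.sentAfterDrain = c.sentRecords().size();
    o.firstSent = c.sentRecords().empty() ? "" : c.sentRecords()[0];
    return o;
}
```

Note that `write()` reports the full length even when the bytes are only parked, so the caller cannot tell from the return value whether the record has actually gone out; an application that needs to know should drain its input before writing.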
Mainly useful for testing WiFiClientSecure in local environments.
If allowSelfSignedCerts is called before verifyCertChain, then the
certificate chain will be verified, but the final certificate may be
self-signed.
The ax_port_malloc, ax_port_calloc, ax_port_realloc, and ax_port_free
functions in WiFiClientSecure are not actually used by the AXTLS library.
It's directly using the library routines, and these functions are never
used. Remove these dead bits of code to make the axtls operation clearer.
When WiFiClientSecure::connect was called, it would first tear down an
existing and set up a new TCP session, then tear down the existing TLS session
(using ssl_free), and then set up a new one. This caused a TLS close-notify
alert to be sent to the new TCP session, preventing the new session
from being established. This change postpones setting the IO ctx to the new
TCP connection, fixing this issue.
Ref https://github.com/esp8266/Arduino/issues/3330
Some websites have certificates with uppercase letters in CN. This change
makes _verifyDN function accept such certificates by converting all names
to lower case before comparing them.
Resolves #2978
- update ssl_client_new signature
- add max fragment length negotiation support (hardcoded to 4096 bytes)
- build axtls with -f{function,data}-sections, ~1k less DRAM usage,
~3k less flash
- strip prefix from build paths in debug symbols
* Suppressed -Wunused-parameter and -Wunused-function by casting to void unused identifiers.
* Explicit initialization of all fields to suppress -Wmissing-field-initializers.
* Fixed signed/unsigned integer comparison.
* memset initialization of structs.
* More -Wunused-parameter fixes.
* WiFiClient: use DataSource for writes
* ESP8266WebServer: delegate writing to WiFiClient
* ESP8266WebServer: set write timeout before sending content
If it fails due to a malloc somewhere in bigint.c, we will still crash (although with a less obvious crash message). If it fails in increase_bm_data_size, axTLS will handle this and report that the connection has been aborted. This error will be passed on to the user, so that an application can recover and attempt to reconnect.
Improves the convenience of the verification of fingerprints.
As ':' characters are commonly inserted by web browsers inside the SHA1 fingerprint of HTTPS web sites, this created false problems with signatures "not matching".
Now a signature copied and pasted from Firefox simply works, because the verify function will skip them...
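Added example covering the two identity checks described in the commit messages above (case-insensitive CN comparison, and fingerprint strings with ':' separators). This is illustrative code, not the project's `_verifyDN` or `verify` implementation: `dnMatches` lowercases both names before comparing them, and `parseFingerprint` skips ':' and spaces, accepts upper- or lowercase hex, and rejects anything else or a wrong length so that a truncated or garbled string can never "match". The function names and the sample digest below are constructed for this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>
#include <string>

// Case-insensitive equality for DNS names (DNS names compare
// case-insensitively), so host "Example.COM" matches CN "example.com".
// Hypothetical helper; no wildcard handling.
bool dnMatches(const std::string& certName, const std::string& hostName) {
    if (certName.size() != hostName.size()) return false;
    for (size_t i = 0; i < certName.size(); ++i) {
        unsigned char a = static_cast<unsigned char>(certName[i]);
        unsigned char b = static_cast<unsigned char>(hostName[i]);
        if (std::tolower(a) != std::tolower(b)) return false;
    }
    return true;
}

// Parses a human-readable SHA-1 fingerprint such as "AB:CD:..." or
// "ab cd ..." or "abcd..." into a 20-byte digest. Separators ':' and ' '
// are skipped; any other character, or a length other than 40 hex
// digits, makes the parse fail instead of producing a partial digest.
bool parseFingerprint(const char* text, uint8_t out[20]) {
    size_t nibbles = 0;
    uint8_t byte = 0;
    for (; *text; ++text) {
        char c = *text;
        if (c == ':' || c == ' ') continue;
        int v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return false;
        if (nibbles >= 40) return false;        // more than 20 bytes supplied
        byte = static_cast<uint8_t>((byte << 4) | v);
        if (++nibbles % 2 == 0) out[nibbles / 2 - 1] = byte;
    }
    return nibbles == 40;
}

// Compares the digest of the presented certificate against the expected
// fingerprint string; an unparseable string is treated as a mismatch.
bool fingerprintMatches(const uint8_t presented[20], const char* expectedText) {
    uint8_t expected[20];
    if (!parseFingerprint(expectedText, expected)) return false;
    return std::memcmp(presented, expected, 20) == 0;
}

// Constructed sample digest (not the hash of any real certificate).
static const uint8_t kSampleDigest[20] = {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23,
    0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xde, 0xad, 0xbe, 0xef};
// The same digest as a browser would display it, and as bare hex.
static const char* kSampleColon = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:DE:AD:BE:EF";
static const char* kSampleBare  = "0123456789abcdef0123456789abcdefdeadbeef";
static const char* kSampleShort = "01:23:45";
```

A fingerprint pins one specific leaf certificate, so the expected string has to be updated whenever the site's certificate is renewed; the parser's strict length check is what keeps a copy-paste accident from silently weakening that pin.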
- free up some memory by getting rid of intermediate buffer
- libaxtls: update to 6830d98
- allocate plaintext buffer in two stages: 4*MSS initially, grow to 16k after handshake
- free certificate data after handshake is complete
- preallocate some structures to reduce memory fragmentation