4.3.7 release preparation #12044

Draft: wants to merge 16 commits into base: 4.3_bugfix


kLabz (Contributor) commented Mar 7, 2025

Warning

Do NOT merge! I will rebase when the release is ready

kLabz and others added 16 commits March 7, 2025 08:55
…1646)

* [mbedtls] Store bio functions in a GC root.

* [mbedtls] Fix incorrect alt name check.

* [mbedtls] Replace String_val with Bytes_val to prevent compiler warnings.

* [mbedtls] use SecTrustCopyAnchorCertificates to get root certs on macOS.

SecKeychainOpen is deprecated.

* [mbedtls] Remove unused includes and use angled brackets.

* [mbedtls] Fix more warnings.

* [mbedtls] Support mbedtls 3.x.
…ts (#11838)

* Use windows api to verify ssl certs

Taken from:
Apprentice-Alchemist/hashlink@4d59012

* Handle error if cert store fails to open

* Fix msvc warnings about invalid arguments

Warning	C6387	'parameters' could be '0':  this does not adhere to the specification for the function 'CertGetCertificateChain'.

Warning	C6387	'policy_parameters' could be '0':  this does not adhere to the specification for the function 'CertVerifyCertificateChainPolicy'.

This also fixes an "incorrect parameter" runtime error.

* Clear errors if certificate loading succeeded

* Perform checks for all calls of verify_callback

We need to do this every time, because if any callback call returns
non-zero flags then the entire verification fails, see:
https://github.com/Mbed-TLS/mbedtls/blob/3aefa5b705846c5d4466ae8747160ae9e5054ea8/library/x509_crt.c#L3031

We don't need to loop through the chain, since mbedtls already loops
through and calls the callback on every certificate in the chain.

* Free handles on certificate verification errors

* Replace existing certificates if they exist

This avoids duplicate certificates in the store

* Propagate CN_MISMATCH ssl cert error

The windows api functions won't check this automatically for us without
further modifications, so it's easiest to just respect mbedtls'
judgement and propagate this error.

* Clarify comment regarding error mapping

* Skip verification callback if no errors were found
* copy var flags when duplicating

Also don't unroll loops that have static vars
closes #11800

* hoist static locals when unrolling loops

see #11800

* hoist all var declarations when unrolling loops

* awkwardly deal with captured locals

* clean up a bit, but don't hoist non-statics after all

* don't need this now

* remove test
* add CfNoLookup

* invalidate
* Local statics cannot be found in class decls

* Add test

* Update test

* Fix test for CI
* clean up warning handling and add optional WUnsafeEnumEquality

* wah
* Always check var shadowing, disable associated warning by default

* Deprecate some warning-related defines
* [ci] Use ARM runner.

* [ci] Run tests on Linux ARM runners.
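
The callback behaviour described in the "Perform checks for all calls of verify_callback", "Propagate CN_MISMATCH ssl cert error" and "Skip verification callback if no errors were found" commit messages above can be modelled in a few lines of C; this is an added example, not code from the pull request or from mbedtls. The flag constants, `cert_t`, `verify_chain`, both callbacks and the sample chains are constructed for illustration, with `os_trusts` standing in for the verdict the Windows certificate API would return, and `cb_leaf_only` is a hypothetical contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for mbedtls' MBEDTLS_X509_BADCERT_* flag bits. */
#define BAD_CN_MISMATCH 0x04u
#define BAD_NOT_TRUSTED 0x08u

/* os_trusts models the verdict of the OS trust store for this certificate. */
typedef struct { const char *name; uint32_t lib_flags; int os_trusts; } cert_t;
typedef int (*vrfy_cb)(const cert_t *crt, int depth, uint32_t *flags);

/* Model of the library side: the callback runs once per certificate, and the
 * flags it leaves behind are OR-ed together. Any remaining bit fails the chain. */
static uint32_t verify_chain(const cert_t *chain, size_t n, vrfy_cb cb) {
    uint32_t total = 0;
    for (size_t i = n; i-- > 0;) {          /* top of chain first, leaf last */
        uint32_t cur = chain[i].lib_flags;
        cb(&chain[i], (int)i, &cur);
        total |= cur;
    }
    return total;                            /* 0 means the handshake may proceed */
}

/* Policy from the commit messages: run on every call, skip clean certificates,
 * let the OS verdict clear errors, but always keep CN_MISMATCH. */
static int cb_every_call(const cert_t *crt, int depth, uint32_t *flags) {
    (void)depth;
    if (*flags == 0) return 0;               /* nothing to re-check */
    if (crt->os_trusts) *flags &= BAD_CN_MISMATCH;
    return 0;
}

/* Hypothetical contrast: a callback that only acts on the leaf (depth 0). */
static int cb_leaf_only(const cert_t *crt, int depth, uint32_t *flags) {
    return depth == 0 ? cb_every_call(crt, depth, flags) : 0;
}

/* Constructed chains: index 0 is the leaf, index 1 the intermediate. */
static const cert_t ok_chain[]  = {{"leaf", 0, 1}, {"intermediate", BAD_NOT_TRUSTED, 1}};
static const cert_t bad_name[]  = {{"leaf", BAD_CN_MISMATCH | BAD_NOT_TRUSTED, 1}, {"intermediate", BAD_NOT_TRUSTED, 1}};
static const cert_t untrusted[] = {{"leaf", BAD_NOT_TRUSTED, 0}, {"intermediate", BAD_NOT_TRUSTED, 0}};

int main(void) {
    printf("every call, ok chain:  0x%02x\n", (unsigned)verify_chain(ok_chain, 2, cb_every_call));
    printf("leaf only, ok chain:   0x%02x\n", (unsigned)verify_chain(ok_chain, 2, cb_leaf_only));
    printf("every call, bad name:  0x%02x\n", (unsigned)verify_chain(bad_name, 2, cb_every_call));
    printf("every call, untrusted: 0x%02x\n", (unsigned)verify_chain(untrusted, 2, cb_every_call));
    return 0;
}
```

The leaf-only variant fails a chain the OS trusts, because the flag left on the intermediate is still OR-ed into the result.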