*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
- `STACK_TYPE_X509_OBJ`
- `OCSP_id_cmp`
- `X509_STORE_get0_objects`
- `X509V3_EXT_nconf_nid`
- `X509V3_EXT_nconf`
- `X509_chain_up_ref`
- `X509_NAME_hash`
- `sk_X509_NAME_new_null`
- `X509_OBJECT_get0_X509`
- `X509_OBJECT_get0_X509_CRL`
- `ASN1_OCTET_STRING_free`
- `X509_LOOKUP_TYPE`
- `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
- WOLFSSL_CTX
- Enable all compiled in protocols
- Allow anonymous ciphers
- Set message grouping
- Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
- Return first that occured
- Set correct value on date error
- Set revoked error on OCSP or CRL error
- Save value in session and restore on resumption
- Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
- Add doxygen documentation for wc_GetPkcs8TraditionalOffset, wc_CreatePKCS8Key,
wc_EncryptPKCS8Key, and wc_DecryptPKCS8Key.
- Add a new API function, wc_CreateEncryptedPKCS8Key, which handles both
creation of an unencrypted PKCS#8 key and the subsequent encrypting of said key.
This is a wrapper around TraditionalEnc, which does the same thing. This may
become a first-class function at some point (i.e. not a wrapper). TraditionalEnc
is left as is since it is used in the wild.
- Added a unit test which exercises wc_CreateEncryptedPKCS8Key and
wc_DecryptPKCS8Key. Testing wc_CreateEncryptedPKCS8Key inherently also tests
TraditionalEnc, wc_CreatePKCS8Key, and wc_EncryptPKCS8Key.
- Modified wc_EncryptPKCS8Key to be able to return the required output buffer
size via LENGTH_ONLY_E idiom.
- Added parameter checking to wc_EncryptPKCS8Key and wc_DecryptPKCS8Key.
* Cleanup `WOLFSSL_DH_EXTRA` macro logic and do not allow with FIPS v1 or v2.
* Fixes for httpd (if `SSL_CONF_FLAG_FILE` is defined it is used to indicate support for `SSL_CONF_CTX_set_flags` and `SSL_CONF_cmd_value_type`).
* Add Curve448 and ED448 key type to `enum wc_PkType`.
* Expand `dh_ffdhe_test` to include 4096 bit.
