* Fixes for building with Ed/Curve25519 only. Fix for IoT safe demo to exit after running once. Added `WOLFSSL_DH_EXTRA` to `--enable-all` and `--enable-sniffer`. Cleanup uses of `==` in configure.ac. Various spelling fixes.
* Fix for sniffer with TLS v1.3 session tickets.
* Fix for ASN Template Ed25519 key export (missing version / not setting OID correctly).
* Add key import/export support for Curve25519/Curve448. Refactor of the 25519/448 ASN code to combine duplicate code.
* Refactor of Curve25519 code. Improved public key export to handle generation when only private is set. Improved private scalar buffer sizing.
* Fix for static ephemeral loading of file buffer.
* Added sniffer Curve25519 support and test case.
* Fix for sniffer to not use ECC for X25519 if both are set.
* Fix Curve448 public export when only private is set.
* Fix for `dh_generate_test` for small stack size.
* Reduce stack size use on new asymmetric DER import/export functions. Cleanup pub length calc.
* Fix invalid comment.
*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
- `STACK_TYPE_X509_OBJ`
- `OCSP_id_cmp`
- `X509_STORE_get0_objects`
- `X509V3_EXT_nconf_nid`
- `X509V3_EXT_nconf`
- `X509_chain_up_ref`
- `X509_NAME_hash`
- `sk_X509_NAME_new_null`
- `X509_OBJECT_get0_X509`
- `X509_OBJECT_get0_X509_CRL`
- `ASN1_OCTET_STRING_free`
- `X509_LOOKUP_TYPE`
- `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
- WOLFSSL_CTX
- Enable all compiled in protocols
- Allow anonymous ciphers
- Set message grouping
- Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
- Return first that occured
- Set correct value on date error
- Set revoked error on OCSP or CRL error
- Save value in session and restore on resumption
- Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
- Use OcspEntry in OcspResponse instead of CertStatus. OcspEntry is more
analogous to an OCSP SingleResponse, which contains issuer name and key
hashes. Correspondingly, remove these hashes from OcspResponse, since they'll
now be stored per SingleResponse in an OcspEntry.
- Add a hashAlgoOID to OcspEntry (corresponds to hashAlgorithm in CertId in RFC
6960). This makes OcspEntry more closely resemble an OCSP SingleResponse.
- Change WOLFSSL_OCSP_CERTID to map to OcspEntry. OcspEntry contains all the
information that an OCSP CertID contains, and is a better fit than
OcspRequest.
- Add a pointer to the raw CertId in an OCSP SingleResponse to OcspEntry, along
with a size field to indicate how many bytes the CertId occupies. This will
be used in an OpenSSL compatibility function, i2d_OCSP_CERTID, which yields
the raw bytes of the CertId.
Update configure.ac and various #ifdefs to enable WolfSSL to
build features for use by lighttpd.
Change signature of wolfSSL_GetVersion() to take const arg.
Pass (const WOLFSSL*) to wolfSSL_GetVersion() for use with
SSL_CTX_set_info_callback(), where OpenSSL callback takes (const SSL *)
* Added Apache httpd support `--enable-apachehttpd`.
* Added `SSL_CIPHER_get_version`, `BIO_new_fp`, `SSL_SESSION_print` and `SSL_in_connect_init` compatibility API's.
* Fix to expose `ASN1_UTCTIME_print` stub.
* Pulled in `wolfSSL_X509_get_ext_count` from QT.
* Added `X509_get_ext_count`, `BIO_set_callback`, `BIO_set_callback_arg` and `BIO_get_callback_arg`.
* Added `wolfSSL_ERR_print_errors`.
* Added `BIO_set_nbio` template.
* Fixes for building with Apache httpd.
* Added DH prime functions required for Apache httpd.
* Fix and move the BN DH prime macros.
* Fix for `SSL_CTX_set_tlsext_servername_arg` to have return code.
* Only add the `BN_get_rfc*_prime_*` macro's if older than 1.1.0.
* Added `ERR_GET_FUNC`, `SSL_CTX_clear_extra_chain_certs` prototypes.
* Added `wolfSSL_CTX_set_client_cert_cb` template and `OPENSSL_load_builtin_modules` stub macro.
* Added `X509_INFO` templates (`X509_INFO_new`, `X509_INFO_free`, `sk_X509_INFO_new_null`, `sk_X509_INFO_num`, `sk_X509_INFO_value`, `sk_X509_INFO_free`). Added `sk_X509_shift`.
* Added BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg
* add BIO_set_nbio, ERR_print_errors and tests
* add X509 INFO stack push function
* Add ASN1_UTCTIME_print and unit test
* Add X509_get_ext_count unit test
* initial commit of wolfSSL_PEM_X509_INFO_read_bio
* Added `sk_X509_NAME_new`, `sk_X509_NAME_push`, `sk_X509_NAME_find`, `sk_X509_NAME_set_cmp_func` and `sk_X509_NAME_free`. Grouped `sk_X509_NAME_*` functions.
* Cleanup sk X509 NAME/INFO pop free template.
* Advance openssl compatibility to v1.1.0 for Apache httpd. Added TLS version macros. Implemented sk X509 NAME/INFO pop and pop_free.
* Added `TLS_client_method` support.
* Added `SSL_get_server_tmp_key` and `EC_curve_nid2nist`.
* Added `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`. Fix for `BN_get_rfc*_prime_*` with the v1.1.0 change.
* add test cases for PEM_X509_INFO_read_bio
* Fixes for `BN_get_rfc*_prime_*` macros. Added template for `SSL_DH_set0_pqg`. Fix for `SSL_OP_NO_` to use Macro's (as is done in openssl). Added `SSL_set_verify_result`. Added stub for `OPENSSL_malloc_init`.
* Apache httpd compatibility functions. BIO setter/getters.
* implement ASN1_TIME_check and add test case
* add SSL_get_client_CA_list
* add initial implementation of wolfSSL_DH_set0_pqg
* Add apache support to OBJ_txt2nid and unit test, add stub for OBJ_create
* add X509_STORE_CTX_get1_chain, sk_free, sk_X509_dup
* Add sk_SSL_COMP_num and SSL_COMP struct
* implement and test of SSL_SESSION_print
* add SSL_CTX_set_client_cert_cb
* expand BIO_printf and add test case
* Added `OCSP_CERTID_dup`. Added `ASN1_TYPE`.
* add implementation for wolfSSL_get_server_tmp_key
* add wolfSSL_BIO_puts and test case
* Add X509_EXTENSION_get_object and X509_EXTENSION_get_data
* add helper for bio flag set and null x509 stack
* add test adn implementation for wolfSSL_i2d_PrivateKey
* Added `ASN1_OTHERNAME`, `ACCESS_DESCRIPTION` and `GENERAL_NAME`. Added `sk_ACCESS_DESCRIPTION_pop_free` and `ACCESS_DESCRIPTION_free` stubs.
* add wolfSSL_PEM_read_bio_ECPKParameters
* add BIO_vfree
* add X509_up_ref
* add X509_STORE_CTX_set_ex_data
* add _GNU_SOURCE macro and wolfSSL_EVP_read_pw_string
* add wolfSSL_EVP_PKEY_ref_up function
* X509_get_ext, X509V3_EXT_print, and d2i_DISPLAYTEXT stubs
* add X509_set_issuer_name
* add wolfSSL_sk_SSL_CIPHER_* functions and tests
* add prototype for sk_X509_EXTENSION and ACCESS_DESCRIPTION
* fix casting to avoid clang warning
* adjust test_wolfSSL_X509_STORE_CTX test case
* Added `OpenSSL_version`
* renegotiate functions and additional stack functions
* add aditional stub functions
* Add Apache httpd requirements for ALPN, CRL, Cert Gen/Req/Ext and SecRen. Fix for `sk_X509_INFO_new_null`.
* add ocsp stub functions
* Proper fix for `sk_X509_INFO_new_null`. Added templates for `X509_get_ext_by_NID` and `X509_add_ext`. Added templates for `ASN1_TIME_diff` and `ASN1_TIME_set`.
* x509 extension stack additions
* Fixed template for `OCSP_id_get0_info`.
* add X509 stub functions
* add X509_STORE_CTX_get0_store() and unit test
* Added `EVP_PKEY_CTX_new_id`, `EVP_PKEY_CTX_set_rsa_keygen_bits`, `EVP_PKEY_keygen_init`, `EVP_PKEY_keygen` and `BN_to_ASN1_INTEGER`.
* x509v3 stubs and req add extensions
* Add OBJ_txt2obj and unit test; add long name to wolfssl_object_info table for use by OBJ_* functions
* wolfSSL_set_alpn_protos implementation
* Added `EVP_SignInit_ex` and `TLS_server_method` implementation. Added stubs for `RSA_get0_key` and `i2d_OCSP_REQUEST_bio`. Fix typo on `OCSP_response_create`. Fix warning in `wolfSSL_set_alpn_protos`.
* Added `X509_EXTENSION_free` stub. Fixed a few macro typos/adding missing.
* add X509_STORE_CTX_get0_current_issuer and unit test
* add OBJ_cmp and unit test
* add RSA_get0_key and unit test
* add OCSP_check_nonce
* Implement X509_set_notAfter/notBefore/serialNumber/version,X509_STORE_CTX_set_depth,X509V3_set_ctx.
* Modify wolfSSL_X509_set_notAfter/notBefore and add tests for each.
* Add test_wolfSSL_X509_set_version w/ fixes to _set_version and fix _set_notBefore/notAfter tests
* add OCSP_id_get0_info and unit test, move WOLFSSL_ASN1_INTEGER to asn_public.h from ssl.h
* inital implementation of wolfSSL_X509_sign
* add debugging messages and set data for BIO's
* Add i2d_OCSP_REQUEST_bio.
* implementation of some WOLFSSL_BIO_METHOD custom functions
* fix for ASN time structure and remove log node
* initial eNULL support and sanity checks
* fixes after rebasing code
* adjust test cases and ASN1_TIME print
* Various fixes for memory leaks
* Apache compatibility in CTX_set_client_CA_list for X509_NAME use; add X509_NAME_dup as supporting function
* Add initial X509_STORE_load_locations stub for Apache
* Updates to X509_get_ext_d2i to return GENERAL_NAME struct instead of ASN1_OBJECT for alternative names and add supporting GENERAL_NAME functions
* Add X509_STORE_load_locations implementation; add wolfSSL_CertManagerLoadCRL_ex; initial renegotiation fixes/updates
* Fix for freeing peer cert in wolfSSL_Rehandshake instead of FreeHandShakeResources during secure renegotiation
* Add X509_ALGOR and X509_PUBKEY structs for X509_PUBKEY_get0_param and X509_get_X509_PUBKEY implementation
* Initial implementation of wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Add implementation for X509_get0_tbs_sigalg and X509_ALGOR_get0
* Add OBJ_nid2ln implementation
* Fix compile errors in tests/api.c for some build options
* Updates to X509_STORE_load_locations for non-CRL types; Add additional DETECT_CERT_TYPE enum and logic for detecting certificate type in ProcessFile
* Add X509_STORE_load_locations unit test and minor error handling fixes
* Add unit test for X509_sign
* Set correct alert type for revoked certificates; add/fix a few WOLFSSL_ENTER messages
* Add X509_ALGOR member to X509 struct; refactoring and unit tests for wolfSSL_X509_ALGOR_get0 and wolfSSL_X509_get0_tbs_sigalg
* Add X509_PUBKEY member to X509 struct; refactoring and unit tests for wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Stack fixes after rebase
* Secure renegotiation refactoring: add ACCEPT_BEGIN_RENEG to AcceptState for use in wolfSSL_SSL_in_connect_init; free old peer cert when receiving new cert to fix memory leak
* Move enc-then-mac enable option in configure.ac for apache httpd compatibility
* Simplify wolfSSL_SSL_in_connect_init logic
* Remove unneeded wolfSSL_CertManagerLoadCRL_ex
* Fixes for jenkins test failures
* SSL_get_secure_renegotiation_support for print statement in Apache
The ValidateDate() function is wrapped by a macro so it may be replaced
in environments without ASN_TIME built in. In two cases, OCSP and CRL,
ValidateDate() is called directly instead of by the macro. This change
fixes that.
Store DER copy of CA certificate with signer when
WOLFSSL_SIGNER_DER_CERT is defined.
Keep the bad issuer error for later when compiling for OpenSSL
compatability.
Authority Info string needs to be passed back with a nul terminator.
