Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.
The server no longer needs to load the CA to staple OCSP responses.
Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
Order of preference, based on algorithms compiled in, to use with HMAC
for TLS 1.3 cookie:
1. SHA-256
2. SHA-384
3. SHA-512
4. SM3
Make code compile and unittest pass when SHA-256 not compiled in.
Certificates used for testing require SHA-256 so handshake testing
fails.
add WC_GENERATE_SEED_DEFAULT, which defaults to wc_GenerateSeed if not overridden, and replace wc_GenerateSeed with WC_GENERATE_SEED_DEFAULT in various calls to wc_SetSeed_Cb();
linuxkm/linuxkm_wc_port.h: if FIPS <v6 and RDSEED, define WC_LINUXKM_RDSEED_IN_GLUE_LAYER and define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD;
wolfcrypt/test/test.c: update rng_seed_test() with gating and vectors for FIPS v5 with HAVE_AMD_RDSEED or HAVE_INTEL_RDSEED;
wolfssl/wolfcrypt/types.h: add WC_HAVE_VECTOR_SPEEDUPS helper macro, and enlarge fallthrough definition coverage for DISABLE_VECTOR_REGISTERS.
refactor all static flag initializations to use cpuid_get_flags_ex() for race-free dynamics;
refactor cpuid_set_flags() to be race-free;
wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: add
* WOLFSSL_ATOMIC_COERCE_INT()
* WOLFSSL_ATOMIC_COERCE_UINT()
* wolfSSL_Atomic_Uint
* wolfSSL_Atomic_Uint_Init()
* wolfSSL_Atomic_Int_AddFetch()
* wolfSSL_Atomic_Int_SubFetch()
* wolfSSL_Atomic_Int_CompareExchange()
* wolfSSL_Atomic_Uint_FetchAdd()
* wolfSSL_Atomic_Uint_FetchSub()
* wolfSSL_Atomic_Uint_AddFetch()
* wolfSSL_Atomic_Uint_SubFetch()
* wolfSSL_Atomic_Uint_CompareExchange()
wolfcrypt/test/test.c: add to memory_test() tests for all atomic macros and APIs;
.github/workflows/pq-all.yml: don't use -Wpedantic for CC=c++ scenario.
* Store in extensions the full octet string
Store in WOLFSSL_X509_EXTENSION.value always the full contents of the
OCTET STRING of the extension, instead of different type of data
depending on the type of extension. Previously this was only done for
unknown extensions.
* Avoid local variables in 'DecodeExtKeyUsageInternal'
There is a great performance loss on configs using 'WOLFSSL_NO_MALLOC',
'WOLFSSL_STATIC_MEMORY' and 'USE_FAST_MATH' if function
'DecodeExtKeyUsageInternal' uses intermediate variables. This can be
observed running the Zephyr test 'wolfssl_test/prj-no-malloc.conf'.
Avoid using intermediate variables, and use raw pointers to the final
destination instead.
* Add missing calls to 'FreeDecodedCert'
* Return error code from 'wolfSSL_ASN1_STRING_into_old_ext_fmt'
* Fix lines larger than 80
* Allow NULL parameters for 'DecodeAuthKeyId'
* Add comment explaining build option '--enable-old-extdata-fmt'
* Test full OCTET STRING in tests/api.c
* wolfSSL_X509V3_EXT_d2i: Honor 'WOLFSSL_SMALL_STACK'
* zephyr/wolfssl_test_no_malloc: Increase test timeout
* wolfSSL_X509V3_EXT_d2i: Extract repeated code into common part
* wolfcrypt: Remove 'WOLFSSL_LOCAL' from .c files
* wolfcrypt: Change location of functions to make diff easier
wolfcrypt/benchmark/benchmark.c:
* use WC_RELAX_LONG_LOOP() as default definition of TEST_SLEEP(), and remove WC_RELAX_LONG_LOOP() from bench_stats_sym_finish()/bench_stats_asym_finish_ex();
* when WOLFSSL_LINUXKM but !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS., properly wrap kernel_fpu_begin...end around floating point ops.
Original ASN.1 code wasn't checking that data in a sequence didn't
exceed the length of the sequence.
In particular, the contents of the parameters and the PKCS#5 parameters.
