.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);
wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
F-2145
wolfSSL_CTX_use_RSAPrivateKey staged the RSA private key DER (PKCS#1:
n, e, d, p, q, dP, dQ, qInv) in a heap buffer and freed it without
ForceZero. Zeroize before XFREE.
Add NULL and bounds validation to public API entry points that
were missing basic argument checks. Fixes span ALPN, session cache,
X509, SRP, PrivateKey ID/Label, and OBJ_obj2txt.
- Add WC_EVP_PKEY_ED25519 / WC_EVP_PKEY_ED448 type constants and
matching EVP_PKEY_ED25519 / EVP_PKEY_ED448 OpenSSL aliases.
- Extend WOLFSSL_EVP_PKEY with ed25519/ed448 fields and ownership
bits, and free them in wolfSSL_EVP_PKEY_free().
- Add d2i probe functions that accept both SubjectPublicKeyInfo /
PKCS#8 PrivateKeyInfo encodings and raw 32/57-byte key material,
and hook them into the d2i_evp_pkey_try() chain.
- Map the Ed25519/Ed448 signature OIDs in the relevant lookups and
teach the PEM key-format dispatch and SSL_CTX_use_PrivateKey
switch about the new types.
Move EC and RSA code out of pk.c into separate file.
Move out of ssl.c into separate files:
- Certificate APIs
- CRL/OCSP APIs
- Public Key APIs
- ECH
Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.
Fix formatting.
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.
The server no longer needs to load the CA to staple OCSP responses.
Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
WOLFSSL_DEBUG_CERTS definitions priority when defining WOLFSSL_MSG_CERT_LOG()
and WOLFSSL_MSG_CERT_LOG_EX, update documentation in preamble, and fix the
WOLFSSL_ANDROID_DEBUG definition of WOLFSSL_DEBUG_PRINTF_FIRST_ARGS and the
WOLFSSL_ESPIDF definition of WOLFSSL_DEBUG_PRINTF();
src/ssl_load.c: use WOLFSSL_MSG_CERT_LOG_EX(), not WOLFSSL_DEBUG_PRINTF(), in
ProcessFile().
WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor
wolfssl_log() to use it, and move printf setup includes/prototypes from
logging.c to logging.h;
src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
callers;
remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
and certs/external/baltimore-cybertrust-root.pem.