- Add WC_EVP_PKEY_ED25519 / WC_EVP_PKEY_ED448 type constants and
matching EVP_PKEY_ED25519 / EVP_PKEY_ED448 OpenSSL aliases.
- Extend WOLFSSL_EVP_PKEY with ed25519/ed448 fields and ownership
bits, and free them in wolfSSL_EVP_PKEY_free().
- Add d2i probe functions that accept both SubjectPublicKeyInfo /
PKCS#8 PrivateKeyInfo encodings and raw 32/57-byte key material,
and hook them into the d2i_evp_pkey_try() chain.
- Map the Ed25519/Ed448 signature OIDs in the relevant lookups and
teach the PEM key-format dispatch and SSL_CTX_use_PrivateKey
switch about the new types.
When wc_DhKeyDecode() rejected the input, d2iTryAltDhKey() returned 0
after freeing the DH object. d2i_evp_pkey_try() treats any value >= 0
as success, so a non-DH input would stop the probe chain at the DH
step and never reach the Falcon, Dilithium, Ed25519, or Ed448 probes
that follow. d2i_PUBKEY()/d2i_PrivateKey() consequently returned NULL
for any key type past DH in the chain.
ToTraditionalInline_ex2 original ASN code:
- Now return 0 when no OCTECT_STRING data found.
- Change callers to accept 0 as a valid returnb value.
SizeASN_Items:
- Change encoded size to word32 as won't be negative.
- Change callers to supply a pointer to a word32 instead of integer.
Fix casting due to change of parameter type.
ASN_LEN_ENC_LEN: Function to calculate the length of the encoded ASN.1
length.
GetLength_ex:
- Change minLen to word32
- Change length to word32 and change negative check appropriately for
different type.
GetASNHeader_ex:
- If not checking lengths in GetLength_ex, check it here.
DecodeObjectId:
- Ensure no overflow in calculation.
_RsaPrivateKeyDecode (original)
- Clear RSA integers on failure (will be done in free anyway).
wc_CreatePKCS8Key (original):
- safe check of overflow.
DecryptContent (templare):
- Parse will fail if OID not recognized, and recognized OIDs are 9/10
bytes long - but check idx is 9/10 anyway so we know we can read 2 end
bytes of data.
wc_RsaPublicKeyDecode_ex (original):
- Fix calculation of seqEndIdx and use it to bound modulus and
exponent.
DecodePolicyOID
- enusre inSz is not too long.
- Ensure no overflow in calculation.
SetOidValue (orginal):
- Safe check of inSz and oidSz.
SetAltNames (original):
- Improve length checks
FlattenAltNames:
- Check for overflow.
- Better length check.
ParseCRL_CertList (original):
- overflow check
Move EC and RSA code out of pk.c into separate file.
Move out of ssl.c into separate files:
- Certificate APIs
- CRL/OCSP APIs
- Public Key APIs
- ECH
Internal Certificate Manager APIs pulled out into ssl_certman.c.
d2i and i2d WOLFSSL_EVP_PKEY APIs pulled out into evp_pk.c.
Fix formatting.