* Sniffer: Remove old restrictions for max strength, encrypt-then-mac and forcing openssl-extra.
* Fix bound warning with strncpy in sniffer.c.
* Fix for async DH issue.
* Fix for SP math all not initializing raw big int.
* Fix for array bounds warning with "-O3" on SetEccPublicKey.
* Fix a sniffer async edge case with TLS v1.2 static RSA and extended master.
* Improved the sniffer test script detection of features.
* Disable ECC custom curve test with Intel QuickAssist.
Passing in x=0 and y=0 meant to return ECC_INF_E.
Passing in x=0, y=not 0 or x=not 0, y=0 now checks whether the point is
valid and forces a return of BAD_FUNC_ARG when IS_POINT_E is returned
from check.
- Add support for ASN1_TIME_compare, DH_new_by_nid, OBJ_length, OBJ_get0_data,
and ChaCha20-Poly1305 and HKDF in the EVP layer.
- Map EC_POINT_get_affine_coordinates to
wolfSSL_EC_POINT_get_affine_coordinates_GFp and EC_POINT_set_affine_coordinates
to wolfSSL_EC_POINT_set_affine_coordinates_GFp.
- Add kdf.h compatibility header.
Curve25519: reduce to less than mod at end of curve25519, optimize to
not use imulq when andq can be used instead.
x86_64 Karatsuba Mul: Don't put add carry into overflow and then
continue adding zero. Overflow is lost.
EC point add is a double if affine ordinates are the same.
Fix AVX2 implementation of mod inv to do conversion from 26 bits in
32-bit registers to 64 bits in 64-bit registers. Also handle negative
value.
RSA OAEP: loop down to last byte. Must have a separator.
Div for x86_64: fix to have all 1s when high word equals divisor.
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
Added a test for the TLSv1.3 KDF to the wolfcrypt test. It uses 6
different test cases from the CAVP tests. A set of 8 session keys are
generated using multiple exporters.
David Garske
Jacob Barthelmeh
Eric Blankenhorn
John Safranek
elms
Daniel Pouzzner
kaleb-himes
Chris Conlon
Sean Parkinson
Hideki Miyazaki
Hayden Roche
Daniele Lacamera