- `EVP_PKEY_assign_RSA` should store the private key in DER format, not the
public key.
- The last call to `infoCb` in `wolfSSL_BIO_write` should provide the length of
the data to write.
- We should be able to parse RSA public keys starting with BEGIN RSA PUBLIC KEY
and ending with END RSA PUBLIC KEY.
Prototype is required when internal.h is not included and GetCA is not
defined.
wolfSSL_EVP_CIPHER_CTX_set_iv_length() is called with CBC cipher in
api.c. Function is not specificly for GCM, though not strictly needed
for CBC.
TFM:
Use register or memory for c0, c1, c2 in SQRADD and SQRADD2.
SP:
Use register or memory for vl, vh, vo in SP_ASM_MUL_ADD,
SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD.
* Adds `--enable-linuxkm-pie` and associated infrastructure, to support FIPS mode in the Linux kernel module.
* Adds `tests/api.c` missing (void) arglist to `test_SSL_CIPHER_get_xxx()`.
- Add an --enable-rsyslog option to configure.ac.
- Add a few missing `WOLFSSL_ERROR` calls that were expected by rsyslog unit
tests.
- Add better documentation around `WOLFSSL_SHUTDOWN_NOT_DONE` and define it to
be 0 (rather than 2) when `WOLFSSL_ERROR_CODE_OPENSSL` is defined. This is in
accordance with OpenSSL documentation. Without this change, rsyslog was
failing to do the bidirectional shutdown properly because it was checking the
shutdown return value against 0. I'm keeping the old value when
`WOLFSSL_ERROR_CODE_OPENSSL` isn't defined because it's part of the public
wolfssl interface (it's in ssl.h).
- Handle case where output buffer is NULL. In this case, passed in output buffer
length pointer should be given the maximum output buffer size needed.
- Add better debug messages.
# New or Updated APIs
- wolfSSL_get_tlsext_status_type
- wolfSSL_X509_chain_up_ref
- wolfSSL_get0_verified_chain
- SSL_CTX_set_cert_cb
- SSL_certs_clear
- SSL_add0_chain_cert ssl_cert_add0_chain_cert
- SSL_add1_chain_cert ssl_cert_add1_chain_cert
- sk_X509_NAME_new_null
- SSL_CTX_set_cert_cb
- SSL_set0_verify_cert_store
- SSL_set_client_CA_list
# Other Changes
- Ignore gdbinit
- Add api.c tests for new API
- Add `WOLFSSL_X509_STORE* x509_store_pt` to `WOLFSSL`
- Add macro to select the `WOLFSSL` specific store when available and the associated `WOLFSSL_CTX` store otherwise. Calls to `ssl->ctx->cm` and `ssl->ctx->x509_store*` were replaced by macros.
- NO-OP when setting existing store
- Add reference counter to `WOLFSSL_X509_STORE`
- Cleanup MD5 redundant declarations
- WOLFSSL_ERROR may map to nothing so make assignment outside of it
- refMutex fields are excluded with SINGLE_THREADED macro
- Chain cert refactor
- Make `wolfSSL_add0_chain_cert` and `wolfSSL_add1_chain_cert` not affect the context associated with the SSL object
- `wolfSSL_CTX_add1_chain_cert` now updates the `ctx->certChain` on success and stores the cert in `ctx->x509Chain` for later free'ing
pyOpenSSL needs the OpenSSL function X509_EXTENSION_dup, so this commit adds
that to the compatibility layer. It also needs to be able to access the DER
encoding of the subject alt names in a cert, so that's added as well.
John Safranek