1. Updated the IDE/WIN10 user settings to enable RDSEED by default.
2. Updated the Windows GenerateSeed() function to take into account the
RDSEED enabled setting.
3. Exclude the TestSeed() function check for the "selftest" build as
well as old FIPS.
1. Update the SEED_BLOCK_SZ to 4 for non-FIPS builds.
2. Change fips-check.sh to skip copying over the random.{c,h} files for
now. Need the tagged versions of the other files and the new random for
now.
1. For non-FIPS builds, lower the entropy request size to the old value.
2. Added a consistency check to the result of the entropy source. The test
involves requesting an additional 64-bits, then doing a running
comparison of each block of 64-bits. The first block of bits is ignored.
3. Refactored the RNG seeding a bit. Renamed all variables with
"entropy" in the name as "seed". Renamed the constants for entropy sizes
as seed sizes. Changed the security strength to its actual value and
introduced an entropy scaling factor for the number of bits of entropy
per bit and a size for the NDRBG block size.
4. Changed it so the user can change the parameters for the RNG at the
build configuration. If using FIPSv2, triggers an error if the paramters
are changed.
Document how length of ECDSA signature calculated.
Check parameter not NULL before use.
Formatting fix.
Also, disable RSA test of EVP_DigestSign/Verify* when HAVE_USER_RSA.
* Added new `wolfSSL_CTX_load_verify_locations_ex` that supports flags `WOLFSSL_LOAD_FLAG_IGNORE_ERR`, `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` and `WOLFSSL_LOAD_FLAG_PEM_CA_ONLY`.
* Fix for `PemToDer` to handle PEM which may include a null terminator in length at end of file length causing wrong error code to be returned. Added test case for this. (ZD 4278)
* Added macro to override default flags for `wolfSSL_CTX_load_verify_locations` using `WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS`.
* Added tests for loading CA PEM's from directory using `wolfSSL_CTX_load_verify_locations` and `wolfSSL_CTX_load_verify_locations_ex` with flags.
* Added tests for `wolfSSL_CertManagerLoadCABuffer`.
* Updated the expired test certs and added them to `./certs/test/gen-testcerts.sh` script.
Code doesn't require a DecodedCert which saves on dynamic memory usage.
WOLFSSL_SMALL_CERT_VERIFY: Don't have a DecodedCert allocated and verify
certificate signature in ProcessPeerCerts as this is maximum dynamic
memory usage.
WOLFSSL_SMALL_CERT_VERIFY is enabled with 'lowresource' configuration
option.
Fix sp_clear to work with NULL parameter.
Define a new function HashId that maps to the hashing function
available.
Set MAX_CERT_VERIFY_SZ to be the maximum based on what algorithms are
compiled in.
Fix usage of MAX_CERT_VERIFY_SZ in functions sending certificate verify
messages.
1. When checking an OID sum against an OID string based on context, skip the unknown OIDs instead of treating them as parse errors.
2. When getting an OID, pass the lower error upstream instead of just PARSE error.
