# New or Updated APIs
- wolfSSL_get_tlsext_status_type
- wolfSSL_X509_chain_up_ref
- wolfSSL_get0_verified_chain
- SSL_CTX_set_cert_cb
- SSL_certs_clear
- SSL_add0_chain_cert ssl_cert_add0_chain_cert
- SSL_add1_chain_cert ssl_cert_add1_chain_cert
- sk_X509_NAME_new_null
- SSL_CTX_set_cert_cb
- SSL_set0_verify_cert_store
- SSL_set_client_CA_list
# Other Changes
- Ignore gdbinit
- Add api.c tests for new API
- Add `WOLFSSL_X509_STORE* x509_store_pt` to `WOLFSSL`
- Add macro to select the `WOLFSSL` specific store when available and the associated `WOLFSSL_CTX` store otherwise. Calls to `ssl->ctx->cm` and `ssl->ctx->x509_store*` were replaced by macros.
- NO-OP when setting existing store
- Add reference counter to `WOLFSSL_X509_STORE`
- Cleanup MD5 redundant declarations
- WOLFSSL_ERROR may map to nothing so make assignment outside of it
- refMutex fields are excluded with SINGLE_THREADED macro
- Chain cert refactor
- Make `wolfSSL_add0_chain_cert` and `wolfSSL_add1_chain_cert` not affect the context associated with the SSL object
- `wolfSSL_CTX_add1_chain_cert` now updates the `ctx->certChain` on success and stores the cert in `ctx->x509Chain` for later free'ing
- Add doxygen documentation for wc_GetPkcs8TraditionalOffset, wc_CreatePKCS8Key,
wc_EncryptPKCS8Key, and wc_DecryptPKCS8Key.
- Add a new API function, wc_CreateEncryptedPKCS8Key, which handles both
creation of an unencrypted PKCS#8 key and the subsequent encrypting of said key.
This is a wrapper around TraditionalEnc, which does the same thing. This may
become a first-class function at some point (i.e. not a wrapper). TraditionalEnc
is left as is since it is used in the wild.
- Added a unit test which exercises wc_CreateEncryptedPKCS8Key and
wc_DecryptPKCS8Key. Testing wc_CreateEncryptedPKCS8Key inherently also tests
TraditionalEnc, wc_CreatePKCS8Key, and wc_EncryptPKCS8Key.
- Modified wc_EncryptPKCS8Key to be able to return the required output buffer
size via LENGTH_ONLY_E idiom.
- Added parameter checking to wc_EncryptPKCS8Key and wc_DecryptPKCS8Key.
* Added TLS v1.3 sniffer support using static ephemeral key.
* Add support for using a static ephemeral DH and ECC keys with TLS v1.3 using `WOLFSSL_STATIC_EPHEMERAL`.
* Adds new API's `wolfSSL_CTX_set_ephemeral_key` and `wolfSSL_set_ephemeral_key`.
* Expanded TLS extension support in sniffer.
* Refactor of the handshake hashing code.
* Added parameter checking to the TLS v1.3 key derivations (protects use of "DoTls13Finished" if handshake resources have been free'd).
* Added support for loading DH keys via `wc_DhImportKeyPair` and `wc_DhExportKeyPair`, enabled with `WOLFSSL_DH_EXTRA`.
* Added sniffer documentation `sslSniffer/README.md`.
- SSL_CIPHER_get_id
- SSL_CIPHER_get_rfc_name
- SSL_get_cipher_by_value
- X509_print_ex
- X509_NAME_add_entry_by_NID
- X509_time_adj
- X509_time_adj_ex
- DTLSv1_get_timeout
- DTLSv1_handle_timeout
- DTLSv1_set_initial_timeout_duration
- SSL_CTX_set_current_time_cb
- PEM_write_bio_RSA_PUBKEY
- PEM_read_bio_RSA_PUBKEY
- PEM_write_bio_PUBKEY
- EVP_PKEY_missing_parameters
- EVP_PKEY_cmp
- BN_is_negative
- BIO_set_retry_write
* Improvements to the notBefore and notAfter date handling.
* Improvements to BIO and BIO_METHOD
- Moved structure to public area to allow for dereferencing
- Renamed members to provide compatibility.
- Added support for custom BIO methods for read/write.
* Added advanced openssl compatibility test cases for key and certificate generation.
* Fix for `ASN1_STRING_set` to allow NULL data.
* Fix to populate public key information on `EVP_PKEY_assign_RSA` and `EVP_PKEY_assign_EC_KEY`.
* Fix naming for `X509_get_notBefore` and `X509_get_notAfter` functions.
* Added `wc_EccPublicKeyDerSize`.
* Improvements to `wc_RsaPublicKeyDerSize`, so dummy memory doesn't have to be allocated.
* Made the `wc_*PublicKeyDerSize` functions public.
* Eliminate use of snprintf for UTC to generalized time conversion in `wolfSSL_ASN1_TIME_to_generalizedtime`.
* Added new `wolfSSL_CTX_load_verify_locations_ex` that supports flags `WOLFSSL_LOAD_FLAG_IGNORE_ERR`, `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` and `WOLFSSL_LOAD_FLAG_PEM_CA_ONLY`.
* Fix for `PemToDer` to handle PEM which may include a null terminator in length at end of file length causing wrong error code to be returned. Added test case for this. (ZD 4278)
* Added macro to override default flags for `wolfSSL_CTX_load_verify_locations` using `WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS`.
* Added tests for loading CA PEM's from directory using `wolfSSL_CTX_load_verify_locations` and `wolfSSL_CTX_load_verify_locations_ex` with flags.
* Added tests for `wolfSSL_CertManagerLoadCABuffer`.
* Updated the expired test certs and added them to `./certs/test/gen-testcerts.sh` script.
In the past, Doxygen just listed API for wolfSSL and wolfCrypt in one long list.
Now there are two separate pages for the wolfSSL and wolfCrypt API references.
wolfSSL remains agnostic to network socket behavior be it blocking or non-blocking. The non-blocking flag was meant for the default EmbedRecvFrom() callback for use with UDP to assist the timing of the handshake.
1. Deprecate wolfSSL_set_using_nonblock() and wolfSSL_get_using_nonblock() for use with TLS sockets. They become don't-cares when used with TLS sessions.
2. Added functions wolfSSL_dtls_set_using_nonblock() and wolfSSL_dtls_get_using_nonblock().
3. Removed a test case from EmbedReceive() that only applied to UDP.
4. Removed the checks for non-blocking sockets from EmbedReceive().
5. Socket timeouts only apply to DTLS sessions.
* More cleanup to move PEM functions from ssl.c to asn.c (`wolfSSL_CertPemToDer`, `wolfSSL_KeyPemToDer`, `wolfSSL_PubKeyPemToDer`). Renamed these API's to `wc_` and added backwards compatability macro for old function names.
* Added PK callback context tests for client/server examples (`SetupPkCallbackContexts`).
* Added new test define for `TEST_PK_PRIVKEY` to allows simulating hardware based private key.
* Added new test.h function for loading PEM key file and converting to DER (`load_key_file`).
* Added way to get private key signature size (`GetPrivateKeySigSize`).
* Added new ECC API `wc_ecc_sig_size_calc` to return max signature size for a key size.
* Added inline comments to help track down handshake message types.
* Cleanup of RSS PSS terminating byte (0xbc) to use enum value.
* Fixed bug with PK callback for `myEccVerify` public key format.
* Fixed bug with PK callback for ED25519 verify key buffer in DoServerKeyExchange.
David Garske
Daniele Lacamera
elms
Juliusz Sosinowicz
TakayukiMatsuo
Eric Blankenhorn
Hayden Roche
toddouska
Daniel Pouzzner
Sean Parkinson
Takashi Kojo
Chris Conlon
kaleb-himes
Ethan Looney
Jacob Barthelmeh
John Safranek
abrahamsonn
connerwolfssl
Takashi Kojo
connerWolfSSL