* Added new `wolfSSL_CTX_load_verify_locations_ex` that supports flags `WOLFSSL_LOAD_FLAG_IGNORE_ERR`, `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY` and `WOLFSSL_LOAD_FLAG_PEM_CA_ONLY`.
* Fix for `PemToDer` to handle PEM which may include a null terminator in length at end of file length causing wrong error code to be returned. Added test case for this. (ZD 4278)
* Added macro to override default flags for `wolfSSL_CTX_load_verify_locations` using `WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS`.
* Added tests for loading CA PEM's from directory using `wolfSSL_CTX_load_verify_locations` and `wolfSSL_CTX_load_verify_locations_ex` with flags.
* Added tests for `wolfSSL_CertManagerLoadCABuffer`.
* Updated the expired test certs and added them to `./certs/test/gen-testcerts.sh` script.
Change define to WOLFSSL_MEMORY_LOG.
Fix for ED25519 server certificate - single cert to allow comparison
with ECC dynamic memory usage.
Free memory earlier to reduce maximum memory usage in a connection.
Make MAX_ENCODED_SIG_SZ only as big as necessary.
Change memory allocation type in sha256 from RNG to DIGEST.
If we know the key type use it in decoding private key
1. Added a missed attr files for the OSCP status files. Bare minimum attr.
2. Added the attr files to the automake include.
3. Fix out of bounds read with the OCSP URL.
1. Made killing the OCSP server process more reliable.
2. Added attr files for the OSCP status files. Bare minimum attr.
3. Added a NL to the error string from the client regarding external tests.
Allows configurations without RSA, DH and ECC but with Curve25519
algorithms to work with SSL/TLS using X25519 key exchange and Ed25519
certificates.
Fix Ed25519 code to call wc_Sha512Free().
Add certificates to test.h and fix examples to use them.
1. Added certificates for localhost where the CN and SAN match and differ.
2. Change subject name matching so the CN is checked if the SAN list doesn't exit, and only check the SAN list if present.
3. Added a test case for the CN/SAN mismatch.
4. Old matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN.
5. Add test case for a correct certificate.
Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
* Fix `MatchDomainName` to also check for remaining len on success check.
* Enhanced `DNS_entry` to include actual ASN.1 length and use it thoughout (was using XSTRLEN).
Added additional tests for matching on domain name:
* Check for bad common name with embedded null (CN=localhost\0h, Alt=None) - Note: Trouble creating cert with this criteria
* Check for bad alternate name with embedded null (CN=www.nomatch.com, Alt=localhost\0h)
* Check for bad common name (CN=www.nomatch.com, Alt=None)
* Check for bad alternate name (CN=www.nomatch.com, Alt=www.nomatch.com)
* Check for good wildcard common name (CN=*localhost, Alt=None)
* Check for good wildcard alternate name (CN=www.nomatch.com, Alt=*localhost)
1. Added files that were missing from the certs directory include.am files.
2. Fixed the duplicate items in the certs directory's include.am files.
3. Reorganized the certs directory include.am files to be a tree.
* Added test for certificate with bad alt name containing a null character mid byte stream.
* Fix for issue with suites unit test where last arg in file doesn't conain data for a param, causing it to skip test.
* Fix for last test in tests/test.conf not being run for `TLSv1.2 RSA 3072-bit DH 3072-bit`.
* Moved the `tls-cert-fail.test` tests into the new expected failure suite test (`./tests/test-fails.conf`). Now it explicilty checks RSA and ECC for the no signer and no sig tests.
kaleb-himes
David Garske
Eric Blankenhorn
Sean Parkinson
John Safranek
toddouska
Jacob Barthelmeh