Testing:
./autogen.sh
./configure --enable-psk
make all check
$ ./examples/server/server -j -l ECDHE-PSK-AES128-GCM-SHA256
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client message: hello wolfssl!
$ ./examples/client/client -s -l ECDHE-PSK-AES128-GCM-SHA256
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
I hear you fa shizzle!
Discovered the AES-GCM flow using this command didn't work in our OpenSSH port.
This commit makes the behavior match OpenSSL and adds testing using known
OpenSSL-generated test vectors to prevent regressions. This was one of those
problems where two ends of a connection would work fine if they were both using
wolfSSL but not if one was using OpenSSL (i.e. OpenSSH interop with AES-GCM
was broken).
Prior to this commit, if you wanted access to the Finished messages from a
handshake, you needed to turn on the compatibility layer, via one of
OPENSSL_ALL, WOLFSSL_HAPROXY, or WOLFSSL_WPAS. With this commit, defining any
of these causes WOLFSSL_HAVE_TLS_UNIQUE to be defined (a reference to the
tls-unique channel binding which these messages are used for) in settings.h.
This allows a user to define WOLFSSL_HAVE_TLS_UNIQUE to access the Finished
messages without bringing in the whole compat layer.
Allow the user to register a session remove callback with wolfSSL_CTX_sess_set_remove_cb() that will be called when the session is about to be free'd or evicted from cache.
CBIORecv/Send are only assigned once.
IOCB_ReadCtx/WriteCtx only assigned once.
BuildMessage checks output and input wiht sizeOnly every call - state
machine doesn't cache these.
Renamed alias_tbl variables to something unique.
Other cppcheck fixes.
Also reworked pem_read_bio_key().
* Fix wolfSSL_RSA_public_decrypt() return value to match Openssl
* Add support for EVP_PKEY_verify_init() and EVP_PKEY_verify()
* wpa_supplicant SAE public key functionality requires this function.
* Add DSA support for EVP_PKEY_sign/verify()
* Add ECDSA support for EVP_PKEY_sign/verify()
* Add tests for EVP_PKEY_sign_verify()
* Fix "siglen = keySz" at error cases
* Fix wolfSSL_DSA_do_sign() usage
1. Check wolfSSL_BN_num_bytes() return value
2. Check siglen size
3. Double the siglen
* Check return code of wolfSSL_i2d_ECDSA_SIG() in wolfSSL_EVP_DigestSignFinal()
* Add size calculations to `wolfSSL_EVP_PKEY_sign`
* Add size checks to wolfSSL_EVP_PKEY_sign before writing out signature
* Use wc_ecc_sig_size() to calculate ECC signature size
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Co-authored-by: Juliusz Sosinowicz <juliusz@wolfssl.com>