Add support for:
- SM2 elliptic curve and SM2 sign/verify
- SM3 digest
- SM4 cipher with modes ECB/CBC/CTR/GCM/CCM
Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
PEM example converts PEM to DER and DER to PEM.
Supports encrypting DER and writing out as PEM.
Added better support for 40-bit RC2-CBC PBE.
Added AES-128-CBC encryption support with PKCS#5v2.
Fixed handling of iterations to support writing 24-bit values.
Declared enum types for pass to PKCS#8 encryption APIs.
Add more DER and PEM files to certs directory.
Add testing of 'pem' with pem.test script.
Also:
* added HAVE_FALCON guards as needed.
* corrected minor falcon bugs as I found them.
* handling OID sum collision between DILITHIUM_LEVEL5 and DILITHIUM_AES_LEVEL3
Tested with the following commands:
examples/server/server -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
examples/client/client -v 4 -l TLS_AES_256_GCM_SHA384 \
-c ~/tmp/dilithium_aes_level5_entity_cert.pem \
-k ~/tmp/dilithium_aes_level5_entity_key.pem \
-A ~/tmp/dilithium_aes_level5_root_cert.pem --pqc P521_KYBER_LEVEL5
with permutations of SHAKE,AES variants and levels 2,3,5
Add support for parsing and verifying certificates with RSA-PSS
signatures. Including check PSS parameters in key with those in
signature algorithm.
Add support for parsing private RSA PSS key.
Add support for parsing public RSA PSS key.
* This PR resolves issues with using TLS client authentication (mutual auth) with crypto callbacks. The TLS client auth will not be sent without a private key being set. The solution is to allow setting a public key only if crypto callbacks is enabled and a devId is set.
* Fix to allow using crypto callbacks with TLS mutual authentication where a private key is not available.
* Fix for ED25519 sign when only a private key is loaded.
* Fix to enable crypto callbacks for ED25519 and Curve25519 in TLS by using the _ex init functions.
* Fix for wc_PemToDer return code where a PKCS8 header does not exist.
* Remove duplicate logs in DoCertificateVerify.
* Doxygen API updates: Added crypto callback help and updated use_PrivateKey with info about public key use.
* * Added crypto callback tests for TLS client and server with mutual auth for RSA, ECC and ED25519.
* Enhanced the API unit test TLS code to allow setting CA, cert and key.
* Revert ED25519 changes. Opt to calculate public key directly when required for signing in the TLS crypto callback test. Build configuration fixes.
* Fix to use proper devId in `ProcessBufferTryDecode`.
* Various build fixes due to changes in PR. G++ issue with `missing-field-initializers`. Unused api.c func with DTLS and session export. Duplicate `eccKeyPubFile` def.
* Added crypto callback TLS tests at WOLFSSL object level. Fix for ED25519/ED448 with client mutual auth where the private key is not set till WOLFSSL object. Fix issues with `wolfSSL_CTX_GetDevId` where devId is set on WOLFSSL object. Enable the `_id` API's for crypto callbacks.
* Proper fix for `eccKeyPubFile` name conflict. Was causing RSA test to fail (expected DER, not PEM).
* add DIST_POINT compatibility functions
* switch X509_LU_* from enum to define, prevent compiler type warnings
* refactoring, adding in comments, and formating
* refactoring and a memory leak fix
* cast return value for g++ warning
* refactor wolfSSL_sk_DIST_POINT_pop_free and remove NULL assign after free
* fix get next DIST_POINT node for free function
Co-authored-by: Jacob Barthelmeh <jacob@wolfssl.com>
* Remove NTRU and OQS
* Keep the DTLS serialization format backwards compatible.
* Remove n from mygetopt_long() call.
* Fix over-zealous deletion.
* Resolve problems found by @SparkiDev
- `EVP_PKEY_assign_RSA` should store the private key in DER format, not the
public key.
- The last call to `infoCb` in `wolfSSL_BIO_write` should provide the length of
the data to write.
- We should be able to parse RSA public keys starting with BEGIN RSA PUBLIC KEY
and ending with END RSA PUBLIC KEY.
Digest size compared to key size - P521 has large key size.
Fixed to round down.
Added P-521 keys and certificates.
Added testing of P-521 keys and certificcates to unittest.
* Added TLS v1.3 sniffer support using static ephemeral key.
* Add support for using a static ephemeral DH and ECC keys with TLS v1.3 using `WOLFSSL_STATIC_EPHEMERAL`.
* Adds new API's `wolfSSL_CTX_set_ephemeral_key` and `wolfSSL_set_ephemeral_key`.
* Expanded TLS extension support in sniffer.
* Refactor of the handshake hashing code.
* Added parameter checking to the TLS v1.3 key derivations (protects use of "DoTls13Finished" if handshake resources have been free'd).
* Added support for loading DH keys via `wc_DhImportKeyPair` and `wc_DhExportKeyPair`, enabled with `WOLFSSL_DH_EXTRA`.
* Added sniffer documentation `sslSniffer/README.md`.
* Added ECC and RSA intermediate CA's and server/client chain certificates for testing.
* Enhanced suites test to support expected fail arg `-H exitWithRet` in any test .conf file.
* Added new `test-altchains.conf` for testing with `WOLFSSL_ALT_CERT_CHAINS` defined.
* Added new `test-chains` for testing chains.
* Added new `test-dhprime.conf` for DH prime check tests.
* Added new `test-trustedpeer.conf` for testing `WOLFSSL_TRUST_PEER_CERT`.
* Refactor to add `-2` to disable DH prime check by default (except for new test-dhprime.conf).
* Added ability to run a specific test.conf file using syntax like `./tests/unit.test tests/test-altchains.conf`.
1. Added files that were missing from the certs directory include.am files.
2. Fixed the duplicate items in the certs directory's include.am files.
3. Reorganized the certs directory include.am files to be a tree.
* Fixes to support certificate generation (`WOLFSSL_CERT_GEN`) without RSA enabled.
* Added new ECC CA for 384-bit tests.
* Created new server cert chain (ECC CA for 256-bit that signs server-ecc.pem)
* Created new `./certs/ecc/genecc.sh` script for generating all ECC CA's, generated server cert req (CSR), signing with CA and the required CRL.
* Moved the wolfCrypt ECC CA / ECC cert gen test into `ecc_test` as `ecc_test_cert_gen`.
* Refactor duplicate code that saves DER to disk, converts DER to PEM and saves PEM to disk into SaveDerAndPem function.
* Changed `ecc_test_make_pub` and `ecc_test_key_gen` to use XMALLOC for temp buffers (uses heap instead of stack).
* Cleanup to combine all certificate subject information into global `certDefaultName`.
* Updated cert request info to use wolfSSL instead of Yassl.
* Cleanup to combine keyUsage into `certKeyUsage` and `certKeyUsage2`.
* Re-number error codes in rsa_test.
* Moved the certext_test after the ecc_test, since it uses a file generated in `ecc_test_cert_gen`.
