Update OpenSSL interopability testing

Added TLS 1.3 testing.
Added Ed25519 and Ed448 testing.
Added tesitng of OpenSSL client against wolfSSL server.
Fixed builds of Curve25519/Curve448/Ed25519/Ed448 in different
configurations.

configure.ac

@@ -3131,7 +3131,7 @@ AC_ARG_ENABLE([supportedcurves],
 
 if test "x$ENABLED_SUPPORTED_CURVES" = "xyes"
 then
-    AS_IF([test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno"],
+    AS_IF([test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno"],
           [ENABLED_SUPPORTED_CURVES=no],
           [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES"])
 fi
@@ -3231,7 +3231,7 @@ then
     ENABLED_ENCRYPT_THEN_MAC=yes
     AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
     # Check the ECC supported curves prereq
-    AS_IF([test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
+    AS_IF([test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
           [ENABLED_SUPPORTED_CURVES=yes
            AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
 fi

scripts/openssl.test

@@ -15,19 +15,31 @@ generate_port() {
 }
 
 
-generate_port
-openssl_port=$port
 no_pid=-1
-server_pid=$no_pid
-ecdh_server_pid=$no_pid
-wolf_suites_tested=0
-wolf_suites_total=0
+servers=""
+openssl_pid=$no_pid
+ecdh_openssl_pid=$no_pid
+ecdsa_openssl_pid=$no_pid
+ed25519_openssl_pid=$no_pid
+ed448_openssl_pid=$no_pid
+tls13_psk_openssl_pid=$no_pid
+wolfssl_pid=$no_pid
+ecdh_wolfssl_pid=$no_pid
+ecdsa_wolfssl_pid=$no_pid
+ed25519_wolfssl_pid=$no_pid
+ed448_wolfssl_pid=$no_pid
+tls13_psk_wolfssl_pid=$no_pid
+anon_wolfssl_pid=$no_pid
+wolf_cases_tested=0
+wolf_cases_total=0
 counter=0
-testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#Tested\n"
+testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
 versionName="Invalid"
 if [ "$OPENSSL" = "" ]; then
     OPENSSL=openssl
 fi
+WOLFSSL_SERVER=./examples/server/server
+WOLFSSL_CLIENT=./examples/client/client
 
 version_name() {
     case $version in "0")
@@ -43,6 +55,15 @@ version_name() {
         versionName="TLSv1.2"
         ;;
     "4")
+        versionName="TLSv1.3"
+        ;;
+    "d")
+        versionName="Down"
+        ;;
+    "")
+        versionName="Def"
+        ;;
+    "5")
         versionName="ALL"
         ;;
     esac
@@ -51,17 +72,16 @@ version_name() {
 do_cleanup() {
     echo "in cleanup"
 
-    if  [ $server_pid != $no_pid ]
-    then
-        echo "killing server"
-        kill -9 $server_pid
-    fi
-
-    if  [ $ecdh_server_pid != $no_pid ]
-    then
-        echo "killing ECDH-RSA server"
-        kill -9 $ecdh_server_pid
-    fi
+    IFS=$OIFS #restore separator
+    for s in $servers
+    do
+        f2=${s%:*}
+        sname=${f2%:*}
+        pid=${f2##*:}
+        port=${s##*:}
+        echo "killing server: $sname ($port)"
+        kill -9 $pid
+    done
 }
 
 do_trap() {
@@ -72,76 +92,122 @@ do_trap() {
 
 trap do_trap INT TERM
 
-echo -e "\nTesting existence of openssl command...\n"
-command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed.  Ending."; exit 0; }
 
+check_process_running() {
+    if [ "$ps_grep" = "" ]
+    then
+        ps -p $server_pid > /dev/null
+        PS_EXIT=$?
+    else
+        ps | grep "^ *$server_pid " > /dev/null
+        PS_EXIT=$?
+    fi
+}
 
-echo -e "\nTesting for _build directory as part of distcheck, different paths"
-currentDir=`pwd`
-if [ $currentDir = *"_build" ]
-then
-    echo -e "_build directory detected, moving a directory back"
-    cd ..
-fi
+#
+# Start an OpenSSL server
+#
+start_openssl_server() {
+    if [ "$wolfssl_client_avail" = "" ]
+    then
+        return
+    fi
 
+    generate_port
+    server_port=$port
+    found_free_port=0
+    counter=0
+    while [ "$counter" -lt 20 ]; do
+        echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..."
+        echo "#"
 
-# get wolfssl ciphers
-wolf_ciphers=`./examples/client/client -e`
+        if [ "$cert_file" != "" ]
+        then
+            echo "# " $OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file  -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL"
+            $OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file  -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" &
+        else
+            echo "# " $OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL"
+            $OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" &
+        fi
+        server_pid=$!
+        # wait to see if s_server successfully starts before continuing
+        sleep 0.1
+
+        check_process_running
+        if [ "$PS_EXIT" = "0" ]
+        then
+            echo "s_server started successfully on port $server_port"
+            found_free_port=1
+            break
+        else
+            #port already started, try a different port
+            counter=$((counter+ 1))
+            generate_port
+            server_port=$port
+        fi
+    done
 
-found_free_port=0
-while [ "$counter" -lt 20 ]; do
-    echo -e "\nTrying to start openssl server on port $openssl_port...\n"
+    if [ $found_free_port = 0 ]
+    then
+        echo -e "Couldn't find free port for server"
+        do_cleanup
+        exit 1
+    fi
 
-    $OPENSSL s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem  -quiet -CAfile ./certs/client-ca.pem -www  -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem -verify 10 -verify_return_error -psk 1a2b3c4d -cipher "ALL:eNULL" &
-    server_pid=$!
-    # wait to see if s_server successfully starts before continuing
-    sleep 0.1
+    servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
+}
 
-    if ps -p $server_pid > /dev/null
+#
+# Start a wolfSSL server
+#
+start_wolfssl_server() {
+    if [ "$wolfssl_server_avail" = "" ]
     then
-        echo "s_server started successfully on port $openssl_port"
-        found_free_port=1
-        break
-    else
-        #port already started, try a different port
-        counter=$((counter+ 1))
-        generate_port
-        openssl_port=$port
+        echo "# wolfSSL server not available"
+        return
     fi
-done
 
-if [ $found_free_port = 0 ]
-then
-    echo -e "Couldn't find free port for server"
-    do_cleanup
-    exit 1
-fi
+    wolfssl_cert=""
+    wolfssl_key=""
+    wolfssl_caCert=""
+    if [ "$cert_file" != "" ]
+    then
+        wolfssl_cert="-c$cert_file"
+    fi
+    if [ "$key_file" != "" ]
+    then
+        wolfssl_key="-k$key_file"
+    fi
+    if [ "$ca_file" != "" ]
+    then
+        wolfssl_caCert="-A$ca_file"
+    fi
 
-# if ECDH-RSA is enabled then start up server for ECDH-RSA suites
-case $wolf_ciphers in
-*ECDH-RSA*)
     generate_port
-    ecdh_port=$port
+    server_port=$port
     found_free_port=0
     counter=0
     while [ "$counter" -lt 20 ]; do
-        echo -e "\nTrying to start ECDH-RSA openssl server on port $ecdh_port...\n"
+        echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..."
 
-        $OPENSSL s_server -accept $ecdh_port -cert ./certs/server-ecc-rsa.pem -key ./certs/ecc-key.pem  -quiet -CAfile ./certs/client-ca.pem -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -cipher "ALL:eNULL" &
-        ecdh_server_pid=$!
+        echo "#"
+        echo "# $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL"
+        $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL &
+        server_pid=$!
         # wait to see if s_server successfully starts before continuing
         sleep 0.1
 
-        if ps -p $ecdh_server_pid > /dev/null
+        check_process_running
+        if [ "$PS_EXIT" = "0" ]
         then
-            echo "s_server started successfully on port $ecdh_port"
+            echo "wolfSSL server started successfully on port $server_port"
             found_free_port=1
             break
         else
             #port already started, try a different port
             counter=$((counter+ 1))
             generate_port
-            ecdh_port=$port
+            server_port=$port
         fi
     done
 
@@ -151,113 +217,661 @@ case $wolf_ciphers in
         do_cleanup
         exit 1
     fi
+
+    servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
+}
+
+check_server_ready() {
+    # server should be ready, let's make sure
+    server_ready=0
+    while [ "$counter" -lt 20 ]; do
+        echo -e "waiting for $server_name ready..."
+        echo -e Checking | nc localhost $server_port
+        nc_result=$?
+        if [ $nc_result = 0 ]
+        then
+            echo -e "$server_name ready!"
+            server_ready=1
+            break
+        fi
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if [ $server_ready = 0 ]
+    then
+        echo -e "Couldn't verify $server_name is running, timeout error"
+        do_cleanup
+        exit 1
+    fi
+}
+
+#
+# Run wolfSSL client against OpenSSL server
+#
+do_wolfssl_client() {
+    if [ "$wolfssl_client_avail" = "" ]
+    then
+        return
+    fi
+
+    wolfssl_cert=""
+    wolfssl_key=""
+    wolfssl_caCert=""
+    if [ "$cert" != "" ]
+    then
+        wolfssl_cert="-c$cert"
+    fi
+    if [ "$key" != "" ]
+    then
+        wolfssl_key="-k$key"
+    fi
+    if [ "$caCert" != "" ]
+    then
+        wolfssl_caCert="-A$caCert"
+    fi
+    wolfssl_resume="-r"
+    if [ "$openssl_psk_resume_bug" != "" -a "$tls13_suite" != "" ]
+    then
+        wolfssl_resume=
+    fi
+    if [ "$version" != "5" -a "$version" != "" ]
+    then
+        echo "#"
+        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl"
+        $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl
+    else
+        echo "#"
+        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl"
+        # do all versions
+        $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl
+    fi
+
+    client_result=$?
+
+    if [ $client_result != 0 ]
+    then
+        echo -e "client failed! Suite = $wolfSuite version = $version"
+        do_cleanup
+        exit 1
+    fi
+    wolf_temp_cases_tested=$((wolf_temp_cases_tested+1))
+}
+
+#
+# Run OpenSSL client against wolfSSL server
+#
+do_openssl_client() {
+    if [ "$wolfssl_server_avail" = "" ]
+    then
+        return
+    fi
+
+    if [ "$version" = "" -o "$version" = "5" ]
+    then
+        if [ "$tls13_cipher" = "" -a "$openssl_tls13" != "" ]
+        then
+            openssl_version="-no_tls1_3"
+        fi
+    fi
+    if [ "$cert" != "" ]
+    then
+        openssl_cert1="-cert"
+        openssl_cert2="$cert"
+    fi
+    if [ "$key" != "" ]
+    then
+        openssl_key1="-key"
+        openssl_key2="$key"
+    fi
+    if [ "$caCert" != "" ]
+    then
+        openssl_caCert1="-CAfile"
+        openssl_caCert2="$caCert"
+    fi
+    if [ "$tls13_cipher" = "" ]
+    then
+        echo "#"
+        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 $openssl_cert2 $openssl_key1 $openssl_key2 $openssl_caCert1 $openssl_caCert2"
+        echo "Hello" | $OPENSSL s_client -connect localhost:$port -reconnect -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 $openssl_cert2 $openssl_key1 $openssl_key2 $openssl_caCert1 $openssl_caCert2
+    else
+        echo "#"
+        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 $openssl_cert2 $openssl_key1 $openssl_key2 $openssl_caCert1 $openssl_caCert2"
+        echo "Hello" | $OPENSSL s_client -connect localhost:$port -reconnect -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 $openssl_cert2 $openssl_key1 $openssl_key2 $openssl_caCert1 $openssl_caCert2
+    fi
+
+    client_result=$?
+
+    if [ $client_result != 0 ]
+    then
+        echo -e "client failed! Suite = $wolfSuite version = $version"
+        do_cleanup
+        exit 1
+    fi
+    open_temp_cases_tested=$((open_temp_cases_tested+1))
+}
+
+OIFS=$IFS # store old separator to reset
+
+#
+# Start
+#
+ps -p $PPID >/dev/null 2>&1
+if [ "$?" = "1" ]
+then
+    ps_grep="yes"
+    echo "ps -p not working, using ps and grep"
+fi
+
+echo -e "\nTesting existence of openssl command...\n"
+command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed.  Ending."; do_cleanup; exit 0; }
+
+
+echo -e "\nTesting for _build directory as part of distcheck, different paths"
+currentDir=`pwd`
+if [ $currentDir = *"_build" ]
+then
+    echo -e "_build directory detected, moving a directory back"
+    cd ..
+fi
+echo -e "\nChecking for wolfSSL client - needed for cipher list"
+wolfssl_client_avail=`$WOLFSSL_CLIENT -?`
+case $wolfssl_client_avail in
+*"Client not compiled in!"*)
+    wolfssl_client_avail=
+    echo >&2 "Requires wolfSSL client, but it's not built.  Ending."
+    do_cleanup
+    exit 0
     ;;
 esac
 
-# server should be ready, let's make sure
-server_ready=0
-while [ "$counter" -lt 20 ]; do
-    echo -e "waiting for openssl s_server ready..."
-    nc -z localhost $openssl_port
-    nc_result=$?
-    if [ $nc_result = 0 ]
+echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
+openssl_version=`$OPENSSL version`
+case $openssl_version in
+"OpenSSL 1.1.1 "*)
+    openssl_psk_resume_bug=yes
+    ;;
+"OpenSSL 1.0.2"*)
+    openssl_adh_reneg_bug=yes
+    ;;
+esac
+
+# check for wolfssl server
+wolfssl_server_avail=`$WOLFSSL_SERVER -?`
+case $wolfssl_server_avail in
+*"Server not compiled in!"*)
+    wolfssl_server_avail=
+    ;;
+esac
+# get wolfssl ciphers
+wolf_ciphers=`$WOLFSSL_CLIENT -e`
+# get wolfssl supported versions
+wolf_versions=`$WOLFSSL_CLIENT -V`
+wolf_versions="$wolf_versions:5" #5 will test without -v flag
+
+OIFS=$IFS # store old separator to reset
+IFS=$'\:' # set delimiter
+for version in $wolf_versions
+do
+    case $version in
+    1|2|3)
+        wolf_tls=yes
+        ;;
+    4)
+        wolf_tls13=yes
+        ;;
+    esac
+done
+IFS=$OIFS #restore separator
+
+#
+# Start OpenSSL servers
+#
+
+# Check if ECC certificates supported in wolfSSL
+wolf_ecc=`$WOLFSSL_CLIENT -A ./certs/ed25519/ca-ecc-cert.pem 2>&1`
+case $wolf_ecc in
+*"ca file"*)
+    wolf_ecc=""
+    ;;
+*)
+    ;;
+esac
+# Check if Ed25519 certificates supported in wolfSSL
+wolf_ed25519=`$WOLFSSL_CLIENT -A ./certs/ed25519/root-ed25519.pem 2>&1`
+case $wolf_ed25519 in
+*"ca file"*)
+    wolf_ed25519=""
+    ;;
+*)
+    ;;
+esac
+# Check if Ed25519 certificates supported in OpenSSL
+openssl_ed25519=`$OPENSSL s_client -cert ./certs/ed25519/client-ed25519.pem -key ./certs/ed25519/client-ed25519-priv.pem 2>&1`
+case $openssl_ed25519 in
+*"unable to load"*)
+    wolf_ed25519=""
+    ;;
+*)
+    ;;
+esac
+# Check if Ed448 certificates supported in wolfSSL
+wolf_ed448=`$WOLFSSL_CLIENT -A ./certs/ed448/root-ed448.pem 2>&1`
+case $wolf_ed448 in
+*"ca file"*)
+    wolf_ed448=""
+    ;;
+*)
+    ;;
+esac
+# Check if Ed448 certificates supported in OpenSSL
+openssl_ed448=`$OPENSSL s_client -cert ./certs/ed448/client-ed448.pem -key ./certs/ed448/client-ed448-priv.pem 2>&1`
+case $openssl_ed448 in
+*"unable to load"*)
+    wolf_ed448=""
+    ;;
+*)
+    ;;
+esac
+
+openssl_tls13=`$OPENSSL s_client -help 2>&1`
+case $openssl_tls13 in
+*no_tls1_3*)
+    ;;
+*)
+    openssl_tls13=
+    ;;
+esac
+
+# Check suites to determine support in wolfSSL
+OIFS=$IFS # store old separator to reset
+IFS=$'\:' # set delimiter
+for wolfSuite in $wolf_ciphers; do
+    case $wolfSuite in
+    *ECDHE-RSA-*)
+        ecdhe_avail=yes
+        wolf_rsa=yes
+        ;;
+    *DHE-RSA-*)
+        wolf_rsa=yes
+        ;;
+    *ECDH-RSA*)
+        wolf_ecdh_rsa=yes
+        ;;
+    *ECDHE-ECDSA*|*ECDH-ECDSA*)
+        wolf_ecdsa=yes
+        ;;
+    *ADH*)
+        wolf_anon=yes
+        ;;
+    *PSK*)
+        if [ "$wolf_psk" = "" ]
+        then
+            echo "Testing PSK"
+            wolf_psk=1
+        fi
+        if [ "$wolf_tls" != "" ]
+        then
+            wolf_tls_psk=yes
+        fi
+        ;;
+    *TLS13*)
+        ;;
+    *)
+        wolf_rsa=yes
+    esac
+done
+IFS=$OIFS #restore separator
+
+openssl_ciphers=`$OPENSSL ciphers ALL 2>&1`
+case $openssl_ciphers in
+*ADH*)
+    openssl_anon=yes
+    ;;
+esac
+
+# TLSv1 -> TLSv1.2 PSK secret
+psk_hex="1a2b3c4d"
+
+# If RSA cipher suites supported in wolfSSL then start servers
+if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ]
+then
+    if [ "$wolf_rsa" != "" ]
     then
-        echo -e "openssl s_server ready!"
-        server_ready=1
-        break
+        cert_file="./certs/server-cert.pem"
+        key_file="./certs/server-key.pem"
+        ca_file="./certs/client-ca.pem"
+    else
+        cert_file=
+        key_file=
+        ca_file=
     fi
-    sleep 0.1
-    counter=$((counter+ 1))
-done
 
+    openssl_suite="RSA"
+    start_openssl_server
+    openssl_port=$server_port
+    openssl_pid=$server_pid
+
+    wolfssl_suite="RSA"
+    if [ "$wolf_tls_psk" != "" ]
+    then
+        psk="-j"
+    fi
+echo "cert_file=$cert_file"
+    start_wolfssl_server
+    psk=
+    wolfssl_port=$server_port
+    wolfssl_pid=$server_pid
+fi
 
-if [ $server_ready = 0 ]
+# If ECDH-RSA cipher suites supported in wolfSSL then start servers
+if [ "$wolf_ecdh_rsa" != "" ]
 then
-    echo -e "Couldn't verify openssl server is running, timeout error"
-    do_cleanup
-    exit 1
+    cert_file="./certs/server-ecc-rsa.pem"
+    key_file="./certs/ecc-key.pem"
+    ca_file="./certs/client-ca.pem"
+
+    openssl_suite="ECDH-RSA"
+    start_openssl_server
+    ecdh_openssl_port=$server_port
+    ecdh_openssl_pid=$server_pid
+
+    wolfssl_suite="ECDH-RSA"
+    start_wolfssl_server
+    ecdh_wolfssl_port=$server_port
+    ecdh_wolfssl_pid=$server_pid
 fi
 
+if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ]
+then
+    cert_file="./certs/server-ecc.pem"
+    key_file="./certs/ecc-key.pem"
+    ca_file="./certs/client-ca.pem"
+
+    openssl_suite="ECDH[E]-ECDSA"
+    start_openssl_server
+    ecdsa_openssl_port=$server_port
+    ecdsa_openssl_pid=$server_pid
+
+    wolfssl_suite="ECDH[E]-ECDSA"
+    start_wolfssl_server
+    ecdsa_wolfssl_port=$server_port
+    ecdsa_wolfssl_pid=$server_pid
+fi
+
+# If Ed25519 certificates supported in wolfSSL then start servers
+if [ "$wolf_ed25519" != "" ];
+then
+    cert_file="./certs/ed25519/server-ed25519.pem"
+    key_file="./certs/ed25519/server-ed25519-priv.pem"
+    ca_file="./certs/ed25519/root-ed25519.pem"
+
+    openssl_suite="Ed25519"
+    start_openssl_server
+    ed25519_openssl_port=$server_port
+    ed25519_openssl_pid=$server_pid
+
+    crl="-V"
+    wolfssl_suite="Ed25519"
+    start_wolfssl_server
+    ed25519_wolfssl_port=$server_port
+    ed25519_wolfssl_pid=$server_pid
+    crl=
+fi
+
+# If Ed448 certificates supported in wolfSSL then start servers
+if [ "$wolf_ed448" != "" ];
+then
+    cert_file="./certs/ed448/server-ed448.pem"
+    key_file="./certs/ed448/server-ed448-priv.pem"
+    ca_file="./certs/ed448/client-ed448.pem"
+
+    openssl_suite="Ed448"
+    start_openssl_server
+    ed448_openssl_port=$server_port
+    ed448_openssl_pid=$server_pid
+
+    crl="-V"
+    wolfssl_suite="Ed448"
+    start_wolfssl_server
+    ed448_wolfssl_port=$server_port
+    ed448_wolfssl_pid=$server_pid
+    crl=
+fi
+
+if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ]
+then
+    cert_file="./certs/server-cert.pem"
+    key_file="./certs/server-key.pem"
+
+    psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+    openssl_suite="TLSv1.3_PSK"
+    start_openssl_server
+    tls13_psk_openssl_port=$server_port
+    tls13_psk_openssl_pid=$server_pid
+
+    psk="-s"
+    wolfssl_suite="TLSv1.3_PSK"
+    start_wolfssl_server
+    tls13_psk_wolfssl_port=$server_port
+    tls13_psk_wolfssl_pid=$server_pid
+fi
+if [ "$wolf_anon" != "" -a "$openssl_anon" ]
+then
+    cert_file=""
+    key_file=""
+    ca_file=""
+
+    wolfssl_suite="Anon"
+    psk="-a" # anonymous not psk
+    start_wolfssl_server
+    anon_wolfssl_port=$server_port
+    anon_wolfssl_pid=$server_pid
+fi
+
+for s in $servers
+do
+    f2=${s%:*}
+    server_name=${f2%:*}
+    server_port=${s##*:}
+    check_server_ready
+done
+
 OIFS=$IFS # store old separator to reset
 IFS=$'\:' # set delimiter
 set -f # no globbing
 
-wolf_versions=`./examples/client/client -V`
-wolf_versions="$wolf_versions:4" #:4 will test without -v flag
-
-wolf_temp_suites_total=0
-wolf_temp_suites_tested=0
+wolf_temp_cases_total=0
+wolf_temp_cases_tested=0
 
+# Testing of OpenSSL support for version requires a running OpenSSL server
 for version in $wolf_versions;
 do
     echo -e "version = $version"
     # get openssl ciphers depending on version
     # -s flag for only supported ciphers
-    case $version in "0")
-        openssl_ciphers=`$OPENSSL ciphers "SSLv3"`
+    case $version in
+    "0")
+        openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1`
 
         # double check that can actually do a sslv3 connection using
         # client-cert.pem to send but any file with EOF works
         $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < ./certs/client-cert.pem
         sslv3_sup=$?
-
         if [ $sslv3_sup != 0 ]
         then
             echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
-            testing_summary="$testing_summary SSLv3\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+            testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
             continue
         fi
+        openssl_version="-ssl3"
         ;;
     "1")
-        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1"`
+        proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1`
+        tlsv1_sup=$?
+        if [ $tlsv1_sup != 0 ]
+        then
+            echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
+            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
+            continue
+        fi
+        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
         tlsv1_sup=$?
         if [ $tlsv1_sup != 0 ]
         then
             echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
-            testing_summary="$testing_summary TLSv1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
             continue
         fi
+        openssl_version="-tls1"
         ;;
     "2")
-        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.1"`
+        # Same ciphers for TLSv1.1 as TLSv1
+        proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1`
         tlsv1_1_sup=$?
         if [ $tlsv1_1_sup != 0 ]
         then
             echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
-            testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+            testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
+            continue
+        fi
+        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
+        tlsv1_sup=$?
+        if [ $tlsv1_sup != 0 ]
+        then
+            echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
+            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
             continue
         fi
+        openssl_version="-tls1_1"
         ;;
     "3")
-        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2"`
+        openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1`
         tlsv1_2_sup=$?
         if [ $tlsv1_2_sup != 0 ]
         then
             echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
-            testing_summary="$testing_summary TLSv1.2\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+            testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
             continue
         fi
+        openssl_version="-tls1_2"
+        ;;
+    "4")
+        openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1`
+        tlsv1_3_sup=$?
+        if [ $tlsv1_3_sup != 0 ]
+        then
+            echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
+            testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
+            continue
+        fi
+        ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'`
+        openssl_version="-tls1_3"
+        ;;
+    "d(downgrade)")
+        version="d"
+        openssl_version=""
         ;;
-    "4") #test all suites
-        openssl_ciphers=`$OPENSSL ciphers -s "ALL"`
+    "e(either)")
+        continue
+        ;;
+    "5") #test all suites
+        openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1`
         all_sup=$?
         if [ $all_sup != 0 ]
         then
             echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
-            testing_summary="$testing_summary ALL\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
             continue
         fi
+        openssl_version=""
+        ;;
+    "")
+        openssl_ciphers=`$OPENSSL ciphers 2>&1`
+        all_sup=$?
+        if [ $all_sup != 0 ]
+        then
+            echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
+            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
+            continue
+        fi
+        openssl_version=""
         ;;
     esac
 
     for wolfSuite in $wolf_ciphers; do
         echo -e "trying wolfSSL cipher suite $wolfSuite"
-        wolf_temp_suites_total=$((wolf_temp_suites_total + 1))
+        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+        open_temp_cases_total=$((open_temp_cases_total + 1))
         matchSuite=0;
+        tls13_suite=
+
+        case $wolfSuite in
+        "TLS13-AES128-GCM-SHA256")
+            cmpSuite="TLS_AES_128_GCM_SHA256"
+            tls13_suite="yes"
+            ;;
+        "TLS13-AES256-GCM-SHA384")
+            cmpSuite="TLS_AES_256_GCM_SHA384"
+            tls13_suite="yes"
+            ;;
+        "TLS13-CHACHA20-POLY1305-SHA256")
+            cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
+            tls13_suite="yes"
+            ;;
+        "TLS13-AES128-CCM-SHA256")
+            cmpSuite="TLS_AES_128_CCM_SHA256"
+            tls13_suite="yes"
+            ;;
+        "TLS13-AES128-CCM-8-SHA256")
+            cmpSuite="TLS_AES_128_CCM_8_SHA256"
+            tls13_suite="yes"
+            ;;
+        "TLS13-SHA256-SHA256")
+            continue
+            ;;
+        "TLS13-SHA384-SHA384")
+            continue
+            ;;
+        "TLS13-"*)
+            echo -e "Suite = $wolfSuite not recognized!"
+            echo -e "Add translation of wolfSSL name to OpenSSL"
+            do_cleanup
+            exit 1
+            ;;
+        *)
+            cmpSuite=$wolfSuite
+            ;;
+        esac
 
-        case ":$openssl_ciphers:" in *":$wolfSuite:"*) # add extra : for edge cases
-            echo -e "Matched to OpenSSL suite support"
-            matchSuite=1;;
+        case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
+            case "$cmpSuite" in
+            "TLS_"*)
+                if [ "$version" != "4" -a "$version" != "d" ]
+                then
+                    echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
+                    matchSuite=0
+                else
+                    echo -e "Matched to OpenSSL suite support"
+                    matchSuite=1
+                fi
+                ;;
+            *)
+                if [ "$version" = "d" -a "$wolfdowngrade" = "4" ]
+                then
+                    echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
+                    matchSuite=0
+                elif [ "$version" != "4" ]
+                then
+                    echo -e "Matched to OpenSSL suite support"
+                    matchSuite=1
+                else
+                    echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
+                    matchSuite=0
+                fi
+                ;;
+            esac
+            ;;
         esac
 
         if [ $matchSuite = 0 ]
@@ -269,56 +883,230 @@ do
         # check for psk suite and turn on client psk if so
         psk=""
         adh=""
-        port=$openssl_port
+        crl=""
+        cert=""
+        key=""
         caCert=""
         case $wolfSuite in
         *ECDH-RSA*)
-            port=$ecdh_port ;;
+            cert="./certs/client-cert.pem"
+            key="./certs/client-key.pem"
+            caCert="./certs/ca-cert.pem"
+            port=$ecdh_openssl_port
+            do_wolfssl_client
+            port=$ecdh_wolfssl_port
+            do_openssl_client
+            ;;
         *ECDHE-ECDSA*|*ECDH-ECDSA*)
-            caCert="-A./certs/ca-ecc-cert.pem" ;;
+            if [ "$wolf_ecc" != "" ]
+            then
+                cert="./certs/client-cert.pem"
+                key="./certs/client-key.pem"
+                caCert="./certs/ca-ecc-cert.pem"
+
+                port=$ecdsa_openssl_port
+                do_wolfssl_client
+                port=$ecdsa_wolfssl_port
+                do_openssl_client
+            else
+                wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
+            fi
+            if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
+            then
+                cert="./certs/ed25519/server-ed25519.pem"
+                key="./certs/ed25519/server-ed25519-priv.pem"
+                caCert="./certs/ed25519/server-ed25519.pem"
+
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$ed25519_openssl_port
+                crl="-C"
+                do_wolfssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$ed25519_wolfssl_port
+                do_openssl_client
+            fi
+            if [ $ed448_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
+            then
+                cert="./certs/ed448/client-ed448.pem"
+                key="./certs/ed448/client-ed448-priv.pem"
+                caCert="./certs/ed448/server-ed448.pem"
+
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$ed448_openssl_port
+                crl="-C"
+                do_wolfssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$ed448_wolfssl_port
+                do_openssl_client
+            fi
+            ;;
+        *DHE-PSK*)
+            cert="./certs/client-cert.pem"
+            key="./certs/client-key.pem"
+            caCert="./certs/ca-cert.pem"
+
+            port=$openssl_port
+            psk="-s"
+            do_wolfssl_client
+
+            # Skip when no RSA as some versions of OpenSSL can't handle no
+            # signature
+            if [ "$wolf_rsa" != "" ]
+            then
+                port=$wolfssl_port
+                openssl_psk="-psk=1a2b3c4d"
+                do_openssl_client
+            fi
+            ;;
         *PSK*)
-            psk="-s " ;;
+            cert="./certs/client-cert.pem"
+            key="./certs/client-key.pem"
+            caCert="./certs/ca-cert.pem"
+
+            port=$openssl_port
+            psk="-s"
+            do_wolfssl_client
+            port=$wolfssl_port
+            openssl_psk="-psk=1a2b3c4d"
+            do_openssl_client
+            ;;
         *ADH*)
-            adh="-a " ;;
-        esac
+            cert="./certs/client-cert.pem"
+            key="./certs/client-key.pem"
+            caCert="./certs/ca-cert.pem"
 
-        if [ $version -lt 4 ]
-        then
-            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh $caCert
-        else
-            # do all versions
-            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh $caCert
-        fi
+            if [ "$version" != "0" -a "$version" != "1" -a "$version" != "2" -a "$openssl_adh_reneg_bug" != "" ]
+            then
+                continue
+            fi
 
-        client_result=$?
+            port=$openssl_port
+            adh="-a"
+            do_wolfssl_client
+            port=$anon_wolfssl_port
+            do_openssl_client
+            ;;
+        TLS13*)
+            if [ $version != "4" -a $version != "d" -a $version != " " -a $version != "5" ]
+            then
+                continue
+            fi
+            tls13_cipher=yes
+            # RSA
+            if [ $openssl_pid != $no_pid -a "$ecdhe_avail" = "yes" ]
+            then
+                cert="./certs/client-cert.pem"
+                key="./certs/client-key.pem"
+                caCert="./certs/ca-cert.pem"
 
-        if [ $client_result != 0 ]
-        then
-            echo -e "client failed! Suite = $wolfSuite version = $version"
-            do_cleanup
-            exit 1
-        fi
-        wolf_temp_suites_tested=$((wolf_temp_suites_tested+1))
+                port=$openssl_port
+                do_wolfssl_client
+                port=$wolfssl_port
+                do_openssl_client
+            fi
+            # PSK
+            if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" ]
+            then
+                cert="./certs/client-cert.pem"
+                key="./certs/client-key.pem"
+                caCert="./certs/ca-cert.pem"
+
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$tls13_psk_openssl_port
+                psk="-s"
+                do_wolfssl_client
+                psk=""
+                openssl_psk="-psk=0123456789abcdef0123456789abcdef"
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$wolfssl_port
+                do_openssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$tls13_psk_wolfssl_port
+                do_openssl_client
+                openssl_psk=""
+            fi
+            # ECDSA
+            if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ]
+            then
+                cert="./certs/client-ecc-cert.pem"
+                key="./certs/ecc-client-key.pem"
+                caCert="./certs/ca-ecc-cert.pem"
+
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$ecdsa_openssl_port
+                caCert="./certs/ca-ecc-cert.pem"
+                do_wolfssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$ecdsa_wolfssl_port
+                caCert="./certs/ca-ecc-cert.pem"
+                do_openssl_client
+            fi
+            # Ed25519
+            if [ $ed25519_openssl_pid != $no_pid ]
+            then
+                cert="./certs/ed25519/server-ed25519.pem"
+                key="./certs/ed25519/server-ed25519-priv.pem"
+                caCert="./certs/ed25519/server-ed25519.pem"
+
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$ed25519_openssl_port
+                crl="-C"
+                do_wolfssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$ed25519_wolfssl_port
+                do_openssl_client
+            fi
+            # Ed448
+            if [ $ed448_openssl_pid != $no_pid ]
+            then
+                cert="./certs/ed448/client-ed448.pem"
+                key="./certs/ed448/client-ed448-priv.pem"
+                caCert="./certs/ed448/server-ed448.pem"
 
+                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
+                port=$ed448_openssl_port
+                crl="-C"
+                do_wolfssl_client
+                open_temp_cases_total=$((open_temp_cases_total + 1))
+                port=$ed448_wolfssl_port
+                do_openssl_client
+            fi
+            tls13_cipher=
+            ;;
+        *)
+            cert="./certs/client-cert.pem"
+            key="./certs/client-key.pem"
+            caCert="./certs/ca-cert.pem"
+
+            port=$openssl_port
+            do_wolfssl_client
+            port=$wolfssl_port
+            do_openssl_client
+            ;;
+        esac
     done
-    wolf_suites_tested=$((wolf_temp_suites_tested+wolf_suites_tested))
-    wolf_suites_total=$((wolf_temp_suites_total+wolf_suites_total))
-    echo -e "wolfSSL suites tested with version:$version  $wolf_temp_suites_tested"
+    wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested))
+    wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total))
+    echo -e "wolfSSL cases tested with version:$version  $wolf_temp_cases_tested"
+    open_cases_tested=$((open_temp_cases_tested+open_cases_tested))
+    open_cases_total=$((open_temp_cases_total+open_cases_total))
+    echo -e "OpenSSL cases tested with version:$version  $open_temp_cases_tested"
     version_name
-    testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_suites_total\t$wolf_temp_suites_tested\n"
-    wolf_temp_suites_total=0
-    wolf_temp_suites_tested=0
+    testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
+    wolf_temp_cases_total=0
+    wolf_temp_cases_tested=0
+    open_temp_cases_total=0
+    open_temp_cases_tested=0
+    wolfdowngrade="$version"
 done
 IFS=$OIFS #restore separator
 
-kill -9 $server_pid
-if  [ $ecdh_server_pid != $no_pid ]
-then
-    kill -9 $ecdh_server_pid
-fi
+do_cleanup
 
-echo -e "wolfSSL total suites   $wolf_suites_total"
-echo -e "wolfSSL suites tested  $wolf_suites_tested"
+echo -e "wolfSSL total cases   $wolf_cases_total"
+echo -e "wolfSSL cases tested  $wolf_cases_tested"
+echo -e "OpenSSL total cases   $open_cases_total"
+echo -e "OpenSSL cases tested  $open_cases_tested"
 echo -e "\nSuccess!\n\n\n\n"
 echo -e "$testing_summary"
 exit 0

src/internal.c

@@ -20980,14 +20980,14 @@ exit_dpk:
 /* Persistable DoServerKeyExchange arguments */
 typedef struct DskeArgs {
     byte*  output; /* not allocated */
-#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-                                                             defined(HAVE_ED448)
+#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
+                                                          defined(HAVE_CURVE448)
     byte*  verifySig;
 #endif
     word32 idx;
     word32 begin;
-#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-                                                             defined(HAVE_ED448)
+#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
+                                                          defined(HAVE_CURVE448)
     word16 verifySigSz;
 #endif
     word16 sigSz;
@@ -21005,8 +21005,8 @@ static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs)
     (void)ssl;
     (void)args;
 
-#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-                                                             defined(HAVE_ED448)
+#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
+                                                          defined(HAVE_CURVE448)
     if (args->verifySig) {
         XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
         args->verifySig = NULL;
@@ -21643,8 +21643,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                 case diffie_hellman_kea:
                 case ecc_diffie_hellman_kea:
                 {
-            #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
-                                                     && !defined(HAVE_ED448)
+            #if defined(NO_DH) && !defined(HAVE_ECC) && \
+                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
                     ERROR_OUT(NOT_COMPILED_IN, exit_dske);
             #else
                     enum wc_HashType hashType;
@@ -21816,8 +21816,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                 case diffie_hellman_kea:
                 case ecc_diffie_hellman_kea:
                 {
-            #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
-                                                     && !defined(HAVE_ED448)
+            #if defined(NO_DH) && !defined(HAVE_ECC) && \
+                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
                     ERROR_OUT(NOT_COMPILED_IN, exit_dske);
             #else
                     if (ssl->options.usingAnon_cipher) {
@@ -21990,8 +21990,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                 case diffie_hellman_kea:
                 case ecc_diffie_hellman_kea:
                 {
-            #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
-                                                     && !defined(HAVE_ED448)
+            #if defined(NO_DH) && !defined(HAVE_ECC) && \
+                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
                     ERROR_OUT(NOT_COMPILED_IN, exit_dske);
             #else
                     if (ssl->options.usingAnon_cipher) {
@@ -24835,7 +24835,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     typedef struct SskeArgs {
         byte*  output; /* not allocated */
     #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
-                                           (!defined(NO_DH) && !defined(NO_RSA))
+                                                                !defined(NO_RSA)
         byte*  sigDataBuf;
     #endif
     #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
@@ -24850,7 +24850,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         word32 length;
         word32 sigSz;
     #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
-                                           (!defined(NO_DH) && !defined(NO_RSA))
+                                                                !defined(NO_RSA)
         word32 sigDataSz;
     #endif
     #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
@@ -25994,8 +25994,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                         break;
                     }
                 #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
-                #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
-                                                             defined(HAVE_ED448)
+                #if defined(HAVE_ECC)  || defined(HAVE_CURVE25519) || \
+                                                          defined(HAVE_CURVE448)
                     case ecc_diffie_hellman_kea:
                     {
                         /* Sign hash to create signature */

src/ssl.c

@@ -52,7 +52,7 @@
 #if !defined(WOLFSSL_ALLOW_NO_SUITES) && !defined(WOLFCRYPT_ONLY)
     #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(WOLFSSL_STATIC_RSA) \
                 && !defined(WOLFSSL_STATIC_DH) && !defined(WOLFSSL_STATIC_PSK) \
-                && !defined(HAVE_ED25519) && !defined(HAVE_ED448)
+                && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
         #error "No cipher suites defined because DH disabled, ECC disabled, and no static suites defined. Please see top of README"
     #endif
     #ifdef WOLFSSL_CERT_GEN

src/tls.c

@@ -4288,7 +4288,11 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
     TLSX*           extension = NULL;
     SupportedCurve* curve     = NULL;
     word32          oid       = 0;
+#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
+                              defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
+                                (!defined(NO_RSA) && defined(WOLFSSL_STATIC_DH))
     word32          pkOid     = 0;
+#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 || (!NO_RSA && STATIC_DH) */
     word32          defOid    = 0;
     word32          defSz     = 80; /* Maximum known curve size is 66. */
     word32          nextOid   = 0;
@@ -4300,7 +4304,21 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
     int             key       = 0; /* validate key       */
 
     (void)oid;
+    (void)pkOid;
 
+    if (first == CHACHA_BYTE) {
+        switch (second) {
+            case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+            case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:
+            case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
+            case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
+                return 1; /* no suite restriction */
+            case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+            case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
+            case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
+                break;
+        }
+    }
     if (first == ECC_BYTE || first == CHACHA_BYTE)
         extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
     if (!extension)
@@ -4379,7 +4397,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
         #endif /* !NO_ECC_SECP */
     #endif /* !NO_ECC256 || HAVE_ALL_CURVES */
 #endif
-        #ifdef HAVE_CURVE25519
+        #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
             case WOLFSSL_ECC_X25519:
                 oid = ECC_X25519_OID;
             #ifdef HAVE_ED25519
@@ -4406,7 +4424,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
         #endif /* HAVE_ECC_BRAINPOOL */
     #endif
 #endif
-        #ifdef HAVE_CURVE448
+        #if defined(HAVE_CURVE448) || defined(HAVE_ED448)
             case WOLFSSL_ECC_X448:
                 oid = ECC_X448_OID;
             #ifdef HAVE_ED448
@@ -4482,6 +4500,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 
         if (first == ECC_BYTE) {
             switch (second) {
+#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
                 /* ECDHE_ECDSA */
                 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
                 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
@@ -4498,7 +4517,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
                     ephmSuite = 1;
                 break;
 
-#ifdef WOLFSSL_STATIC_DH
+    #ifdef WOLFSSL_STATIC_DH
                 /* ECDH_ECDSA */
                 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
                 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
@@ -4519,7 +4538,8 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
                     sig |= ssl->pkCurveOID == pkOid;
                     key |= ssl->pkCurveOID == oid;
                 break;
-#endif /* WOLFSSL_STATIC_DH */
+    #endif /* WOLFSSL_STATIC_DH */
+#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
 #ifndef NO_RSA
                 /* ECDHE_RSA */
                 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
@@ -4535,7 +4555,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
                     ephmSuite = 1;
                 break;
 
-#ifdef WOLFSSL_STATIC_DH
+    #ifdef WOLFSSL_STATIC_DH
                 /* ECDH_RSA */
                 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
                 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
@@ -4556,7 +4576,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
                     sig = 1;
                     key |= ssl->pkCurveOID == pkOid;
                 break;
-#endif /* WOLFSSL_STATIC_DH */
+    #endif /* WOLFSSL_STATIC_DH */
 #endif
                 default:
                     if (oid == ECC_X25519_OID && defOid == oid) {
@@ -4578,6 +4598,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
         /* ChaCha20-Poly1305 ECC cipher suites */
         if (first == CHACHA_BYTE) {
             switch (second) {
+#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
                 /* ECDHE_ECDSA */
                 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
                 case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
@@ -4585,6 +4606,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
                     key |= ssl->ecdhCurveOID == oid;
                     ephmSuite = 1;
                 break;
+#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
 #ifndef NO_RSA
                 /* ECDHE_RSA */
                 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :

tests/test-ed25519.conf

@@ -3,6 +3,7 @@
 -l ECDHE-ECDSA-AES128-GCM-SHA256
 -c ./certs/ed25519/server-ed25519.pem
 -k ./certs/ed25519/server-ed25519-key.pem
+-d
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
 -v 3
@@ -15,6 +16,7 @@
 -l ECDHE-ECDSA-AES128-GCM-SHA256
 -c ./certs/ed25519/server-ed25519.pem
 -k ./certs/ed25519/server-ed25519-priv.pem
+-d
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
 -v 3
@@ -44,6 +46,7 @@
 -l TLS13-AES128-GCM-SHA256
 -c ./certs/ed25519/server-ed25519.pem
 -k ./certs/ed25519/server-ed25519-key.pem
+-d
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4

tests/test-ed448.conf

@@ -3,6 +3,7 @@
 -l ECDHE-ECDSA-AES128-GCM-SHA256
 -c ./certs/ed448/server-ed448.pem
 -k ./certs/ed448/server-ed448-priv.pem
+-d
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
 -v 3
@@ -32,6 +33,7 @@
 -l TLS13-AES128-GCM-SHA256
 -c ./certs/ed448/server-ed448.pem
 -k ./certs/ed448/server-ed448-priv.pem
+-d
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4

wolfssl/internal.h

@@ -861,11 +861,13 @@
 
 #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \
+    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \
     defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \
+    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \
     defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) || \
@@ -1168,7 +1170,8 @@ enum {
 #ifndef MAX_PSK_ID_LEN
     /* max psk identity/hint supported */
     #if defined(WOLFSSL_TLS13)
-        #define MAX_PSK_ID_LEN 256
+        /* OpenSSL has a 1472 byte sessiont ticket */
+        #define MAX_PSK_ID_LEN 1536
     #else
         #define MAX_PSK_ID_LEN 128
     #endif

wolfssl/test.h

@@ -1961,7 +1961,7 @@ static WC_INLINE int StackSizeCheck(func_args* args, thread_func tf)
     int            ret, i, used;
     void*          status;
     unsigned char* myStack = NULL;
-    int            stackSize = 1024*152;
+    int            stackSize = 1024*176;
     pthread_attr_t myAttr;
     pthread_t      threadId;
 
@@ -2915,7 +2915,7 @@ static WC_INLINE int myEd448Verify(WOLFSSL* ssl, const byte* sig, word32 sigSz,
         ret = wc_ed448_import_public(key, keySz, &myKey);
         if (ret == 0) {
             ret = wc_ed448_verify_msg(sig, sigSz, msg, msgSz, result, &myKey,
-                                                                      NULL, 0);
+                                                                       NULL, 0);
         }
         wc_ed448_free(&myKey);
     }