diff --git a/README b/README index efcab65e7..111dc3503 100644 --- a/README +++ b/README @@ -162,8 +162,8 @@ Release 3.6.0 of wolfSSL has bug fixes and new features including: - ECC make key crash fix on RNG failure, ECC users must update. - Improvements to usage of time code. - Improvements to VS solution files. -- GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error - add -fdebug-types-section to C_EXTRA_FLAGS +- GNU Binutils 2.24 (and late 2.23) ld has problems with some debug builds, + to fix an ld error add C_EXTRA_FLAGS="-fdebug-types-section -g1". - No high level security fixes that requires an update though we always recommend updating to the latest (except note 14, ecc RNG failure) diff --git a/src/crl.c b/src/crl.c index dde30a28e..5cdfbb20a 100644 --- a/src/crl.c +++ b/src/crl.c @@ -96,7 +96,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl) /* Free all CRL Entry resources */ static void FreeCRL_Entry(CRL_Entry* crle) { - RevokedCert* tmp = crle->certs; + RevokedCert* tmp = crle->certs; WOLFSSL_ENTER("FreeCRL_Entry"); @@ -195,7 +195,7 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) ret = CRL_CERT_REVOKED; break; } - rc = rc->next; + rc = rc->next; } } @@ -221,7 +221,7 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) } - return ret; + return ret; } @@ -356,16 +356,16 @@ static int SwapLists(WOLFSSL_CRL* crl) int ret; CRL_Entry* newList; #ifdef WOLFSSL_SMALL_STACK - WOLFSSL_CRL* tmp; + WOLFSSL_CRL* tmp; #else WOLFSSL_CRL tmp[1]; #endif - + #ifdef WOLFSSL_SMALL_STACK tmp = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) return MEMORY_E; -#endif +#endif if (InitCRL(tmp, crl->cm) < 0) { WOLFSSL_MSG("Init tmp CRL failed"); @@ -536,7 +536,7 @@ static void* DoMonitor(void* arg) for (;;) { struct kevent event; int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL); - + WOLFSSL_MSG("Got kevent"); if (numEvents == -1) { @@ -678,7 +678,7 @@ static void* DoMonitor(void* arg) FD_SET(crl->mfd, &readfds); result = select(max(notifyFd, crl->mfd) + 1, &readfds, NULL, NULL,NULL); - + WOLFSSL_MSG("Got notify event"); if (result < 0) { @@ -695,7 +695,7 @@ static void* DoMonitor(void* arg) if (length < 0) { WOLFSSL_MSG("notify read problem, continue"); continue; - } + } if (SwapLists(crl) < 0) { WOLFSSL_MSG("SwapLists problem, continue"); @@ -789,7 +789,7 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) #ifndef NO_FILESYSTEM -/* Load CRL path files of type, SSL_SUCCESS on ok */ +/* Load CRL path files of type, SSL_SUCCESS on ok */ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) { struct dirent* entry; @@ -832,14 +832,14 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) if (s.st_mode & S_IFREG) { if (type == SSL_FILETYPE_PEM) { - if (strstr(entry->d_name, ".pem") == NULL) { + if (XSTRSTR(entry->d_name, ".pem") == NULL) { WOLFSSL_MSG("not .pem file, skipping"); continue; } } else { - if (strstr(entry->d_name, ".der") == NULL && - strstr(entry->d_name, ".crl") == NULL) { + if (XSTRSTR(entry->d_name, ".der") == NULL && + XSTRSTR(entry->d_name, ".crl") == NULL) { WOLFSSL_MSG("not .der or .crl file, skipping"); continue; @@ -858,27 +858,36 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) #endif if (monitor & WOLFSSL_CRL_MONITOR) { + word32 pathLen; + char* pathBuf; + WOLFSSL_MSG("monitor path requested"); - if (type == SSL_FILETYPE_PEM) { - crl->monitors[0].path = strdup(path); - crl->monitors[0].type = SSL_FILETYPE_PEM; - if (crl->monitors[0].path == NULL) - ret = MEMORY_E; - } else { - crl->monitors[1].path = strdup(path); - crl->monitors[1].type = SSL_FILETYPE_ASN1; - if (crl->monitors[1].path == NULL) - ret = MEMORY_E; + pathLen = (word32)XSTRLEN(path); + pathBuf = (char*)XMALLOC(pathLen+1, NULL, DYNAMIC_TYPE_CRL_MONITOR); + if (pathBuf) { + XSTRNCPY(pathBuf, path, pathLen); + pathBuf[pathLen] = '\0'; /* Null Terminate */ + + if (type == SSL_FILETYPE_PEM) { + crl->monitors[0].path = pathBuf; + crl->monitors[0].type = SSL_FILETYPE_PEM; + } else { + crl->monitors[1].path = pathBuf; + crl->monitors[1].type = SSL_FILETYPE_ASN1; + } + + if (monitor & WOLFSSL_CRL_START_MON) { + WOLFSSL_MSG("start monitoring requested"); + + ret = StartMonitorCRL(crl); + } + } + else { + ret = MEMORY_E; } - - if (monitor & WOLFSSL_CRL_START_MON) { - WOLFSSL_MSG("start monitoring requested"); - - ret = StartMonitorCRL(crl); - } } - + closedir(dir); return ret; diff --git a/src/ssl.c b/src/ssl.c index dd2d392f0..5e462e1c0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2785,7 +2785,7 @@ static int wolfssl_decrypt_buffer_key(DerBuffer* der, byte* password, ret = wc_Des3_CbcDecryptWithKey(der->buffer, der->buffer, der->length, key, info->iv); #endif /* NO_DES3 */ -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_128_KEY_SIZE, info->iv); @@ -2795,7 +2795,7 @@ static int wolfssl_decrypt_buffer_key(DerBuffer* der, byte* password, else if (XSTRNCMP(info->name, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_256_KEY_SIZE, info->iv); -#endif /* NO_AES */ +#endif /* !NO_AES && HAVE_AES_CBC */ #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -9123,6 +9123,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) switch (ctx->cipherType) { #ifndef NO_AES +#ifdef HAVE_AES_CBC case AES_128_CBC_TYPE : case AES_192_CBC_TYPE : case AES_256_CBC_TYPE : @@ -9132,7 +9133,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) else ret = wc_AesCbcDecrypt(&ctx->cipher.aes, dst, src, len); break; - +#endif /* HAVE_AES_CBC */ #ifdef WOLFSSL_AES_COUNTER case AES_128_CTR_TYPE : case AES_192_CTR_TYPE : @@ -9140,7 +9141,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_MSG("AES CTR"); wc_AesCtrEncrypt(&ctx->cipher.aes, dst, src, len); break; -#endif +#endif /* WOLFSSL_AES_COUNTER */ #endif /* NO_AES */ #ifndef NO_DES3 diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 4bddb3a37..ef39a28e8 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -256,7 +256,7 @@ int benchmark_test(void *args) (void)args; #endif -#ifdef USE_WOLFSSL_MEMORY +#if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY) InitMemoryTracker(); #endif @@ -290,20 +290,21 @@ int benchmark_test(void *args) #endif #ifndef NO_AES +#ifdef HAVE_AES_CBC bench_aes(0); bench_aes(1); #endif #ifdef HAVE_AESGCM bench_aesgcm(); #endif - #ifdef WOLFSSL_AES_COUNTER bench_aesctr(); #endif - #ifdef HAVE_AESCCM bench_aesccm(); #endif +#endif /* !NO_AES */ + #ifdef HAVE_CAMELLIA bench_camellia(); #endif @@ -399,7 +400,7 @@ int benchmark_test(void *args) wc_FreeRng(&rng); #endif -#ifdef USE_WOLFSSL_MEMORY +#if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY) ShowMemoryTracker(); #endif @@ -428,6 +429,7 @@ static const char blockType[] = "megs"; /* used in printf output */ #ifndef NO_AES +#ifdef HAVE_AES_CBC void bench_aes(int show) { Aes enc; @@ -472,8 +474,7 @@ void bench_aes(int show) wc_AesFreeCavium(&enc); #endif } -#endif - +#endif /* HAVE_AES_CBC */ #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) static byte additional[13]; @@ -533,7 +534,8 @@ void bench_aesgcm(void) printf("\n"); #endif } -#endif +#endif /* HAVE_AESGCM */ + #ifdef WOLFSSL_AES_COUNTER void bench_aesctr(void) @@ -563,8 +565,7 @@ void bench_aesctr(void) SHOW_INTEL_CYCLES printf("\n"); } -#endif - +#endif /* WOLFSSL_AES_COUNTER */ #ifdef HAVE_AESCCM @@ -596,7 +597,8 @@ void bench_aesccm(void) SHOW_INTEL_CYCLES printf("\n"); } -#endif +#endif /* HAVE_AESCCM */ +#endif /* !NO_AES */ #ifdef HAVE_POLY1305 diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 0123bbedd..38565ec19 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -43,6 +43,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv) } +#ifdef HAVE_AES_CBC int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) { return AesCbcEncrypt_fips(aes, out, in, sz); @@ -54,6 +55,7 @@ int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) return AesCbcDecrypt_fips(aes, out, in, sz); } #endif /* HAVE_AES_DECRYPT */ +#endif /* HAVE_AES_CBC */ /* AES-CTR */ #ifdef WOLFSSL_AES_COUNTER @@ -252,12 +254,14 @@ void wc_AesFreeCavium(Aes* aes) static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length, const byte* iv); + #ifdef HAVE_AES_CBC static int wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 length); #ifdef HAVE_AES_DECRYPT static int wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 length); #endif /* HAVE_AES_DECRYPT */ + #endif /* HAVE_AES_CBC */ #elif defined(WOLFSSL_NRF51_AES) /* Use built-in AES hardware - AES 128 ECB Encrypt Only */ #include "wolfssl/wolfcrypt/port/nrf51.h" @@ -271,6 +275,7 @@ void wc_AesFreeCavium(Aes* aes) #endif /* HAVE_AES_DECRYPT */ #else + /* using wolfCrypt software AES implementation */ #define NEED_AES_TABLES #endif @@ -996,6 +1001,7 @@ static int haveAESNI = 0; /* tell C compiler these are asm functions in case any mix up of ABI underscore prefix between clang/gcc/llvm etc */ +#ifdef HAVE_AES_CBC void AES_CBC_encrypt(const unsigned char* in, unsigned char* out, unsigned char* ivec, unsigned long length, const unsigned char* KS, int nr) @@ -1006,8 +1012,9 @@ void AES_CBC_decrypt(const unsigned char* in, unsigned char* out, unsigned char* ivec, unsigned long length, const unsigned char* KS, int nr) XASM_LINK("AES_CBC_decrypt"); -#endif - +#endif /* HAVE_AES_DECRYPT */ +#endif /* HAVE_AES_CBC */ + void AES_ECB_encrypt(const unsigned char* in, unsigned char* out, unsigned long length, const unsigned char* KS, int nr) XASM_LINK("AES_ECB_encrypt"); @@ -1098,6 +1105,8 @@ static int AES_set_decrypt_key(const unsigned char* userKey, const int bits, #endif /* HAVE_AES_DECRYPT */ #endif /* WOLFSSL_AESNI */ +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) ||\ + defined(HAVE_AESGCM) static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) { @@ -1277,8 +1286,10 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2)); XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3)); } +#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */ #ifdef HAVE_AES_DECRYPT +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) { word32 s0, s1, s2, s3; @@ -1438,6 +1449,8 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3)); } #endif /* HAVE_AES_DECRYPT */ +#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #endif /* NEED_AES_TABLES */ @@ -1842,6 +1855,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv) /* AES-CBC */ +#ifdef HAVE_AES_CBC #ifdef STM32F2_CRYPTO int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) { @@ -2470,6 +2484,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv) #endif #endif /* STM32F2_CRYPTO, AES-CBC block */ +#endif /* HAVE_AES_CBC */ /* AES-CTR */ #ifdef WOLFSSL_AES_COUNTER @@ -4246,7 +4261,7 @@ static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length, return wc_AesSetIV(aes, iv); } - +#ifdef HAVE_AES_CBC static int wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 length) { @@ -4316,6 +4331,7 @@ static int wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in, return 0; } #endif /* HAVE_AES_DECRYPT */ +#endif /* HAVE_AES_CBC */ #endif /* HAVE_CAVIUM */ diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 853b3ddf5..506946388 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -5281,6 +5281,7 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg, if (ret == 0) { switch (ctx->encAlgo) { + #ifdef HAVE_AES_CBC case ecAES_128_CBC: { Aes aes; @@ -5291,7 +5292,7 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg, ret = wc_AesCbcDecrypt(&aes, out, msg, msgSz-digestSz); } break; - + #endif default: ret = BAD_FUNC_ARG; break; diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index db8390ddc..4fde7daf2 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -30,7 +30,7 @@ #include -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz, const byte* key, word32 keySz, const byte* iv) { @@ -84,7 +84,7 @@ int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz, return ret; } -#endif /* !NO_AES */ +#endif /* !NO_AES && HAVE_AES_CBC */ #ifndef NO_DES3 diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 6d844df43..434d5645d 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -262,7 +262,7 @@ int wolfcrypt_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ -#ifdef USE_WOLFSSL_MEMORY +#if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY) InitMemoryTracker(); #endif @@ -594,7 +594,7 @@ int wolfcrypt_test(void* args) printf( "PKCS7signed test passed!\n"); #endif -#ifdef USE_WOLFSSL_MEMORY +#if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY) ShowMemoryTracker(); #endif @@ -2616,11 +2616,13 @@ int des3_test(void) #ifndef NO_AES int aes_test(void) { +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER) Aes enc; Aes dec; byte cipher[AES_BLOCK_SIZE * 4]; byte plain [AES_BLOCK_SIZE * 4]; +#endif int ret = 0; #ifdef HAVE_AES_CBC diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index ed76ceb11..a24579cb7 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1075,12 +1075,16 @@ static char *fgets(char *buff, int sz, FILE *fp) #define AES_MAX_KEY_SIZE 256 #endif #ifndef NO_AES_DECRYPT - #undef HAVE_AES_DECRYPT + #undef HAVE_AES_DECRYPT #define HAVE_AES_DECRYPT #endif #ifndef NO_AES_CBC #undef HAVE_AES_CBC #define HAVE_AES_CBC + #else + #ifndef WOLFCRYPT_ONLY + #error "AES CBC is required for TLS and can only be disabled for WOLFCRYPT_ONLY builds" + #endif #endif #endif