From 0f4ce03c28ba7984ce09009fefb376bbe6aa4e33 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 2 May 2025 14:18:29 -0700 Subject: [PATCH] Fixes for `NO_AES_192` and `NO_AES_256`. Added CI test. Fixed bad BUILD_ logic for `ADH-AES256-GCM-SHA384`. --- .github/workflows/os-check.yml | 1 + src/quic.c | 4 + src/ssl_crypto.c | 13 +++- tests/api.c | 137 ++++++++++++++++++++------------- tests/api/test_aes.c | 5 +- tests/api/test_aes.h | 4 +- tests/api/test_dtls.c | 2 + tests/suites.c | 2 +- wolfcrypt/src/pkcs7.c | 4 - wolfcrypt/test/test.c | 39 +++++++--- wolfssl/internal.h | 9 ++- 11 files changed, 139 insertions(+), 81 deletions(-) diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 190a26b62..71f8093fc 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -42,6 +42,7 @@ jobs: --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA', '--enable-ascon --enable-experimental', '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental', + '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ', ] name: make check if: github.repository_owner == 'wolfssl' diff --git a/src/quic.c b/src/quic.c index 5791a7d7c..4c90a8393 100644 --- a/src/quic.c +++ b/src/quic.c @@ -989,12 +989,16 @@ const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_aead(WOLFSSL* ssl) switch (cipher->cipherSuite) { #if !defined(NO_AES) && defined(HAVE_AESGCM) + #ifdef WOLFSSL_AES_128 case TLS_AES_128_GCM_SHA256: evp_cipher = wolfSSL_EVP_aes_128_gcm(); break; + #endif + #ifdef WOLFSSL_AES_256 case TLS_AES_256_GCM_SHA384: evp_cipher = wolfSSL_EVP_aes_256_gcm(); break; + #endif #endif #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) case TLS_CHACHA20_POLY1305_SHA256: diff --git a/src/ssl_crypto.c b/src/ssl_crypto.c index 474430449..de34cee1e 100644 --- a/src/ssl_crypto.c +++ b/src/ssl_crypto.c 
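Review bot: The matrix entry added to .github/workflows/os-check.yml only builds with `-DNO_AES_192` and `-DNO_AES_256` set together, so a guard that is wrong for just one of the two key sizes is never exercised. Consider adding an entry for each macro on its own, e.g. `'--enable-all CPPFLAGS=-DNO_AES_192',` and `'--enable-all CPPFLAGS=-DNO_AES_256',`. The trailing space before the closing quote of the added entry looks unintentional and can be dropped.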
@@ -2149,8 +2149,17 @@ int wolfSSL_CMAC_Init(WOLFSSL_CMAC_CTX* ctx, const void *key, size_t keySz, ret = 0; } /* Only AES-CBC ciphers are supported. */ - if ((ret == 1) && (cipher != EVP_AES_128_CBC) && - (cipher != EVP_AES_192_CBC) && (cipher != EVP_AES_256_CBC)) { + if ((ret == 1) + #ifdef WOLFSSL_AES_128 + && (cipher != EVP_AES_128_CBC) + #endif + #ifdef WOLFSSL_AES_192 + && (cipher != EVP_AES_192_CBC) + #endif + #ifdef WOLFSSL_AES_256 + && (cipher != EVP_AES_256_CBC) + #endif + ) { WOLFSSL_MSG("wolfSSL_CMAC_Init: requested cipher is unsupported"); ret = 0; } diff --git a/tests/api.c b/tests/api.c index 17f5c68d7..4215d62c5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -7400,7 +7400,7 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void) /* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */ #if defined(HAVE_SESSION_TICKET) && defined(OPENSSL_EXTRA) && \ - defined(HAVE_AES_CBC) + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) typedef struct openssl_key_ctx { byte name[WOLFSSL_TICKET_NAME_SZ]; /* server name */ @@ -7644,7 +7644,7 @@ int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) if (!ctx->s_cb.ticNoInit && (ctx->s_ctx != NULL)) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) OpenSSLTicketInit(); wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx->s_ctx, myTicketEncCbOpenSSL); #elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) @@ -7898,7 +7898,7 @@ void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx) if (!ctx->s_cb.ticNoInit) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) OpenSSLTicketCleanup(); #elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) TicketCleanup(); 
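Review bot: In wolfSSL_CMAC_Init (src/ssl_crypto.c) the cipher check is now assembled from `#ifdef` fragments inside the `if` condition, and nothing records what happens to a cipher whose key size is compiled out. From the visible lines, dropping a comparison sends that cipher into the "requested cipher is unsupported" branch, so the check fails closed. That is worth stating next to the existing comment, e.g. `/* A key size that is compiled out has no comparison here and is therefore rejected. */`. With all three key sizes disabled the condition reduces to `(ret == 1)` and every cipher is rejected, which also looks intended. The function body starts and ends outside the hunk.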
@@ -8141,7 +8141,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) if (cbf == NULL || !cbf->ticNoInit) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) OpenSSLTicketInit(); wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL); #elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) @@ -8388,7 +8388,7 @@ done: if (cbf == NULL || !cbf->ticNoInit) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) OpenSSLTicketCleanup(); #elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) TicketCleanup(); @@ -13134,7 +13134,8 @@ static int test_wolfSSL_PKCS12(void) #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ !defined(NO_STDIO_FILESYSTEM) && !defined(NO_TLS) && \ !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) && \ - !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) + !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) && \ + defined(WOLFSSL_AES_256) byte buf[6000]; char file[] = "./certs/test-servercert.p12"; char order[] = "./certs/ecc-rsa-server.p12"; @@ -13838,6 +13839,7 @@ static int test_wolfSSL_PKCS8_ED25519(void) { EXPECT_DECLS; #if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_256) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED25519) && \ defined(HAVE_ED25519_KEY_IMPORT) const byte encPrivKey[] = \ 
@@ -13878,6 +13880,7 @@ static int test_wolfSSL_PKCS8_ED448(void) { EXPECT_DECLS; #if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_256) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED448) && \ defined(HAVE_ED448_KEY_IMPORT) const byte encPrivKey[] = \ @@ -17109,7 +17112,7 @@ static int test_wc_PKCS7_VerifySignedData_ECC(void) #if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \ - !defined(NO_AES_256) + defined(WOLFSSL_AES_256) static const byte defKey[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, @@ -17207,7 +17210,7 @@ static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId, return BAD_KEYWRAP_ALG_E; }; } -#endif /* HAVE_PKCS7 && !NO_AES && HAVE_AES_CBC && !NO_AES_256 */ +#endif /* HAVE_PKCS7 && !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_256 */ #if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER) @@ -17465,15 +17468,15 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz}, #endif /* NO_DES3 */ #if !defined(NO_AES) && defined(HAVE_AES_CBC) - #ifndef NO_AES_128 + #ifdef WOLFSSL_AES_128 {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES128CBCb, 0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz}, #endif - #ifndef NO_AES_192 + #ifdef WOLFSSL_AES_192 {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES192CBCb, 0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz}, #endif - #ifndef NO_AES_256 + #ifdef WOLFSSL_AES_256 {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz}, #endif 
@@ -17482,17 +17485,17 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) #endif /* NO_RSA */ #if defined(HAVE_ECC) #if !defined(NO_AES) && defined(HAVE_AES_CBC) - #if !defined(NO_SHA) && !defined(NO_AES_128) + #if !defined(NO_SHA) && defined(WOLFSSL_AES_128) {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES128CBCb, AES128_WRAP, dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey, eccPrivKeySz}, #endif - #if !defined(NO_SHA256) && !defined(NO_AES_256) + #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256) {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb, AES256_WRAP, dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey, eccPrivKeySz}, #endif - #if defined(WOLFSSL_SHA512) && !defined(NO_AES_256) + #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_AES_256) {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb, AES256_WRAP, dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey, eccPrivKeySz}, @@ -17715,7 +17718,7 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) wc_PKCS7_Free(pkcs7); pkcs7 = NULL; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(NO_AES_256) +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) /* test of decrypt callback with KEKRI enveloped data */ { int envelopedSz = 0; @@ -17746,7 +17749,7 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) wc_PKCS7_Free(pkcs7); pkcs7 = NULL; } -#endif /* !NO_AES && !NO_AES_256 */ +#endif /* !NO_AES && WOLFSSL_AES_256 */ #ifndef NO_RSA XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); 
@@ -17833,20 +17836,20 @@ static int test_wc_PKCS7_EncodeEncryptedData(void) }; #endif #if !defined(NO_AES) && defined(HAVE_AES_CBC) - #ifndef NO_AES_128 + #ifdef WOLFSSL_AES_128 byte aes128Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08 }; #endif - #ifndef NO_AES_192 + #ifdef WOLFSSL_AES_192 byte aes192Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08 }; #endif - #ifndef NO_AES_256 + #ifdef WOLFSSL_AES_256 byte aes256Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, @@ -17863,17 +17866,17 @@ static int test_wc_PKCS7_EncodeEncryptedData(void) {data, (word32)sizeof(data), DATA, DESb, desKey, sizeof(desKey)}, #endif /* !NO_DES3 */ #if !defined(NO_AES) && defined(HAVE_AES_CBC) - #ifndef NO_AES_128 + #ifdef WOLFSSL_AES_128 {data, (word32)sizeof(data), DATA, AES128CBCb, aes128Key, sizeof(aes128Key)}, #endif - #ifndef NO_AES_192 + #ifdef WOLFSSL_AES_192 {data, (word32)sizeof(data), DATA, AES192CBCb, aes192Key, sizeof(aes192Key)}, #endif - #ifndef NO_AES_256 + #ifdef WOLFSSL_AES_256 {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key, sizeof(aes256Key)}, #endif @@ -18375,7 +18378,7 @@ static int test_wc_PKCS7_signed_enveloped(void) { EXPECT_DECLS; #if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_AES) && \ - !defined(NO_FILESYSTEM) + defined(WOLFSSL_AES_256) && !defined(NO_FILESYSTEM) XFILE f = XBADFILE; PKCS7* pkcs7 = NULL; #ifdef HAVE_AES_CBC @@ -18437,7 +18440,7 @@ static int test_wc_PKCS7_signed_enveloped(void) pkcs7 = NULL; DoExpectIntEQ(wc_FreeRng(&rng), 0); -#ifdef HAVE_AES_CBC +#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) /* create envelope */ ExpectNotNull(pkcs7 = wc_PKCS7_New(NULL, 0)); ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, (word32)certSz), 0); 
@@ -33026,7 +33029,7 @@ static int test_wolfSSL_PKCS8_d2i(void) } #if defined(OPENSSL_ALL) && \ !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) && \ - defined(HAVE_AES_CBC) + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) ExpectNotNull(bio = BIO_new(BIO_s_mem())); /* Write PKCS#8 PEM to BIO. */ ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, @@ -33039,18 +33042,26 @@ static int test_wolfSSL_PKCS8_d2i(void) BIO_free(bio); bio = NULL; ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write Encrypted PKCS#8 PEM to BIO. */ + /* Write Encrypted PKCS#8 PEM to BIO (test write 0 then 379) */ bytes = 379; ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), NULL, 0, NoPasswordCallBack, (void*)"yassl123"), 0); ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + + /* invalid cases to stderr */ + #ifdef WOLFSSL_AES_128 ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); + #endif ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), + (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); + + /* read/decode private key with password */ ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, (void*)"yassl123")); EVP_PKEY_free(evpPkey); 
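Review bot: The added comment `/* invalid cases to stderr */` in test_wolfSSL_PKCS8_d2i does not match the assertions under it. Each `PEM_write_PKCS8PrivateKey(stderr, ...)` call is expected to return `bytes` (379), the same value as the successful BIO write just above. If these are successful writes with different password inputs, which is what the expected value suggests, something like `/* same key written to stderr, password given by callback or by buffer */` would be accurate. The function begins and ends outside the hunk.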
@@ -34570,6 +34581,7 @@ static int test_wolfSSL_CMAC(void) ExpectNotNull(cmacCtx = CMAC_CTX_new()); ExpectNotNull(CMAC_CTX_get0_cipher_ctx(cmacCtx)); ExpectIntEQ(CMAC_Init(NULL, NULL, 0, NULL, NULL), 0); + #ifdef WOLFSSL_AES_192 ExpectIntEQ(CMAC_Init(NULL, key, AES_192_KEY_SIZE, EVP_aes_192_cbc(), NULL), 0); ExpectIntEQ(CMAC_Init(cmacCtx, NULL, AES_192_KEY_SIZE, EVP_aes_192_cbc(), @@ -34578,6 +34590,7 @@ static int test_wolfSSL_CMAC(void) ExpectIntEQ(CMAC_Init(cmacCtx, key, AES_128_KEY_SIZE, EVP_aes_192_cbc(), NULL), 0); ExpectIntEQ(CMAC_Init(cmacCtx, key, AES_192_KEY_SIZE, NULL, NULL), 0); + #endif #if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) /* Only AES-CBC supported. */ ExpectIntEQ(CMAC_Init(cmacCtx, key, AES_128_KEY_SIZE, EVP_aes_128_gcm(), @@ -34593,6 +34606,7 @@ static int test_wolfSSL_CMAC(void) CMAC_CTX_free(cmacCtx); /* Test AES-256-CBC */ +#ifdef WOLFSSL_AES_256 cmacCtx = NULL; ExpectNotNull(cmacCtx = CMAC_CTX_new()); ExpectIntEQ(CMAC_Init(cmacCtx, key, AES_256_KEY_SIZE, EVP_aes_256_cbc(), @@ -34600,8 +34614,10 @@ static int test_wolfSSL_CMAC(void) ExpectIntEQ(CMAC_Update(cmacCtx, key, AES_128_KEY_SIZE), 1); ExpectIntEQ(CMAC_Final(cmacCtx, out, NULL), 1); CMAC_CTX_free(cmacCtx); +#endif /* Test AES-192-CBC */ +#ifdef WOLFSSL_AES_192 cmacCtx = NULL; ExpectNotNull(cmacCtx = CMAC_CTX_new()); ExpectIntEQ(CMAC_Init(cmacCtx, key, AES_192_KEY_SIZE, EVP_aes_192_cbc(), @@ -34609,6 +34625,7 @@ static int test_wolfSSL_CMAC(void) ExpectIntEQ(CMAC_Update(cmacCtx, key, AES_128_KEY_SIZE), 1); ExpectIntEQ(CMAC_Final(cmacCtx, out, NULL), 1); CMAC_CTX_free(cmacCtx); +#endif cmacCtx = NULL; ExpectNotNull(cmacCtx = CMAC_CTX_new()); 
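Review bot: Wrapping the argument-validation group in test_wolfSSL_CMAC in `#ifdef WOLFSSL_AES_192` means a NO_AES_192 build no longer checks that CMAC_Init rejects a NULL key, a key length that does not match the cipher, or a NULL cipher; only the all-NULL call stays outside the guard. None of those properties is specific to AES-192, so the same checks could fall back to AES-128 when 192 is unavailable, e.g. `ExpectIntEQ(CMAC_Init(cmacCtx, NULL, AES_128_KEY_SIZE, EVP_aes_128_cbc(), NULL), 0);` under `#elif defined(WOLFSSL_AES_128)`. The function starts and ends outside the hunk.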
@@ -34897,8 +34914,8 @@ static int test_wolfSSL_DES_ede3_cbc_encrypt(void) static int test_wolfSSL_AES_encrypt(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AES_ECB) \ - && !defined(WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API) +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AES_ECB) && \ + defined(WOLFSSL_AES_256) && !defined(WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API) AES_KEY enc; AES_KEY dec; const byte msg[] = { @@ -34948,8 +34965,8 @@ static int test_wolfSSL_AES_encrypt(void) static int test_wolfSSL_AES_ecb_encrypt(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AES_ECB) \ - && !defined(WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API) +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AES_ECB) && \ + defined(WOLFSSL_AES_256) && !defined(WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API) AES_KEY aes; const byte msg[] = { @@ -35262,14 +35279,12 @@ static int test_wolfSSL_AES_cfb128_encrypt(void) 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a }; const byte exp[] = { - 0x16, 0xc9, 0x90, 0x6c, 0x04, 0x0c, 0xd1, 0x2f, - 0x84, 0x7b, 0x18, 0xed, 0xed, 0x6a, 0xb5, 0xfd + 0x2c, 0x4e, 0xc4, 0x58, 0x4b, 0xf3, 0xb3, 0xad, + 0xd0, 0xe6, 0xf1, 0x80, 0x43, 0x59, 0x54, 0x6b }; const byte key[] = { 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, - 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, - 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, - 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 + 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81 }; const byte ivData[] = { 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, @@ -35653,7 +35668,7 @@ static int test_wolfSSL_OBJ(void) int boolRet; EVP_PKEY *pkey = NULL; const char *p12_f[] = { - #if !defined(NO_DES3) && !defined(NO_RSA) + #if !defined(NO_AES) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) "./certs/test-servercert.p12", #endif NULL}; 
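Review bot: The CFB128 vector in test_wolfSSL_AES_cfb128_encrypt is replaced rather than extended: `key` shrinks from 32 to 16 bytes and `exp` changes with it, so builds that do have AES-256 lose the 256-bit CFB128 check. Keeping the original pair under `#ifdef WOLFSSL_AES_256` and using the new 128-bit pair otherwise preserves coverage in both configurations. This assumes the key length passed to the set-key call, which is outside the hunk, is derived from `sizeof(key)`. The new `exp` bytes cannot be checked from the page, so a comment naming the source of the vector would help.

```c
/* … unchanged: msg[] … */
#ifdef WOLFSSL_AES_256
    const byte exp[] = {
        0x16, 0xc9, 0x90, 0x6c, 0x04, 0x0c, 0xd1, 0x2f,
        0x84, 0x7b, 0x18, 0xed, 0xed, 0x6a, 0xb5, 0xfd
    };
    const byte key[] = {
        0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
        0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
        0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
        0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
    };
#else /* 128-bit key when AES-256 is compiled out */
    const byte exp[] = {
        0x2c, 0x4e, 0xc4, 0x58, 0x4b, 0xf3, 0xb3, 0xad,
        0xd0, 0xe6, 0xf1, 0x80, 0x43, 0x59, 0x54, 0x6b
    };
    const byte key[] = {
        0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
        0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81
    };
#endif
/* … unchanged: ivData[] and the encrypt/decrypt assertions … */
```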
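Review bot: The guard on `"./certs/test-servercert.p12"` in test_wolfSSL_OBJ drops `!defined(NO_DES3)`, while test_wolfSSL_PKCS12, which loads the same file, keeps `!defined(NO_DES3)` and adds `defined(WOLFSSL_AES_256)`. If any part of that bundle still needs 3DES (not determinable from the page), this test now runs in a NO_DES3 build and fails. The two guards should agree, e.g. `#if !defined(NO_DES3) && !defined(NO_AES) && defined(WOLFSSL_AES_256) && !defined(NO_RSA)`, or a comment should say why they differ.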
@@ -41454,19 +41469,25 @@ static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) int i; int nids[] = { #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - NID_aes_256_cbc, + NID_aes_128_cbc, + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif #endif #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM - NID_aes_128_gcm, - NID_aes_256_gcm, + NID_aes_128_gcm, + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif #endif #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - NID_aes_256_ctr, + NID_aes_128_ctr, + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif #endif #ifndef NO_DES3 NID_des_cbc, @@ -41476,18 +41497,24 @@ static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) int key_lengths[] = { #ifdef HAVE_AES_CBC AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 AES_256_KEY_SIZE, + #endif #endif #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 AES_256_KEY_SIZE, + #endif #endif #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ #ifdef WOLFSSL_AES_COUNTER AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 AES_256_KEY_SIZE, + #endif #endif #ifndef NO_DES3 DES_KEY_SIZE, @@ -41613,7 +41640,7 @@ static int test_wolfSSL_EVP_md4(void) static int test_wolfSSL_EVP_aes_256_gcm(void) { EXPECT_DECLS; -#ifdef HAVE_AESGCM +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); #endif return EXPECT_RESULT(); @@ -41622,7 +41649,7 @@ static int test_wolfSSL_EVP_aes_256_gcm(void) static int test_wolfSSL_EVP_aes_192_gcm(void) { EXPECT_DECLS; -#ifdef HAVE_AESGCM +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); #endif return EXPECT_RESULT(); 
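Review bot: In test_wolfSSL_EVP_CIPHER_CTX_key_length the index-matched arrays `nids[]` and `key_lengths[]` now each carry their own copy of the `#ifdef WOLFSSL_AES_256` ladder, and a guard added to one but not the other would silently pair a NID with the wrong key size. The two ladders match in this commit, but a comment on both arrays would make the coupling explicit, e.g. `/* must stay index-aligned with key_lengths[]; keep the #ifdef guards identical */`. A single array of `{ nid, keyLen }` pairs would remove the duplication. The loop that consumes the arrays is outside the hunk.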
@@ -41631,7 +41658,7 @@ static int test_wolfSSL_EVP_aes_192_gcm(void) static int test_wolfSSL_EVP_aes_256_ccm(void) { EXPECT_DECLS; -#ifdef HAVE_AESCCM +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); #endif return EXPECT_RESULT(); @@ -41640,7 +41667,7 @@ static int test_wolfSSL_EVP_aes_256_ccm(void) static int test_wolfSSL_EVP_aes_192_ccm(void) { EXPECT_DECLS; -#ifdef HAVE_AESCCM +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); #endif return EXPECT_RESULT(); @@ -41649,7 +41676,7 @@ static int test_wolfSSL_EVP_aes_192_ccm(void) static int test_wolfSSL_EVP_aes_128_ccm(void) { EXPECT_DECLS; -#ifdef HAVE_AESCCM +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); #endif return EXPECT_RESULT(); @@ -42198,7 +42225,7 @@ static int test_evp_cipher_aes_gcm(void) EXPECT_DECLS; #if defined(HAVE_AESGCM) && ((!defined(HAVE_FIPS) && \ !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION >= 2))) + (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) /* * This test checks data at various points in the encrypt/decrypt process * against known values produced using the same test with OpenSSL. This @@ -49682,7 +49709,7 @@ static int test_wolfssl_EVP_aes_gcm_zeroLen(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) /* Zero length plain text */ byte key[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
@@ -50035,7 +50062,7 @@ static int test_wolfssl_EVP_aes_ccm_zeroLen(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) /* Zero length plain text */ byte key[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, @@ -61694,7 +61721,7 @@ static int test_extra_alerts_wrong_cs(void) #endif #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) && \ - defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) + defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_AES_256) #define TEST_CS_DOWNGRADE_CLIENT "ECDHE-RSA-AES256-GCM-SHA384" @@ -64988,7 +65015,8 @@ static int test_dtls13_frag_ch_pq(void) } #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) \ - && defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG) + && defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG) && \ + defined(WOLFSSL_AES_256) static int test_dtls_frag_ch_count_records(byte* b, int len) { DtlsRecordLayerHeader* dtlsRH; @@ -65011,7 +65039,8 @@ static int test_dtls_frag_ch(void) { EXPECT_DECLS; #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS13) \ - && defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG) + && defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG) && \ + defined(WOLFSSL_AES_256) WOLFSSL_CTX *ctx_c = NULL; WOLFSSL_CTX *ctx_s = NULL; WOLFSSL *ssl_c = NULL; @@ -66758,7 +66787,7 @@ TEST_CASE testCases[] = { /* AES cipher and GMAC. */ TEST_AES_DECLS, -#if defined(WOLFSSL_AES_EAX) && \ +#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST) TEST_AES_EAX_DECLS, #endif /* WOLFSSL_AES_EAX */ diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c index 173b59167..4af2ed9a7 100644 --- a/tests/api/test_aes.c +++ b/tests/api/test_aes.c 
@@ -756,7 +756,8 @@ int test_wc_AesGcmMixedEncDecLongIV(void) EXPECT_DECLS; #if (!defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \ - !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AESGCM_STREAM) + !defined(NO_AES) && defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && \ + defined(WOLFSSL_AESGCM_STREAM) const byte key[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, @@ -1419,7 +1420,7 @@ int test_wc_AesCcmEncryptDecrypt(void) return EXPECT_RESULT(); } /* END test_wc_AesCcmEncryptDecrypt */ -#if defined(WOLFSSL_AES_EAX) && \ +#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST) /******************************************************************************* diff --git a/tests/api/test_aes.h b/tests/api/test_aes.h index 22b24732a..185617ae5 100644 --- a/tests/api/test_aes.h +++ b/tests/api/test_aes.h @@ -35,7 +35,7 @@ int test_wc_AesGcmMixedEncDecLongIV(void); int test_wc_AesGcmStream(void); int test_wc_AesCcmSetKey(void); int test_wc_AesCcmEncryptDecrypt(void); -#if defined(WOLFSSL_AES_EAX) && \ +#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST) int test_wc_AesEaxVectors(void); int test_wc_AesEaxEncryptAuth(void); @@ -58,7 +58,7 @@ int test_wc_GmacUpdate(void); TEST_DECL_GROUP("aes", test_wc_AesCcmSetKey), \ TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt) -#if defined(WOLFSSL_AES_EAX) && \ +#if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST) #define TEST_AES_EAX_DECLS \ TEST_DECL_GROUP("aes-eax", test_wc_AesEaxVectors), \ diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c index 85d30da22..b4fd570da 100644 --- a/tests/api/test_dtls.c +++ b/tests/api/test_dtls.c 
@@ -67,7 +67,9 @@ int test_dtls12_basic_connection_id(void) #endif #ifndef NO_PSK "DHE-PSK-AES128-CBC-SHA256", + #ifdef WOQLFSSL_AES_256 "DHE-PSK-AES256-GCM-SHA384", + #endif #ifdef HAVE_NULL_CIPHER "DHE-PSK-NULL-SHA256", #endif diff --git a/tests/suites.c b/tests/suites.c index 60b89e335..25be0995e 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -1208,7 +1208,7 @@ int SuiteTest(int argc, char** argv) } XSTRLCPY(argv0[2], "", sizeof(argv0[2])); #endif -#ifdef WOLFSSL_EXTRA_ALERTS +#if defined(WOLFSSL_EXTRA_ALERTS) && defined(WOLFSSL_AES_256) /* failure tests */ args.argc = 3; XSTRLCPY(argv0[1], "tests/test-dtls-fails-cipher.conf", sizeof(argv0[1])); diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index a8545ba0a..b7394e320 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -13106,11 +13106,9 @@ int wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* output, #ifdef HAVE_AESGCM #ifdef WOLFSSL_AES_128 case AES128GCMb: - FALL_THROUGH; #endif #ifdef WOLFSSL_AES_192 case AES192GCMb: - FALL_THROUGH; #endif #ifdef WOLFSSL_AES_256 case AES256GCMb: @@ -13125,11 +13123,9 @@ int wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* output, #ifdef HAVE_AESCCM #ifdef WOLFSSL_AES_128 case AES128CCMb: - FALL_THROUGH; #endif #ifdef WOLFSSL_AES_192 case AES192CCMb: - FALL_THROUGH; #endif #ifdef WOLFSSL_AES_256 case AES256CCMb: diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 452dd4509..e046c83fd 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -620,7 +620,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sshkdf_test(void); WOLFSSL_TEST_SUBROUTINE wc_test_ret_t tls13_kdf_test(void); #endif WOLFSSL_TEST_SUBROUTINE wc_test_ret_t x963kdf_test(void); -#if defined(HAVE_HPKE) && defined(HAVE_ECC) && defined(HAVE_AESGCM) +#if defined(HAVE_HPKE) && defined(HAVE_ECC) && defined(HAVE_AESGCM) && \ + defined(WOLFSSL_AES_256) WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hpke_test(void); #endif #ifdef WC_SRTP_KDF 
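Review bot: The guard added around `"DHE-PSK-AES256-GCM-SHA384"` in test_dtls12_basic_connection_id (tests/api/test_dtls.c) is spelled `WOQLFSSL_AES_256`, a macro nothing on the page defines, so the suite is compiled out of this test in every configuration, including builds that have AES-256. The line should read `#ifdef WOLFSSL_AES_256`. An undefined name in `#ifdef` is not a compile error, so neither a normal build nor the new NO_AES_256 CI entry will flag it; the only symptom is reduced cipher-suite coverage.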
@@ -1934,7 +1935,8 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ TEST_PASS("X963-KDF test passed!\n"); #endif -#if defined(HAVE_HPKE) && defined(HAVE_ECC) && defined(HAVE_AESGCM) +#if defined(HAVE_HPKE) && defined(HAVE_ECC) && defined(HAVE_AESGCM) && \ + defined(WOLFSSL_AES_256) PRIVATE_KEY_UNLOCK(); if ( (ret = hpke_test()) != 0) TEST_FAIL("HPKE test failed!\n", ret); @@ -10135,6 +10137,7 @@ EVP_TEST_END: if (XMEMCMP(plain + 6, plain1 + 6, WC_AES_BLOCK_SIZE)) ERROR_OUT(WC_TEST_RET_ENC_NC, out); #endif /* HAVE_AES_DECRYPT */ +#endif /* WOLFSSL_AES_256 */ out: @@ -10151,7 +10154,6 @@ EVP_TEST_END: wc_AesFree(dec); #endif #endif -#endif /* WOLFSSL_AES_256 */ return ret; } @@ -14158,10 +14160,14 @@ static wc_test_ret_t aes_ecb_test(Aes* enc, Aes* dec, byte* cipher, byte* plain) /* keys padded to block size (16 bytes) */ WOLFSSL_SMALL_STACK_STATIC const byte key_128[] = "0123456789abcdef "; +#ifdef WOLFSSL_AES_192 WOLFSSL_SMALL_STACK_STATIC const byte key_192[] = "0123456789abcdef01234567 "; +#endif +#ifdef WOLFSSL_AES_256 WOLFSSL_SMALL_STACK_STATIC const byte key_256[] = "0123456789abcdef0123456789abcdef "; +#endif WOLFSSL_SMALL_STACK_STATIC const byte iv[] = "1234567890abcdef "; WOLFSSL_SMALL_STACK_STATIC const byte msg[] = { 0x6e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74, 
@@ -14171,15 +14177,17 @@ static wc_test_ret_t aes_ecb_test(Aes* enc, Aes* dec, byte* cipher, byte* plain) 0xd0, 0xc9, 0xd9, 0xc9, 0x40, 0xe8, 0x97, 0xb6, 0xc8, 0x8c, 0x33, 0x3b, 0xb5, 0x8f, 0x85, 0xd1 }; +#ifdef WOLFSSL_AES_192 WOLFSSL_SMALL_STACK_STATIC const byte verify_ecb_192[WC_AES_BLOCK_SIZE] = { 0x06, 0x57, 0xee, 0x78, 0x3f, 0x96, 0x00, 0xb1, 0xec, 0x76, 0x94, 0x30, 0x29, 0xbe, 0x15, 0xab }; +#endif +#ifdef WOLFSSL_AES_256 WOLFSSL_SMALL_STACK_STATIC const byte verify_ecb_256[WC_AES_BLOCK_SIZE] = { 0xcd, 0xf2, 0x81, 0x3e, 0x73, 0x3e, 0xf7, 0x33, 0x3d, 0x18, 0xfd, 0x41, 0x85, 0x37, 0x04, 0x82 }; - WOLFSSL_SMALL_STACK_STATIC const byte niKey[] = { 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, @@ -14194,6 +14202,7 @@ static wc_test_ret_t aes_ecb_test(Aes* enc, Aes* dec, byte* cipher, byte* plain) 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 }; +#endif int i; struct { @@ -14204,9 +14213,13 @@ static wc_test_ret_t aes_ecb_test(Aes* enc, Aes* dec, byte* cipher, byte* plain) const byte* verify; } testVec[] = { { key_128, 16, iv, msg, verify_ecb_128 }, +#ifdef WOLFSSL_AES_192 { key_192, 24, iv, msg, verify_ecb_192 }, +#endif +#ifdef WOLFSSL_AES_256 { key_256, 32, iv, msg, verify_ecb_256 }, { niKey, 32, NULL, niPlain, niCipher } +#endif }; #define AES_ECB_TEST_LEN (int)(sizeof(testVec) / sizeof(*testVec)) @@ -14440,7 +14453,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void) } #endif /* WOLFSSL_AES_128 */ -#if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT) +#if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT) && \ + defined(WOLFSSL_AES_256) { WOLFSSL_SMALL_STACK_STATIC const byte bigMsg[] = { /* "All work and no play makes Jack a dull boy. " */ 
@@ -14621,7 +14635,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cbc_test(void) if (ret != 0) goto out; } -#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT */ +#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT && WOLFSSL_AES_256 */ /* Test of AES IV state with encrypt/decrypt */ #if defined(WOLFSSL_AES_128) && !defined(HAVE_RENESAS_SYNC) @@ -28776,7 +28790,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t x963kdf_test(void) #if defined(HAVE_HPKE) && \ (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \ - defined(HAVE_AESGCM) + defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) static wc_test_ret_t hpke_test_single(Hpke* hpke) { @@ -29091,7 +29105,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hpke_test(void) return ret; } -#endif /* HAVE_HPKE && HAVE_ECC && HAVE_AESGCM */ +#endif /* HAVE_HPKE && HAVE_ECC && HAVE_AESGCM && WOLFSSL_AES_256 */ #if defined(WC_SRTP_KDF) typedef struct Srtp_Kdf_Tv { @@ -52174,7 +52188,7 @@ static wc_test_ret_t pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, #endif #endif -#if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(NO_AES_128) +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) /* ori (OtherRecipientInfo) recipient types */ ADD_PKCS7ENVELOPEDVECTOR( data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, NULL, 0, NULL, 0, @@ -53249,7 +53263,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7authenveloped_test(void) #endif /* HAVE_AESGCM || HAVE_AESCCM */ -#if !defined(NO_AES) && defined(HAVE_AES_CBC) +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) static const byte p7DefKey[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, @@ -53681,7 +53695,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7callback_test(byte* cert, word32 cert return ret; } -#endif /* !NO_AES && HAVE_AES_CBC */ +#endif /* !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_256 */ #ifndef NO_PKCS7_ENCRYPTED_DATA 
@@ -55284,7 +55298,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7signed_test(void) eccClientCertBuf, (word32)eccClientCertBufSz, eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz); -#if !defined(NO_RSA) && !defined(NO_AES) && defined(HAVE_AES_CBC) +#if !defined(NO_RSA) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_256) if (ret >= 0) ret = pkcs7callback_test( rsaClientCertBuf, (word32)rsaClientCertBufSz, diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9cdbdb697..a87fab2ec 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -532,12 +532,13 @@ #endif #if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ - !defined(NO_AES) && !defined(NO_SHA) && defined(WOLFSSL_AES_128) - #ifdef HAVE_AES_CBC + !defined(NO_AES) + #if !defined(NO_SHA) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_128) #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA #endif - - #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) + #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) && \ + defined(WOLFSSL_AES_256) #define BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384 #endif #endif