From 56c562a5167f8cd2ae8fced6eb3e92b36f6d3b45 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 7 Feb 2022 15:05:50 -0800 Subject: [PATCH] Fixes for building with `./configure --enable-opensslextra --enable-cryptonly CFLAGS="-DNO_HMAC" && make`. Found this testing a customers configuration with latest. Also fixes some trailing whitespace. --- src/ssl.c | 8 ++++---- wolfcrypt/src/kdf.c | 4 ++-- wolfcrypt/src/pkcs12.c | 5 +++-- wolfcrypt/src/pwdbased.c | 4 ++-- wolfcrypt/src/wc_encrypt.c | 26 +++++++++++++++++--------- wolfcrypt/test/test.c | 34 ++++++++++++++++++++++------------ wolfssl/openssl/compat_types.h | 2 ++ wolfssl/openssl/hmac.h | 2 +- wolfssl/wolfcrypt/hmac.h | 8 +++----- 9 files changed, 56 insertions(+), 37 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 373eb7d19..9743b78c4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -28267,7 +28267,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a, } } } - + if (err != 0) { wolfSSL_ASN1_INTEGER_free(ret); ret = NULL; @@ -34392,7 +34392,7 @@ WOLFSSL_DH* wolfSSL_DH_get_2048_256(void) WOLFSSL_MSG("Error converting q hex to WOLFSSL_BIGNUM."); err = 1; } - } + } if (err == 0) { #if defined(OPENSSL_ALL) || \ defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -45826,7 +45826,7 @@ err: current = &name->entry[i]; if (current->set == 0) name->entrySz++; - + if (wolfSSL_X509_NAME_ENTRY_create_by_NID(¤t, entry->nid, wolfSSL_ASN1_STRING_type(entry->value), @@ -45847,7 +45847,7 @@ err: else { ret = WOLFSSL_FAILURE; } - + if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error adding the name entry"); if (current->set == 0) diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index 874b62fb1..8d580f8a1 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -344,7 +344,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, #endif /* WOLFSSL_HAVE_PRF */ -#if defined(HAVE_HKDF) +#if defined(HAVE_HKDF) && !defined(NO_HMAC) /* Extract data using HMAC, salt and input. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF) @@ -470,7 +470,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, return ret; } -#endif /* HAVE_HKDF */ +#endif /* HAVE_HKDF && !NO_HMAC */ #ifdef WOLFSSL_WOLFSSH diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 7f29a2cbf..b9825aa57 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -27,7 +27,8 @@ #include -#if !defined(NO_ASN) && !defined(NO_PWDBASED) && defined(HAVE_PKCS12) +#if defined(HAVE_PKCS12) && \ + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_HMAC) #include #include @@ -2491,4 +2492,4 @@ void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12) #undef ERROR_OUT -#endif /* !NO_ASN && !NO_PWDBASED && HAVE_PKCS12 */ +#endif /* HAVE_PKCS12 && !NO_ASN && !NO_PWDBASED && !NO_HMAC */ diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 756b4e2c1..b4f516062 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -171,7 +171,7 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, #endif /* HAVE_PKCS5 */ -#ifdef HAVE_PBKDF2 +#if defined(HAVE_PBKDF2) && !defined(NO_HMAC) int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt, int sLen, int iterations, int kLen, int hashType, void* heap, int devId) @@ -279,7 +279,7 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt, hashType, NULL, INVALID_DEVID); } -#endif /* HAVE_PBKDF2 */ +#endif /* HAVE_PBKDF2 && !NO_HMAC */ #ifdef HAVE_PKCS12 diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index dcaf0e513..311140f13 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -474,24 +474,30 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, return MEMORY_E; #endif - if (version == PKCS5v2) + switch (version) { +#ifndef NO_HMAC + case PKCS5v2: ret = wc_PBKDF2(key, (byte*)password, passwordSz, salt, saltSz, iterations, derivedLen, typeH); + break; +#endif #ifndef NO_SHA - else if (version == PKCS5) + case PKCS5: ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations, derivedLen, typeH); + break; #endif #ifdef HAVE_PKCS12 - else if (version == PKCS12v1) { + case PKCS12v1: + { int i, idx = 0; byte unicodePasswd[MAX_UNICODE_SZ]; if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) { ForceZero(key, MAX_KEY_SIZE); -#ifdef WOLFSSL_SMALL_STACK + #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif + #endif return UNICODE_SIZE_E; } @@ -505,19 +511,21 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz, iterations, derivedLen, typeH, 1); - if (id != PBE_SHA1_RC4_128) + if (id != PBE_SHA1_RC4_128) { ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, iterations, 8, typeH, 2); + } + break; } #endif /* HAVE_PKCS12 */ - else { + default: ForceZero(key, MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif WOLFSSL_MSG("Unknown/Unsupported PKCS version"); return ALGO_ID_E; - } + } /* switch (version) */ if (ret != 0) { ForceZero(key, MAX_KEY_SIZE); @@ -713,4 +721,4 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, } #endif /* HAVE_PKCS8 || HAVE_PKCS12 */ -#endif /* !NO_PWDBASED */ +#endif /* !NO_PWDBASED && !NO_ASN */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index e9de88aff..ce6ceaf24 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -402,8 +402,9 @@ WOLFSSL_TEST_SUBROUTINE int hmac_sha256_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha384_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha512_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha3_test(void); -#ifdef HAVE_HKDF -/* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void); +#if defined(HAVE_HKDF) && !defined(NO_HMAC) +/* hkdf_test has issue with WOLFSSL_TEST_SUBROUTINE set on Xilinx with afalg */ +static int hkdf_test(void); #endif WOLFSSL_TEST_SUBROUTINE int sshkdf_test(void); WOLFSSL_TEST_SUBROUTINE int x963kdf_test(void); @@ -987,7 +988,7 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ TEST_PASS("HMAC-SHA3 test passed!\n"); #endif - #ifdef HAVE_HKDF + #if defined(HAVE_HKDF) && !defined(NO_HMAC) PRIVATE_KEY_UNLOCK(); if ( (ret = hkdf_test()) != 0) return err_sys("HMAC-KDF test failed!\n", ret); @@ -19885,7 +19886,7 @@ WOLFSSL_TEST_SUBROUTINE int pkcs12_test(void) } #endif /* HAVE_PKCS12 */ -#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) +#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC) WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void) { char passwd[] = "passwordpassword"; @@ -19910,7 +19911,7 @@ WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void) return 0; } -#endif /* HAVE_PBKDF2 && !NO_SHA256 */ +#endif /* HAVE_PBKDF2 && !NO_SHA256 && !NO_HMAC */ #if defined(HAVE_PBKDF1) && !defined(NO_SHA) WOLFSSL_TEST_SUBROUTINE int pbkdf1_test(void) @@ -19948,7 +19949,7 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) if (ret != 0) return ret; #endif -#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) +#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC) ret = pbkdf2_test(); if (ret != 0) return ret; @@ -19970,12 +19971,13 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #if defined(HAVE_HKDF) && !defined(NO_HMAC) -/* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void) +/* hkdf_test has issue with WOLFSSL_TEST_SUBROUTINE set on Xilinx with afalg */ +static int hkdf_test(void) { int ret = 0; #if !defined(NO_SHA) || !defined(NO_SHA256) - int L = 42; + int L; byte okm1[42]; byte ikm1[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, @@ -20019,8 +20021,12 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #endif #endif /* !NO_SHA256 */ + XMEMSET(okm1, 0, sizeof(okm1)); + L = (int)sizeof(okm1); + #ifndef NO_SHA - ret = wc_HKDF(WC_SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L); + ret = wc_HKDF(WC_SHA, ikm1, (word32)sizeof(ikm1), NULL, 0, NULL, 0, + okm1, L); if (ret != 0) return -9700; @@ -20029,7 +20035,9 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #ifndef HAVE_FIPS /* fips can't have key size under 14 bytes, salt is key too */ - ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L); + L = (int)sizeof(okm1); + ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, (word32)sizeof(salt1), + info1, (word32)sizeof(info1), okm1, L); if (ret != 0) return -9702; @@ -20039,7 +20047,8 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #endif /* !NO_SHA */ #ifndef NO_SHA256 - ret = wc_HKDF(WC_SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L); + ret = wc_HKDF(WC_SHA256, ikm1, (word32)sizeof(ikm1), NULL, 0, NULL, 0, + okm1, L); if (ret != 0) return -9704; @@ -20048,7 +20057,8 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #ifndef HAVE_FIPS /* fips can't have key size under 14 bytes, salt is key too */ - ret = wc_HKDF(WC_SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L); + ret = wc_HKDF(WC_SHA256, ikm1, (word32)sizeof(ikm1), + salt1, (word32)sizeof(salt1), info1, (word32)sizeof(info1), okm1, L); if (ret != 0) return -9706; diff --git a/wolfssl/openssl/compat_types.h b/wolfssl/openssl/compat_types.h index 52764cf1a..a26f24b29 100644 --- a/wolfssl/openssl/compat_types.h +++ b/wolfssl/openssl/compat_types.h @@ -30,12 +30,14 @@ #include #include +#ifndef NO_HMAC typedef struct WOLFSSL_HMAC_CTX { Hmac hmac; int type; word32 save_ipad[WC_HMAC_BLOCK_SIZE / sizeof(word32)]; /* same block size all*/ word32 save_opad[WC_HMAC_BLOCK_SIZE / sizeof(word32)]; } WOLFSSL_HMAC_CTX; +#endif typedef char WOLFSSL_EVP_MD; typedef struct WOLFSSL_EVP_PKEY WOLFSSL_EVP_PKEY; diff --git a/wolfssl/openssl/hmac.h b/wolfssl/openssl/hmac.h index a7fa373e2..a698c8c42 100644 --- a/wolfssl/openssl/hmac.h +++ b/wolfssl/openssl/hmac.h @@ -21,7 +21,7 @@ -/* hmac.h defines mini hamc openssl compatibility layer +/* hmac.h defines mini hmac openssl compatibility layer * */ diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index 76a7d81f4..c2f6387f3 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -23,13 +23,13 @@ \file wolfssl/wolfcrypt/hmac.h */ -#ifndef NO_HMAC - #ifndef WOLF_CRYPT_HMAC_H #define WOLF_CRYPT_HMAC_H #include +#ifndef NO_HMAC + #if defined(HAVE_FIPS) && \ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) /* for fips @wc_fips */ @@ -223,7 +223,5 @@ WOLFSSL_API int wc_HKDF(int type, const byte* inKey, word32 inKeySz, } /* extern "C" */ #endif -#endif /* WOLF_CRYPT_HMAC_H */ - #endif /* NO_HMAC */ - +#endif /* WOLF_CRYPT_HMAC_H */