Merge pull request #4830 from dgarske/no_hmac

Fixes for building without HMAC

src/ssl.c

@@ -28281,7 +28281,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a,
             }
         }
     }
-    
+
     if (err != 0) {
         wolfSSL_ASN1_INTEGER_free(ret);
         ret = NULL;
@@ -34406,7 +34406,7 @@ WOLFSSL_DH* wolfSSL_DH_get_2048_256(void)
             WOLFSSL_MSG("Error converting q hex to WOLFSSL_BIGNUM.");
             err = 1;
         }
-    }   
+    }
     if (err == 0) {
     #if defined(OPENSSL_ALL) || \
         defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
@@ -45840,7 +45840,7 @@ err:
         current = &name->entry[i];
         if (current->set == 0)
             name->entrySz++;
-        
+
         if (wolfSSL_X509_NAME_ENTRY_create_by_NID(&current,
                             entry->nid,
                             wolfSSL_ASN1_STRING_type(entry->value),
@@ -45861,7 +45861,7 @@ err:
         else {
             ret = WOLFSSL_FAILURE;
         }
-        
+
         if (ret != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Error adding the name entry");
             if (current->set == 0)

wolfcrypt/src/kdf.c

@@ -344,7 +344,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
 #endif /* WOLFSSL_HAVE_PRF */
 
 
-#if defined(HAVE_HKDF)
+#if defined(HAVE_HKDF) && !defined(NO_HMAC)
 
     /* Extract data using HMAC, salt and input.
      * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
@@ -470,7 +470,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
         return ret;
     }
 
-#endif /* HAVE_HKDF */
+#endif /* HAVE_HKDF && !NO_HMAC */
 
 
 #ifdef WOLFSSL_WOLFSSH

wolfcrypt/src/pkcs12.c

@@ -27,7 +27,8 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if !defined(NO_ASN) && !defined(NO_PWDBASED) && defined(HAVE_PKCS12)
+#if defined(HAVE_PKCS12) && \
+    !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_HMAC)
 
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
@@ -2491,4 +2492,4 @@ void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12)
 
 #undef ERROR_OUT
 
-#endif /* !NO_ASN && !NO_PWDBASED && HAVE_PKCS12 */
+#endif /* HAVE_PKCS12 && !NO_ASN && !NO_PWDBASED && !NO_HMAC */

wolfcrypt/src/pwdbased.c

@@ -171,7 +171,7 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt,
 
 #endif /* HAVE_PKCS5 */
 
-#ifdef HAVE_PBKDF2
+#if defined(HAVE_PBKDF2) && !defined(NO_HMAC)
 
 int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
            int sLen, int iterations, int kLen, int hashType, void* heap, int devId)
@@ -279,7 +279,7 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
         hashType, NULL, INVALID_DEVID);
 }
 
-#endif /* HAVE_PBKDF2 */
+#endif /* HAVE_PBKDF2 && !NO_HMAC */
 
 #ifdef HAVE_PKCS12
 

wolfcrypt/src/wc_encrypt.c

@@ -474,24 +474,30 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
         return MEMORY_E;
 #endif
 
-    if (version == PKCS5v2)
+    switch (version) {
+#ifndef NO_HMAC
+    case PKCS5v2:
         ret = wc_PBKDF2(key, (byte*)password, passwordSz,
                         salt, saltSz, iterations, derivedLen, typeH);
+        break;
+#endif
 #ifndef NO_SHA
-    else if (version == PKCS5)
+    case PKCS5:
         ret = wc_PBKDF1(key, (byte*)password, passwordSz,
                         salt, saltSz, iterations, derivedLen, typeH);
+        break;
 #endif
 #ifdef HAVE_PKCS12
-    else if (version == PKCS12v1) {
+    case PKCS12v1:
+    {
         int  i, idx = 0;
         byte unicodePasswd[MAX_UNICODE_SZ];
 
         if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
             ForceZero(key, MAX_KEY_SIZE);
-#ifdef WOLFSSL_SMALL_STACK
+        #ifdef WOLFSSL_SMALL_STACK
             XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+        #endif
             return UNICODE_SIZE_E;
         }
 
@@ -505,19 +511,21 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 
         ret =  wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
                             iterations, derivedLen, typeH, 1);
-        if (id != PBE_SHA1_RC4_128)
+        if (id != PBE_SHA1_RC4_128) {
             ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
                                 iterations, 8, typeH, 2);
+        }
+        break;
     }
 #endif /* HAVE_PKCS12 */
-    else {
+    default:
         ForceZero(key, MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
         WOLFSSL_MSG("Unknown/Unsupported PKCS version");
         return ALGO_ID_E;
-    }
+    } /* switch (version) */
 
     if (ret != 0) {
         ForceZero(key, MAX_KEY_SIZE);
@@ -713,4 +721,4 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 }
 
 #endif /* HAVE_PKCS8 || HAVE_PKCS12 */
-#endif /* !NO_PWDBASED */
+#endif /* !NO_PWDBASED && !NO_ASN */

wolfcrypt/test/test.c

@@ -402,8 +402,9 @@ WOLFSSL_TEST_SUBROUTINE int  hmac_sha256_test(void);
 WOLFSSL_TEST_SUBROUTINE int  hmac_sha384_test(void);
 WOLFSSL_TEST_SUBROUTINE int  hmac_sha512_test(void);
 WOLFSSL_TEST_SUBROUTINE int  hmac_sha3_test(void);
-#ifdef HAVE_HKDF
+#if defined(HAVE_HKDF) && !defined(NO_HMAC)
-/* WOLFSSL_TEST_SUBROUTINE */ static int  hkdf_test(void);
+/* hkdf_test has issue with WOLFSSL_TEST_SUBROUTINE set on Xilinx with afalg */
+static int  hkdf_test(void);
 #endif
 WOLFSSL_TEST_SUBROUTINE int  sshkdf_test(void);
 WOLFSSL_TEST_SUBROUTINE int  x963kdf_test(void);
@@ -987,7 +988,7 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
             TEST_PASS("HMAC-SHA3   test passed!\n");
     #endif
 
-    #ifdef HAVE_HKDF
+    #if defined(HAVE_HKDF) && !defined(NO_HMAC)
         PRIVATE_KEY_UNLOCK();
         if ( (ret = hkdf_test()) != 0)
             return err_sys("HMAC-KDF    test failed!\n", ret);
@@ -19885,7 +19886,7 @@ WOLFSSL_TEST_SUBROUTINE int pkcs12_test(void)
 }
 #endif /* HAVE_PKCS12 */
 
-#if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
+#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC)
 WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void)
 {
     char passwd[] = "passwordpassword";
@@ -19910,7 +19911,7 @@ WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void)
     return 0;
 
 }
-#endif /* HAVE_PBKDF2 && !NO_SHA256 */
+#endif /* HAVE_PBKDF2 && !NO_SHA256 && !NO_HMAC */
 
 #if defined(HAVE_PBKDF1) && !defined(NO_SHA)
 WOLFSSL_TEST_SUBROUTINE int pbkdf1_test(void)
@@ -19948,7 +19949,7 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
    if (ret != 0)
       return ret;
 #endif
-#if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
+#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC)
    ret = pbkdf2_test();
    if (ret != 0)
       return ret;
@@ -19970,12 +19971,13 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 
 #if defined(HAVE_HKDF) && !defined(NO_HMAC)
 
-/* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void)
+/* hkdf_test has issue with WOLFSSL_TEST_SUBROUTINE set on Xilinx with afalg */
+static int hkdf_test(void)
 {
     int ret = 0;
 
 #if !defined(NO_SHA) || !defined(NO_SHA256)
-    int L = 42;
+    int L;
     byte okm1[42];
     byte ikm1[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
                       0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
@@ -20019,8 +20021,12 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 #endif
 #endif /* !NO_SHA256 */
 
+    XMEMSET(okm1, 0, sizeof(okm1));
+    L = (int)sizeof(okm1);
+
 #ifndef NO_SHA
-    ret = wc_HKDF(WC_SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
+    ret = wc_HKDF(WC_SHA, ikm1, (word32)sizeof(ikm1), NULL, 0, NULL, 0,
+        okm1, L);
     if (ret != 0)
         return -9700;
 
@@ -20029,7 +20035,9 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 
 #ifndef HAVE_FIPS
     /* fips can't have key size under 14 bytes, salt is key too */
-    ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L);
+    L = (int)sizeof(okm1);
+    ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, (word32)sizeof(salt1),
+        info1, (word32)sizeof(info1), okm1, L);
     if (ret != 0)
         return -9702;
 
@@ -20039,7 +20047,8 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 #endif /* !NO_SHA */
 
 #ifndef NO_SHA256
-    ret = wc_HKDF(WC_SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
+    ret = wc_HKDF(WC_SHA256, ikm1, (word32)sizeof(ikm1), NULL, 0, NULL, 0,
+        okm1, L);
     if (ret != 0)
         return -9704;
 
@@ -20048,7 +20057,8 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 
 #ifndef HAVE_FIPS
     /* fips can't have key size under 14 bytes, salt is key too */
-    ret = wc_HKDF(WC_SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L);
+    ret = wc_HKDF(WC_SHA256, ikm1, (word32)sizeof(ikm1),
+        salt1, (word32)sizeof(salt1), info1, (word32)sizeof(info1), okm1, L);
     if (ret != 0)
         return -9706;
 

wolfssl/openssl/compat_types.h

@@ -30,12 +30,14 @@
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/hmac.h>
 
+#ifndef NO_HMAC
 typedef struct WOLFSSL_HMAC_CTX {
     Hmac hmac;
     int  type;
     word32  save_ipad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];  /* same block size all*/
     word32  save_opad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];
 } WOLFSSL_HMAC_CTX;
+#endif
 
 typedef char   WOLFSSL_EVP_MD;
 typedef struct WOLFSSL_EVP_PKEY     WOLFSSL_EVP_PKEY;

wolfssl/openssl/hmac.h

@@ -21,7 +21,7 @@
 
 
 
-/*  hmac.h defines mini hamc openssl compatibility layer
+/*  hmac.h defines mini hmac openssl compatibility layer
  *
  */
 

wolfssl/wolfcrypt/hmac.h

@@ -23,13 +23,13 @@
     \file wolfssl/wolfcrypt/hmac.h
 */
 
-#ifndef NO_HMAC
-
 #ifndef WOLF_CRYPT_HMAC_H
 #define WOLF_CRYPT_HMAC_H
 
 #include <wolfssl/wolfcrypt/hash.h>
 
+#ifndef NO_HMAC
+
 #if defined(HAVE_FIPS) && \
         (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 /* for fips @wc_fips */
@@ -223,7 +223,5 @@ WOLFSSL_API int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
     } /* extern "C" */
 #endif
 
-#endif /* WOLF_CRYPT_HMAC_H */
-
 #endif /* NO_HMAC */
-
+#endif /* WOLF_CRYPT_HMAC_H */