Merge pull request #312 from dgarske/LeanTls

New LeanTLS configure option

configure.ac

@@ -256,6 +256,21 @@ fi
 AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"])
 
 
+# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir)
+AC_ARG_ENABLE([leantls],
+    [  --enable-leantls        Enable Lean TLS build (default: disabled)],
+    [ ENABLED_LEANTLS=$enableval ],
+    [ ENABLED_LEANTLS=no ]
+    )
+
+if test "$ENABLED_LEANTLS" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_DES3 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SESSION_CACHE -DNO_SHA -DUSE_SLOW_SHA -DUSE_SLOW_SHA2 -DNO_PSK -DNO_WOLFSSL_MEMORY"
+fi
+
+AM_CONDITIONAL([BUILD_LEANTLS], [test "x$ENABLED_LEANTLS" = "xyes"])
+
+
 # big cache
 AC_ARG_ENABLE([bigcache],
     [  --enable-bigcache       Enable big session cache (default: disabled)],
@@ -354,7 +369,7 @@ AC_ARG_ENABLE([sniffer],
    [ ENABLED_SNIFFER=no ]
    )
 
-# sniffer does't work in maxstrength mode
+# sniffer doesn't work in maxstrength mode
 if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
 then
     AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
@@ -380,8 +395,8 @@ AC_ARG_ENABLE([aesgcm],
     [ ENABLED_AESGCM=yes ]
     )
 
-# lean psk does't need gcm
-if test "$ENABLED_LEANPSK" = "yes"
+# leanpsk and leantls don't need gcm
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
 then
     ENABLED_AESGCM=no
 fi
@@ -566,8 +581,8 @@ AC_ARG_ENABLE([sha512],
     [ ENABLED_SHA512=$SHA512_DEFAULT ]
     )
 
-# lean psk does't need sha512
-if test "$ENABLED_LEANPSK" = "yes"
+# leanpsk and leantls don't need sha512
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
 then
     ENABLED_SHA512=no
 fi
@@ -723,7 +738,7 @@ AC_ARG_ENABLE([ecc],
     [ ENABLED_ECC=$ECC_DEFAULT ]
     )
 
-# lean psk does't need ecc
+# lean psk doesn't need ecc
 if test "$ENABLED_LEANPSK" = "yes"
 then
     ENABLED_ECC=no
@@ -742,12 +757,6 @@ fi
 AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])
 
 
-if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes"
-then
-    AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.])
-fi
-
-
 # for using memory optimization setting on both curve25519 and ed25519
 ENABLED_CURVED25519_SMALL=no
 
@@ -874,8 +883,8 @@ if test "$ENABLED_ERROR_STRINGS" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
 else
-    # turn off error strings if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off error strings if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
         ENABLED_ERROR_STRINGS=no
@@ -894,8 +903,8 @@ if test "$ENABLED_OLD_TLS" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
 else
-    # turn off old if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off old if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
         ENABLED_OLD_TLS=no
@@ -942,8 +951,8 @@ if test "$ENABLED_MEMORY" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY"
 else
-    # turn off memory cb if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off memory cb if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         # but don't turn on NO_WOLFSSL_MEMORY because using own
         ENABLED_MEMORY=no
@@ -964,8 +973,8 @@ if test "$ENABLED_RSA" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
 else
-    # turn off RSA if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off RSA if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
         ENABLED_RSA=no
@@ -991,8 +1000,8 @@ if test "$ENABLED_DH" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_DH"
 else
-    # turn off DH if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off DH if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_DH"
         ENABLED_DH=no
@@ -1137,8 +1146,8 @@ if test "$ENABLED_DES3" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
 else
-    # turn off DES3 if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off DES3 if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
         ENABLED_DES3=no
@@ -1180,8 +1189,8 @@ if test "$ENABLED_ARC4" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
 else
-    # turn off ARC4 if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off ARC4 if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
         ENABLED_ARC4=no
@@ -1202,8 +1211,8 @@ if test "$ENABLED_MD5" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
 else
-    # turn off MD5 if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off MD5 if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
         ENABLED_MD5=no
@@ -1224,8 +1233,8 @@ if test "$ENABLED_SHA" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
 else
-    # turn off SHA if leanpsk on
-    if test "$ENABLED_LEANPSK" = "yes"
+    # turn off SHA if leanpsk or leantls on
+    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
         ENABLED_SHA=no
@@ -1332,8 +1341,8 @@ AC_ARG_ENABLE([poly1305],
     [ ENABLED_POLY1305=$POLY1305_DEFAULT]
     )
 
-# lean psk does't need poly1305
-if test "$ENABLED_LEANPSK" = "yes"
+# leanpsk and leantls don't need poly1305
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
 then
     ENABLED_POLY1305=no
 fi
@@ -1361,8 +1370,8 @@ AC_ARG_ENABLE([chacha],
     [ ENABLED_CHACHA=$CHACHA_DEFAULT]
     )
 
-# lean psk does't need chacha
-if test "$ENABLED_LEANPSK" = "yes"
+# leanpsk and leantls don't need chacha
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
 then
     ENABLED_CHACHA=no
 fi
@@ -1636,10 +1645,6 @@ AC_ARG_WITH([ntru],
 
 AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"])
 
-if test "$ENABLED_NTRU" = "yes" && test "$ENABLED_SMALL" = "yes"
-then
-    AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.])
-fi
 
 # SNI
 AC_ARG_ENABLE([sni],
@@ -2237,7 +2242,9 @@ AC_ARG_ENABLE([examples],
 AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"])
 AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"])
 AS_IF([test "x$ENABLED_CRYPTONLY" = "xyes"], [ENABLED_EXAMPLES="no"])
-AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"])
+AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
+AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS], [test "x$ENABLED_EXAMPLES" = "xyes"])
+AM_CONDITIONAL([BUILD_TESTS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
 
 # Enable wolfCrypt test and benchmark
 AC_ARG_ENABLE([crypttests],
@@ -2759,6 +2766,7 @@ echo "   * MD4:                        $ENABLED_MD4"
 echo "   * PSK:                        $ENABLED_PSK"
 echo "   * Poly1305:                   $ENABLED_POLY1305"
 echo "   * LEANPSK:                    $ENABLED_LEANPSK"
+echo "   * LEANTLS:                    $ENABLED_LEANTLS"
 echo "   * RSA:                        $ENABLED_RSA"
 echo "   * DSA:                        $ENABLED_DSA"
 echo "   * DH:                         $ENABLED_DH"

examples/client/client.c

@@ -148,11 +148,16 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
     /* time passed in number of connects give average */
     int times = benchmark;
     int loops = resumeSession ? 2 : 1;
-    int i = 0;
+    int i = 0;    
+#ifndef NO_SESSION_CACHE
     WOLFSSL_SESSION* benchSession = NULL;
+#endif
+    (void)resumeSession;
 
     while (loops--) {
+    #ifndef NO_SESSION_CACHE
         int benchResume = resumeSession && loops == 0;
+    #endif
         double start = current_time(), avg;
 
         for (i = 0; i < times; i++) {
@@ -163,25 +168,31 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
 
             tcp_connect(&sockfd, host, port, doDTLS, ssl);
 
+    #ifndef NO_SESSION_CACHE
             if (benchResume)
                 wolfSSL_set_session(ssl, benchSession);
+    #endif
             wolfSSL_set_fd(ssl, sockfd);
             if (wolfSSL_connect(ssl) != SSL_SUCCESS)
                 err_sys("SSL_connect failed");
 
             wolfSSL_shutdown(ssl);
+    #ifndef NO_SESSION_CACHE
             if (i == (times-1) && resumeSession) {
                 benchSession = wolfSSL_get_session(ssl);
             }
+    #endif
             wolfSSL_free(ssl);
             CloseSocket(sockfd);
         }
         avg = current_time() - start;
         avg /= times;
         avg *= 1000;   /* milliseconds */
+    #ifndef NO_SESSION_CACHE
         if (benchResume)
             printf("wolfSSL_resume  avg took: %8.3f milliseconds\n", avg);
         else
+    #endif
             printf("wolfSSL_connect avg took: %8.3f milliseconds\n", avg);
     }
 

examples/client/include.am

@@ -1,7 +1,7 @@
 # vim:ft=automake
 # All paths should be given relative to the root
 
-if BUILD_EXAMPLES
+if BUILD_EXAMPLE_CLIENTS
 noinst_PROGRAMS += examples/client/client
 noinst_HEADERS += examples/client/client.h
 examples_client_client_SOURCES      = examples/client/client.c

examples/echoclient/include.am

@@ -3,7 +3,7 @@
 # All paths should be given relative to the root
 
 
-if BUILD_EXAMPLES
+if BUILD_EXAMPLE_CLIENTS
 noinst_PROGRAMS += examples/echoclient/echoclient
 noinst_HEADERS += examples/echoclient/echoclient.h
 examples_echoclient_echoclient_SOURCES      = examples/echoclient/echoclient.c

examples/echoserver/include.am

@@ -3,7 +3,7 @@
 # All paths should be given relative to the root
 
 
-if BUILD_EXAMPLES
+if BUILD_EXAMPLE_SERVERS
 noinst_PROGRAMS += examples/echoserver/echoserver
 noinst_HEADERS += examples/echoserver/echoserver.h
 examples_echoserver_echoserver_SOURCES      = examples/echoserver/echoserver.c

examples/server/include.am

@@ -3,7 +3,7 @@
 # All paths should be given relative to the root
 
 
-if BUILD_EXAMPLES
+if BUILD_EXAMPLE_SERVERS
 noinst_PROGRAMS += examples/server/server
 noinst_HEADERS += examples/server/server.h
 examples_server_server_SOURCES      = examples/server/server.c

scripts/include.am

@@ -8,7 +8,7 @@ if BUILD_SNIFFTEST
 dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
 endif
 
-if BUILD_EXAMPLES
+if BUILD_EXAMPLE_SERVERS
 
 dist_noinst_SCRIPTS+= scripts/resume.test
 EXTRA_DIST+= scripts/benchmark.test
@@ -19,12 +19,6 @@ dist_noinst_SCRIPTS+= scripts/crl-revoked.test
 scripts/crl-revoked.log: scripts/resume.log
 endif
 
-if !BUILD_IPV6
-dist_noinst_SCRIPTS+= scripts/external.test
-dist_noinst_SCRIPTS+= scripts/google.test
-#dist_noinst_SCRIPTS+= scripts/openssl.test
-endif
-
 if BUILD_OCSP
 dist_noinst_SCRIPTS+= scripts/ocsp.test
 endif
@@ -47,6 +41,14 @@ endif
 
 endif
 
+if BUILD_EXAMPLE_CLIENTS
+if !BUILD_IPV6
+dist_noinst_SCRIPTS+= scripts/external.test
+dist_noinst_SCRIPTS+= scripts/google.test
+#dist_noinst_SCRIPTS+= scripts/openssl.test
+endif
+endif
+
 if BUILD_PSK
 dist_noinst_SCRIPTS+= scripts/psk.test
 endif

src/internal.c

@@ -142,10 +142,9 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
 
 #ifndef NO_CERTS
 static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes);
-#endif
-
 static void PickHashSigAlgo(WOLFSSL* ssl,
                                 const byte* hashSigAlgo, word32 hashSigAlgoSz);
+#endif
 
 #ifdef HAVE_QSH
     int QSH_Init(WOLFSSL* ssl);
@@ -10594,7 +10593,7 @@ int SetCipherList(Suites* suites, const char* list)
     return ret;
 }
 
-
+#ifndef NO_CERTS
 static void PickHashSigAlgo(WOLFSSL* ssl,
                              const byte* hashSigAlgo, word32 hashSigAlgoSz)
 {
@@ -10630,7 +10629,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
         }
     }
 }
-
+#endif
 
 #ifdef WOLFSSL_CALLBACKS
 

tests/include.am

@@ -3,7 +3,7 @@
 # All paths should be given relative to the root
 
 
-if BUILD_EXAMPLES
+if BUILD_TESTS
 check_PROGRAMS += tests/unit.test
 noinst_PROGRAMS += tests/unit.test
 tests_unit_test_SOURCES = \

testsuite/include.am

@@ -3,7 +3,7 @@
 # All paths should be given relative to the root
 
 
-if BUILD_EXAMPLES
+if BUILD_TESTS
 check_PROGRAMS += testsuite/testsuite.test
 noinst_PROGRAMS += testsuite/testsuite.test
 testsuite_testsuite_test_SOURCES = \

wolfcrypt/src/asn.c

@@ -4908,7 +4908,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
 #endif
 
 
-#ifdef WOLFCRYPT_ONLY
+#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
 
 /* dummy functions, not using wolfSSL so don't need actual ones */
 Signer* GetCA(void* signers, byte* hash)
@@ -4927,7 +4927,7 @@ Signer* GetCAByName(void* signers, byte* hash)
 }
 #endif /* NO_SKID */
 
-#endif /* WOLFCRYPT_ONLY */
+#endif /* WOLFCRYPT_ONLY || NO_CERTS */
 
 #ifndef NO_ASN_TIME
 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)