diff --git a/configure.ac b/configure.ac index 2301a64ce..1bf5b8eb2 100644 --- a/configure.ac +++ b/configure.ac @@ -256,6 +256,21 @@ fi AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"]) +# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir) +AC_ARG_ENABLE([leantls], + [ --enable-leantls Enable Lean TLS build (default: disabled)], + [ ENABLED_LEANTLS=$enableval ], + [ ENABLED_LEANTLS=no ] + ) + +if test "$ENABLED_LEANTLS" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_DES3 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SESSION_CACHE -DNO_SHA -DUSE_SLOW_SHA -DUSE_SLOW_SHA2 -DNO_PSK -DNO_WOLFSSL_MEMORY" +fi + +AM_CONDITIONAL([BUILD_LEANTLS], [test "x$ENABLED_LEANTLS" = "xyes"]) + + # big cache AC_ARG_ENABLE([bigcache], [ --enable-bigcache Enable big session cache (default: disabled)], @@ -354,7 +369,7 @@ AC_ARG_ENABLE([sniffer], [ ENABLED_SNIFFER=no ] ) -# sniffer does't work in maxstrength mode +# sniffer doesn't work in maxstrength mode if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes" then AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.]) @@ -380,8 +395,8 @@ AC_ARG_ENABLE([aesgcm], [ ENABLED_AESGCM=yes ] ) -# lean psk does't need gcm -if test "$ENABLED_LEANPSK" = "yes" +# leanpsk and leantls don't need gcm +if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then ENABLED_AESGCM=no fi @@ -566,8 +581,8 @@ AC_ARG_ENABLE([sha512], [ ENABLED_SHA512=$SHA512_DEFAULT ] ) -# lean psk does't need sha512 -if test "$ENABLED_LEANPSK" = "yes" +# leanpsk and leantls don't need sha512 +if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then ENABLED_SHA512=no fi @@ -723,7 +738,7 @@ AC_ARG_ENABLE([ecc], [ ENABLED_ECC=$ECC_DEFAULT ] ) -# lean psk does't need ecc +# lean psk doesn't need ecc if test "$ENABLED_LEANPSK" = "yes" then ENABLED_ECC=no @@ -742,12 +757,6 @@ fi AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) -if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes" -then - AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) -fi - - # for using memory optimization setting on both curve25519 and ed25519 ENABLED_CURVED25519_SMALL=no @@ -874,8 +883,8 @@ if test "$ENABLED_ERROR_STRINGS" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS" else - # turn off error strings if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off error strings if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS" ENABLED_ERROR_STRINGS=no @@ -894,8 +903,8 @@ if test "$ENABLED_OLD_TLS" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" else - # turn off old if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off old if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" ENABLED_OLD_TLS=no @@ -942,8 +951,8 @@ if test "$ENABLED_MEMORY" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY" else - # turn off memory cb if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off memory cb if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then # but don't turn on NO_WOLFSSL_MEMORY because using own ENABLED_MEMORY=no @@ -964,8 +973,8 @@ if test "$ENABLED_RSA" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_RSA" else - # turn off RSA if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off RSA if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_RSA" ENABLED_RSA=no @@ -991,8 +1000,8 @@ if test "$ENABLED_DH" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_DH" else - # turn off DH if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off DH if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_DH" ENABLED_DH=no @@ -1137,8 +1146,8 @@ if test "$ENABLED_DES3" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_DES3" else - # turn off DES3 if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off DES3 if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_DES3" ENABLED_DES3=no @@ -1180,8 +1189,8 @@ if test "$ENABLED_ARC4" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_RC4" else - # turn off ARC4 if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off ARC4 if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_RC4" ENABLED_ARC4=no @@ -1202,8 +1211,8 @@ if test "$ENABLED_MD5" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS" else - # turn off MD5 if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off MD5 if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS" ENABLED_MD5=no @@ -1224,8 +1233,8 @@ if test "$ENABLED_SHA" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS" else - # turn off SHA if leanpsk on - if test "$ENABLED_LEANPSK" = "yes" + # turn off SHA if leanpsk or leantls on + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS" ENABLED_SHA=no @@ -1332,8 +1341,8 @@ AC_ARG_ENABLE([poly1305], [ ENABLED_POLY1305=$POLY1305_DEFAULT] ) -# lean psk does't need poly1305 -if test "$ENABLED_LEANPSK" = "yes" +# leanpsk and leantls don't need poly1305 +if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then ENABLED_POLY1305=no fi @@ -1361,8 +1370,8 @@ AC_ARG_ENABLE([chacha], [ ENABLED_CHACHA=$CHACHA_DEFAULT] ) -# lean psk does't need chacha -if test "$ENABLED_LEANPSK" = "yes" +# leanpsk and leantls don't need chacha +if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" then ENABLED_CHACHA=no fi @@ -1636,10 +1645,6 @@ AC_ARG_WITH([ntru], AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"]) -if test "$ENABLED_NTRU" = "yes" && test "$ENABLED_SMALL" = "yes" -then - AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.]) -fi # SNI AC_ARG_ENABLE([sni], @@ -2237,7 +2242,9 @@ AC_ARG_ENABLE([examples], AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"]) AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"]) AS_IF([test "x$ENABLED_CRYPTONLY" = "xyes"], [ENABLED_EXAMPLES="no"]) -AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"]) +AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"]) +AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS], [test "x$ENABLED_EXAMPLES" = "xyes"]) +AM_CONDITIONAL([BUILD_TESTS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"]) # Enable wolfCrypt test and benchmark AC_ARG_ENABLE([crypttests], @@ -2759,6 +2766,7 @@ echo " * MD4: $ENABLED_MD4" echo " * PSK: $ENABLED_PSK" echo " * Poly1305: $ENABLED_POLY1305" echo " * LEANPSK: $ENABLED_LEANPSK" +echo " * LEANTLS: $ENABLED_LEANTLS" echo " * RSA: $ENABLED_RSA" echo " * DSA: $ENABLED_DSA" echo " * DH: $ENABLED_DH" diff --git a/examples/client/client.c b/examples/client/client.c index 021e97958..57f0a212d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -148,11 +148,16 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, /* time passed in number of connects give average */ int times = benchmark; int loops = resumeSession ? 2 : 1; - int i = 0; + int i = 0; +#ifndef NO_SESSION_CACHE WOLFSSL_SESSION* benchSession = NULL; +#endif + (void)resumeSession; while (loops--) { + #ifndef NO_SESSION_CACHE int benchResume = resumeSession && loops == 0; + #endif double start = current_time(), avg; for (i = 0; i < times; i++) { @@ -163,25 +168,31 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, tcp_connect(&sockfd, host, port, doDTLS, ssl); + #ifndef NO_SESSION_CACHE if (benchResume) wolfSSL_set_session(ssl, benchSession); + #endif wolfSSL_set_fd(ssl, sockfd); if (wolfSSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed"); wolfSSL_shutdown(ssl); + #ifndef NO_SESSION_CACHE if (i == (times-1) && resumeSession) { benchSession = wolfSSL_get_session(ssl); } + #endif wolfSSL_free(ssl); CloseSocket(sockfd); } avg = current_time() - start; avg /= times; avg *= 1000; /* milliseconds */ + #ifndef NO_SESSION_CACHE if (benchResume) printf("wolfSSL_resume avg took: %8.3f milliseconds\n", avg); else + #endif printf("wolfSSL_connect avg took: %8.3f milliseconds\n", avg); } diff --git a/examples/client/include.am b/examples/client/include.am index 862cdfa08..876f6a28e 100644 --- a/examples/client/include.am +++ b/examples/client/include.am @@ -1,7 +1,7 @@ # vim:ft=automake # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_EXAMPLE_CLIENTS noinst_PROGRAMS += examples/client/client noinst_HEADERS += examples/client/client.h examples_client_client_SOURCES = examples/client/client.c diff --git a/examples/echoclient/include.am b/examples/echoclient/include.am index f0d5868c2..7f0bc47d1 100644 --- a/examples/echoclient/include.am +++ b/examples/echoclient/include.am @@ -3,7 +3,7 @@ # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_EXAMPLE_CLIENTS noinst_PROGRAMS += examples/echoclient/echoclient noinst_HEADERS += examples/echoclient/echoclient.h examples_echoclient_echoclient_SOURCES = examples/echoclient/echoclient.c diff --git a/examples/echoserver/include.am b/examples/echoserver/include.am index 767da6c46..516c40441 100644 --- a/examples/echoserver/include.am +++ b/examples/echoserver/include.am @@ -3,7 +3,7 @@ # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_EXAMPLE_SERVERS noinst_PROGRAMS += examples/echoserver/echoserver noinst_HEADERS += examples/echoserver/echoserver.h examples_echoserver_echoserver_SOURCES = examples/echoserver/echoserver.c diff --git a/examples/server/include.am b/examples/server/include.am index f42490591..8a3d75119 100644 --- a/examples/server/include.am +++ b/examples/server/include.am @@ -3,7 +3,7 @@ # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_EXAMPLE_SERVERS noinst_PROGRAMS += examples/server/server noinst_HEADERS += examples/server/server.h examples_server_server_SOURCES = examples/server/server.c diff --git a/scripts/include.am b/scripts/include.am index 5866a554e..19e05feaf 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -8,7 +8,7 @@ if BUILD_SNIFFTEST dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test endif -if BUILD_EXAMPLES +if BUILD_EXAMPLE_SERVERS dist_noinst_SCRIPTS+= scripts/resume.test EXTRA_DIST+= scripts/benchmark.test @@ -19,12 +19,6 @@ dist_noinst_SCRIPTS+= scripts/crl-revoked.test scripts/crl-revoked.log: scripts/resume.log endif -if !BUILD_IPV6 -dist_noinst_SCRIPTS+= scripts/external.test -dist_noinst_SCRIPTS+= scripts/google.test -#dist_noinst_SCRIPTS+= scripts/openssl.test -endif - if BUILD_OCSP dist_noinst_SCRIPTS+= scripts/ocsp.test endif @@ -47,6 +41,14 @@ endif endif +if BUILD_EXAMPLE_CLIENTS +if !BUILD_IPV6 +dist_noinst_SCRIPTS+= scripts/external.test +dist_noinst_SCRIPTS+= scripts/google.test +#dist_noinst_SCRIPTS+= scripts/openssl.test +endif +endif + if BUILD_PSK dist_noinst_SCRIPTS+= scripts/psk.test endif diff --git a/src/internal.c b/src/internal.c index 7cebc84d4..b5023a9f9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -142,10 +142,9 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, #ifndef NO_CERTS static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes); -#endif - static void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz); +#endif #ifdef HAVE_QSH int QSH_Init(WOLFSSL* ssl); @@ -10594,7 +10593,7 @@ int SetCipherList(Suites* suites, const char* list) return ret; } - +#ifndef NO_CERTS static void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) { @@ -10630,7 +10629,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, } } } - +#endif #ifdef WOLFSSL_CALLBACKS diff --git a/tests/include.am b/tests/include.am index e0a82a405..63768e663 100644 --- a/tests/include.am +++ b/tests/include.am @@ -3,7 +3,7 @@ # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_TESTS check_PROGRAMS += tests/unit.test noinst_PROGRAMS += tests/unit.test tests_unit_test_SOURCES = \ diff --git a/testsuite/include.am b/testsuite/include.am index 86b6f9784..ed2604427 100644 --- a/testsuite/include.am +++ b/testsuite/include.am @@ -3,7 +3,7 @@ # All paths should be given relative to the root -if BUILD_EXAMPLES +if BUILD_TESTS check_PROGRAMS += testsuite/testsuite.test noinst_PROGRAMS += testsuite/testsuite.test testsuite_testsuite_test_SOURCES = \ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d63806f5b..c65e3c713 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4908,7 +4908,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) #endif -#ifdef WOLFCRYPT_ONLY +#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS) /* dummy functions, not using wolfSSL so don't need actual ones */ Signer* GetCA(void* signers, byte* hash) @@ -4927,7 +4927,7 @@ Signer* GetCAByName(void* signers, byte* hash) } #endif /* NO_SKID */ -#endif /* WOLFCRYPT_ONLY */ +#endif /* WOLFCRYPT_ONLY || NO_CERTS */ #ifndef NO_ASN_TIME int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)