diff --git a/configure.ac b/configure.ac index e307cbf45..62dc1ab0d 100644 --- a/configure.ac +++ b/configure.ac @@ -1826,6 +1826,11 @@ else then AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT" ENABLED_ASN=no + else + if test "$ENABLED_ASN" = "nocrypt" + then + AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT" + fi fi fi diff --git a/src/internal.c b/src/internal.c index a9fe023cd..17f5c2673 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15414,15 +15414,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case NTRU_DECRYPT_ERROR: return "NTRU decrypt error"; - case ZLIB_INIT_ERROR: - return "zlib init error"; - - case ZLIB_COMPRESS_ERROR: - return "zlib compress error"; - - case ZLIB_DECOMPRESS_ERROR: - return "zlib decompress error"; - case GETTIME_ERROR: return "gettimeofday() error"; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index c29a25460..7e0e3d595 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2336,7 +2336,7 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) return BAD_FUNC_ARG; } - #if !defined(NO_RSA) + #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) /* test if RSA key */ if (der->keyOID == RSAk) { #ifdef WOLFSSL_SMALL_STACK @@ -2404,9 +2404,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) #endif } else - #endif /* NO_RSA */ + #endif /* !NO_RSA && !NO_ASN_CRYPT */ - #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) + #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) if (der->keyOID == ECDSAk) { #ifdef WOLFSSL_SMALL_STACK ecc_key* key_pair = NULL; @@ -2469,9 +2469,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) #endif } else - #endif /* HAVE_ECC */ + #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */ - #ifdef HAVE_ED25519 + #if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT) if (der->keyOID == ED25519k) { #ifdef WOLFSSL_SMALL_STACK ed25519_key* key_pair = NULL; @@ -2512,7 +2512,7 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) #endif } else - #endif + #endif /* HAVE_ED25519 && !NO_ASN_CRYPT */ { ret = 0; } @@ -2624,7 +2624,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, *algoID = 0; - #ifndef NO_RSA + #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) { RsaKey rsa; @@ -2637,8 +2637,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, } wc_FreeRsaKey(&rsa); } - #endif /* NO_RSA */ - #ifdef HAVE_ECC + #endif /* !NO_RSA && !NO_ASN_CRYPT */ + #if defined(HAVE_ECC) && !defined(NO_ASN_CRYPT) if (*algoID == 0) { ecc_key ecc; @@ -2659,8 +2659,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, } wc_ecc_free(&ecc); } -#endif /* HAVE_ECC */ -#ifdef HAVE_ED25519 +#endif /* HAVE_ECC && !NO_ASN_CRYPT */ +#if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT) if (*algoID != RSAk && *algoID != ECDSAk) { ed25519_key ed25519; @@ -2679,7 +2679,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, WOLFSSL_MSG("GetKeyOID wc_ed25519_init failed"); } } -#endif +#endif /* HAVE_ED25519 && !NO_ASN_CRYPT */ /* if flag is not set then is neither RSA or ECC key that could be * found */ @@ -5382,6 +5382,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx) sigCtx->plain = NULL; } #endif +#ifndef NO_ASN_CRYPT if (sigCtx->key.ptr) { switch (sigCtx->keyOID) { #ifndef NO_RSA @@ -5407,11 +5408,13 @@ void FreeSignatureCtx(SignatureCtx* sigCtx) } /* switch (keyOID) */ sigCtx->key.ptr = NULL; } +#endif /* reset state, we are done */ sigCtx->state = SIG_STATE_BEGIN; } +#ifndef NO_ASN_CRYPT static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, byte* digest, int* typeH, int* digestSz, int verify) { @@ -5498,6 +5501,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, return ret; } +#endif /* !NO_ASN_CRYPT */ /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ static int ConfirmSignature(SignatureCtx* sigCtx, @@ -5519,6 +5523,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, WOLFSSL_ENTER("ConfirmSignature"); +#ifndef NO_ASN_CRYPT switch (sigCtx->state) { case SIG_STATE_BEGIN: { @@ -5796,6 +5801,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx, exit_cs: +#endif /* !NO_ASN_CRYPT */ + WOLFSSL_LEAVE("ConfirmSignature", ret); if (ret != WC_PENDING_E) { @@ -9348,7 +9355,7 @@ static word32 SetUTF8String(word32 len, byte* output) #endif /* WOLFSSL_CERT_REQ */ -#endif /*WOLFSSL_CERT_GEN */ +#endif /* WOLFSSL_CERT_GEN */ #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) @@ -9482,7 +9489,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen, return SetEccPublicKey(output, key, with_AlgCurve); } -#endif /* HAVE_ECC */ +#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */ #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \ defined(WOLFSSL_KEY_GEN)) @@ -11769,7 +11776,7 @@ int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) } -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN_CRYPT) /* Set SKID from public key file in PEM */ int wc_SetSubjectKeyId(Cert *cert, const char* file) @@ -11869,7 +11876,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) return ret; } -#endif /* NO_FILESYSTEM */ +#endif /* !NO_FILESYSTEM && !NO_ASN_CRYPT */ /* Set AKID from certificate contains in buffer (DER encoded) */ int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) @@ -13015,7 +13022,7 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, return 0; } -#if defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) /* build DER formatted ECC key, include optional public key if requested, * return length on success, negative on error */ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen, @@ -13133,7 +13140,7 @@ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen, return totalSz; } - +#ifndef NO_ASN_CRYPT /* Write a Private ecc key, including public to DER format, * length on success else < 0 */ int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) @@ -13148,6 +13155,7 @@ int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen) { return wc_BuildEccKeyDer(key, output, inLen, 0); } +#endif /* !NO_ASN_CRYPT */ /* Write only private ecc key to unencrypted PKCS#8 format. * @@ -14451,6 +14459,79 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) #endif /* HAVE_CRL */ + + +#ifdef WOLFSSL_CERT_PIV + +int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz) +{ + int length = 0; + word32 idx = 0; + + WOLFSSL_ENTER("wc_ParseCertPIV"); + + if (piv == NULL || buf == NULL || totalSz == 0) + return BAD_FUNC_ARG; + + XMEMSET(piv, 0, sizeof(wc_CertPIV)); + + /* Certificate - Total Length (0A 82 05FA) */ + if (GetASNHeader(buf, ASN_PIV_CERT, &idx, &length, totalSz) >= 0) { + /* Certificate Buffer (53 82 05F6) */ + if (GetASNHeader(buf, ASN_APPLICATION | ASN_PRINTABLE_STRING, &idx, + &length, totalSz) < 0) { + return ASN_PARSE_E; + } + /* PIV Certificate (70 82 05ED) */ + if (GetASNHeader(buf, ASN_PIV_TAG_CERT, &idx, &length, + totalSz) < 0) { + return ASN_PARSE_E; + } + + /* Capture certificate buffer pointer and length */ + piv->cert = &buf[idx]; + piv->certSz = length; + idx += length; + + /* PIV Certificate Info (71 01 00) */ + if (GetASNHeader(buf, ASN_PIV_TAG_CERT_INFO, &idx, &length, + totalSz) >= 0) { + if (length >= 1) { + piv->compression = (buf[idx] & ASN_PIV_CERT_INFO_COMPRESSED); + piv->isX509 = (buf[idx] & ASN_PIV_CERT_INFO_ISX509); + } + idx += length; + } + + /* PIV Error Detection (FE 00) */ + if (GetASNHeader(buf, ASN_PIV_TAG_ERR_DET, &idx, &length, + totalSz) >= 0) { + piv->certErrDet = &buf[idx]; + piv->certErrDetSz = length; + idx += length; + } + } + + /* Nonce (0B 14) */ + if (GetASNHeader(buf, ASN_PIV_NONCE, &idx, &length, totalSz) >= 0) { + piv->nonce = &buf[idx]; + piv->nonceSz = length; + idx += length; + } + + /* Signed Nonce (0C 82 0100) */ + if (GetASNHeader(buf, ASN_PIV_SIGNED_NONCE, &idx, &length, totalSz) >= 0) { + piv->signedNonce = &buf[idx]; + piv->signedNonceSz = length; + idx += length; + } + + return 0; +} + +#endif /* WOLFSSL_CERT_PIV */ + + #undef ERROR_OUT #endif /* !NO_ASN */ diff --git a/wolfcrypt/src/compress.c b/wolfcrypt/src/compress.c index 68eb4c0ef..8a21b2461 100644 --- a/wolfcrypt/src/compress.c +++ b/wolfcrypt/src/compress.c @@ -121,13 +121,26 @@ int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 fla } -int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz) +/* windowBits: +* deflateInit() and inflateInit(), as well as deflateInit2() and inflateInit2() + with windowBits in 0..15 all process zlib-wrapped deflate data. + (See RFC 1950 and RFC 1951.) +* deflateInit2() and inflateInit2() with negative windowBits in -1..-15 process + raw deflate data with no header or trailer. +* deflateInit2() and inflateInit2() with windowBits in 16..31, i.e. 16 + added to 0..15, process gzip-wrapped deflate data (RFC 1952). +* inflateInit2() with windowBits in 32..47 (32 added to 0..15) will + automatically detect either a gzip or zlib header (but not raw deflate + data), and decompress accordingly. +*/ +int wc_DeCompress_ex(byte* out, word32 outSz, const byte* in, word32 inSz, + int windowBits) /* * out - pointer to destination buffer * outSz - size of destination buffer * in - pointer to source buffer to compress * inSz - size of source to compress - * flags - flags to control how compress operates + * windowBits - flags to control how decompress operates * * return: * negative - error code @@ -150,10 +163,11 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz) stream.zfree = (free_func)myFree; stream.opaque = (voidpf)0; - if (inflateInit2(&stream, DEFLATE_DEFAULT_WINDOWBITS) != Z_OK) + if (inflateInit2(&stream, windowBits) != Z_OK) return DECOMPRESS_INIT_E; - if (inflate(&stream, Z_FINISH) != Z_STREAM_END) { + result = inflate(&stream, Z_FINISH); + if (result != Z_STREAM_END) { inflateEnd(&stream); return DECOMPRESS_E; } @@ -167,5 +181,11 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz) } +int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz) +{ + return wc_DeCompress_ex(out, outSz, in, inSz, DEFLATE_DEFAULT_WINDOWBITS); +} + + #endif /* HAVE_LIBZ */ diff --git a/wolfcrypt/src/cryptodev.c b/wolfcrypt/src/cryptodev.c index 6e88c850b..55b7f00fa 100644 --- a/wolfcrypt/src/cryptodev.c +++ b/wolfcrypt/src/cryptodev.c @@ -330,4 +330,13 @@ int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out, } #endif /* !NO_AES && HAVE_AESGCM */ +/* call to support callback for entire buffer hash */ +int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash) +{ + (void)data; + (void)len; + (void)hash; + return NOT_COMPILED_IN; +} + #endif /* WOLF_CRYPTO_DEV */ diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 87eb05d0c..a2b435945 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -483,10 +483,19 @@ const char* wc_GetErrorString(int error) return "DH Check Private Key failure"; case WC_AFALG_SOCK_E: - return "AF_ALG socket error"; + return "AF_ALG socket error"; case WC_DEVCRYPTO_E: - return "Error with /dev/crypto"; + return "Error with /dev/crypto"; + + case ZLIB_INIT_ERROR: + return "zlib init error"; + + case ZLIB_COMPRESS_ERROR: + return "zlib compress error"; + + case ZLIB_DECOMPRESS_ERROR: + return "zlib decompress error"; default: return "unknown error number"; diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index d54bbc200..6ee58c0b6 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -2324,7 +2324,7 @@ int fp_to_unsigned_bin(fp_int *a, unsigned char *b) #ifdef WOLFSSL_SMALL_STACK XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - return FP_OKAY; + return FP_OKAY; } int fp_unsigned_bin_size(fp_int *a) diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 939fba8a3..04c4a8552 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -66,9 +66,6 @@ enum wolfSSL_ErrorCodes { CLIENT_ID_ERROR = -331, /* psk client identity error */ SERVER_HINT_ERROR = -332, /* psk server hint error */ PSK_KEY_ERROR = -333, /* psk key error */ - ZLIB_INIT_ERROR = -334, /* zlib init error */ - ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ - ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ GETTIME_ERROR = -337, /* gettimeofday failed ??? */ GETITIMER_ERROR = -338, /* getitimer failed ??? */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 1c7d1b245..31ff20069 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -58,6 +58,9 @@ #include #include /* public interface */ +#if defined(NO_SHA) && defined(NO_SHA256) + #define WC_SHA256_DIGEST_SIZE 32 +#endif #ifdef __cplusplus extern "C" { @@ -85,6 +88,7 @@ enum ASN_Tags { ASN_UTF8STRING = 0x0c, ASN_SEQUENCE = 0x10, ASN_SET = 0x11, + ASN_PRINTABLE_STRING = 0x13, ASN_UTC_TIME = 0x17, ASN_OTHER_TYPE = 0x00, ASN_RFC822_TYPE = 0x01, @@ -99,6 +103,7 @@ enum ASN_Tags { /* ASN_Flags - Bitmask */ ASN_CONSTRUCTED = 0x20, + ASN_APPLICATION = 0x40, ASN_CONTEXT_SPECIFIC = 0x80, }; @@ -137,7 +142,7 @@ enum DN_Tags { #define WOLFSSL_BUS_CAT "/businessCategory=" #define WOLFSSL_JOI_C "/jurisdictionC=" #define WOLFSSL_JOI_ST "/jurisdictionST=" -#define WOLFSSL_EMAIL_ADDR "/emailAddress=" +#define WOLFSSL_EMAIL_ADDR "/emailAddress=" /* NIDs */ enum @@ -186,6 +191,24 @@ enum ECC_TYPES ECC_PREFIX_1 = 161 }; +#ifdef WOLFSSL_CERT_PIV + enum PIV_Tags { + ASN_PIV_CERT = 0x0A, + ASN_PIV_NONCE = 0x0B, + ASN_PIV_SIGNED_NONCE = 0x0C, + + ASN_PIV_TAG_CERT = 0x70, + ASN_PIV_TAG_CERT_INFO = 0x71, + ASN_PIV_TAG_MSCUID = 0x72, + ASN_PIV_TAG_ERR_DET = 0xFE, + + /* certificate info masks */ + ASN_PIV_CERT_INFO_COMPRESSED = 0x03, + ASN_PIV_CERT_INFO_ISX509 = 0x04, + }; +#endif /* WOLFSSL_CERT_PIV */ + + #define ASN_JOI_PREFIX "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01" #define ASN_JOI_C 0x3 #define ASN_JOI_ST 0x2 @@ -896,11 +919,17 @@ struct TrustedPeerCert { #define WOLFSSL_ASN_API WOLFSSL_LOCAL #endif - -#ifdef NO_SHA - #define CalcHashId(data, len, hash) wc_Sha256Hash(data, len, hash) +/* Macro for calculating hashId */ +#if defined(NO_SHA) && defined(NO_SHA256) + #ifdef WOLF_CRYPTO_DEV + #define CalcHashId(data, len, hash) wc_CryptoDevSha256Hash(data, len, hash) + #else + #define CalcHashId(data, len, hash) NOT_COMPILED_IN + #endif +#elif defined(NO_SHA) + #define CalcHashId(data, len, hash) wc_Sha256Hash(data, len, hash) #else - #define CalcHashId(data, len, hash) wc_ShaHash(data, len, hash) + #define CalcHashId(data, len, hash) wc_ShaHash(data, len, hash) #endif diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 1ace83395..9c5a1cf09 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -479,6 +479,27 @@ WOLFSSL_API int wc_GetTime(void* timePtr, word32 timeSize); #endif +#ifdef WOLFSSL_CERT_PIV + +typedef struct _wc_CertPIV { + const byte* cert; + word32 certSz; + const byte* certErrDet; + word32 certErrDetSz; + const byte* nonce; + word32 nonceSz; + const byte* signedNonce; + word32 signedNonceSz; + + /* flags */ + word16 compression:2; + word16 isX509:1; +} wc_CertPIV; + +WOLFSSL_API int wc_ParseCertPIV(wc_CertPIV* cert, const byte* buf, word32 totalSz); +#endif /* WOLFSSL_CERT_PIV */ + + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/wolfcrypt/compress.h b/wolfssl/wolfcrypt/compress.h index a35c3b0c9..4586d2aec 100644 --- a/wolfssl/wolfcrypt/compress.h +++ b/wolfssl/wolfcrypt/compress.h @@ -38,10 +38,13 @@ #define COMPRESS_FIXED 1 +#define LIBZ_WINBITS_GZIP 16 + WOLFSSL_API int wc_Compress(byte*, word32, const byte*, word32, word32); WOLFSSL_API int wc_DeCompress(byte*, word32, const byte*, word32); - +WOLFSSL_API int wc_DeCompress_ex(byte* out, word32 outSz, const byte* in, + word32 inSz, int windowBits); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/wolfcrypt/cryptodev.h b/wolfssl/wolfcrypt/cryptodev.h index 1b717e6fa..7f3035fe2 100644 --- a/wolfssl/wolfcrypt/cryptodev.h +++ b/wolfssl/wolfcrypt/cryptodev.h @@ -175,6 +175,8 @@ WOLFSSL_LOCAL int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out, #endif /* !NO_AES && HAVE_AESGCM */ +WOLFSSL_LOCAL int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash); + #endif /* WOLF_CRYPTO_DEV */ #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index b55df1231..1efc4259b 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -216,7 +216,11 @@ enum { WC_AFALG_SOCK_E = -264, /* AF_ALG socket error */ WC_DEVCRYPTO_E = -265, /* /dev/crypto error */ - WC_LAST_E = -265, /* Update this to indicate last error */ + ZLIB_INIT_ERROR = -266, /* zlib init error */ + ZLIB_COMPRESS_ERROR = -267, /* zlib compression error */ + ZLIB_DECOMPRESS_ERROR = -268, /* zlib decompression error */ + + WC_LAST_E = -268, /* Update this to indicate last error */ MIN_CODE_E = -300 /* errors -101 - -299 */ /* add new companion error id strings for any new error codes