diff --git a/configure.ac b/configure.ac index e5f0cecb9..64b2f80cf 100644 --- a/configure.ac +++ b/configure.ac @@ -194,7 +194,7 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" # Enable DH const table speedups (eliminates `-lm` math lib dependency) - AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=6144" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192" fi AM_CONDITIONAL([BUILD_ALL], [test "x$ENABLED_ALL" = "xyes"]) diff --git a/examples/server/server.c b/examples/server/server.c index 4eda55701..9d19773f6 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1889,6 +1889,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); } #endif +#ifndef NO_RSA +/* All the OSCP Stapling test certs are RSA. */ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) @@ -1900,6 +1902,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir"); #endif +#endif #ifdef HAVE_PK_CALLBACKS if (pkCallbacks) diff --git a/scripts/include.am b/scripts/include.am index 7cf8df579..3fc4208c6 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -15,6 +15,9 @@ dist_noinst_SCRIPTS+= scripts/resume.test EXTRA_DIST+= scripts/benchmark.test EXTRA_DIST+= scripts/memtest.sh +# The CRL and OCSP tests use RSA certificates. +if BUILD_RSA + if BUILD_CRL # make revoked test rely on completion of resume test dist_noinst_SCRIPTS+= scripts/crl-revoked.test @@ -46,6 +49,8 @@ endif endif +endif + if BUILD_PSK dist_noinst_SCRIPTS+= scripts/psk.test endif 
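Review bot: The increase of FP_MAX_BITS from 6144 to 8192 on the changed line is not explained, and the surviving comment above it still describes the setting purely as a DH const-table speedup. FP_MAX_BITS sizes every fixed-point fp_int and has to be at least twice the largest modulus the math library will multiply, so 8192 presumably exists to support 4096-bit RSA operations in this configuration; a comment such as `# FP_MAX_BITS must be >= 2x the largest key size; 8192 covers 4096-bit RSA` would record the reason. Since fp_int temporaries are typically stack-allocated, the larger value also grows stack usage in the math paths, which is worth noting if this flag set is used on constrained targets — confirm against the TFM settings.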
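Review bot: The comment added above the OCSP stapling guard misspells the protocol; it should read `/* All the OCSP Stapling test certs are RSA. */`. The matching `#endif` added in the second examples/server/server.c hunk carries no trailing comment, so with the existing `#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) ...` block nested inside it the two closers are hard to pair; `#endif /* !NO_RSA */` would mirror the `#endif /* NO_RSA */` style used in the src/ssl.c hunks of this same change. server_test continues outside both hunks.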
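Review bot: The `endif` added in the second scripts/include.am hunk closes the new `if BUILD_RSA` block without naming it, and because it directly follows the `endif` of the nested conditionals it wraps, the pairing is not obvious when reading the file. automake accepts the condition name after the keyword, so `endif BUILD_RSA` would both document the nesting and let automake check that it matches. This assumes `BUILD_RSA` is already declared with AM_CONDITIONAL in configure.ac; the configure.ac hunk shown here only touches CFLAGS, so that declaration is not visible in this diff.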
diff --git a/src/ssl.c b/src/ssl.c index ae1449ea7..766f55e5d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -26559,6 +26559,8 @@ static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, #endif /* WOLFSSL_KEY_GEN || WOLFSSL_PEM_TO_DER */ #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) + +#ifndef NO_RSA /* Takes a WOLFSSL_RSA key and writes it out to a WOLFSSL_BIO * * bio the WOLFSSL_BIO to write to @@ -26639,6 +26641,8 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* key, return ret; } +#endif /* NO_RSA */ + int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, const WOLFSSL_EVP_CIPHER* cipher, @@ -26666,9 +26670,11 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, keyDer = (byte*)key->pkey.ptr; switch (key->type) { +#ifndef NO_RSA case EVP_PKEY_RSA: type = PRIVATEKEY_TYPE; break; +#endif #ifndef NO_DSA case EVP_PKEY_DSA: @@ -29920,8 +29926,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } -#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) -/* needed SetName function from asn.c is wrapped by NO_RSA */ +#if defined(WOLFSSL_CERT_GEN) /* helper function for CopyX509NameToCertName() * * returns WOLFSSL_SUCCESS on success @@ -35598,6 +35603,8 @@ int wolfSSL_X509_get_signature_nid(const WOLFSSL_X509 *x) #endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_ALL) + +#ifndef NO_RSA int wolfSSL_EVP_PKEY_assign_RSA(EVP_PKEY* pkey, WOLFSSL_RSA* key) { if (pkey == NULL || key == NULL) @@ -35609,6 +35616,7 @@ int wolfSSL_EVP_PKEY_assign_RSA(EVP_PKEY* pkey, WOLFSSL_RSA* key) return WOLFSSL_SUCCESS; } +#endif int wolfSSL_EVP_PKEY_assign_EC_KEY(EVP_PKEY* pkey, WOLFSSL_EC_KEY* key) { 
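Review bot: Wrapping `case EVP_PKEY_RSA:` in `#ifndef NO_RSA` means an EVP_PKEY_RSA key passed to wolfSSL_PEM_write_bio_PrivateKey in a NO_RSA build now falls through to whatever the switch's `default` does; the remainder of the switch is outside the hunk. If that default substitutes a generic type or leaves `type` unset, the RSA key is not rejected and the write proceeds with DER the build cannot handle — confirm that the default path returns a failure, or add a `default: return WOLFSSL_FAILURE;` style rejection alongside this change.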
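Review bot: Dropping `!defined(NO_RSA)` from the WOLFSSL_CERT_GEN guard also deletes the comment that explained why it was there (SetName in asn.c being wrapped by NO_RSA), yet no asn.c change appears in the diff as shown. If SetName is still compiled only when RSA is enabled, the CopyX509NameToCertName helper that follows this guard will not resolve in a WOLFSSL_CERT_GEN + NO_RSA build — verify that asn.c was unwrapped in the same change, possibly in a part of the diff not visible here. The helper's body lies outside the hunk.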
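Review bot: The `#endif` added after wolfSSL_EVP_PKEY_assign_RSA is bare, whereas the equivalent closer added earlier in this file after wolfSSL_PEM_write_bio_RSAPrivateKey is written `#endif /* NO_RSA */`; with the enclosing `#if defined(OPENSSL_ALL)` block still open at the same point, the unlabelled closer is easy to misread. Writing `#endif /* NO_RSA */` here keeps the two consistent.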
@@ -36189,12 +36197,16 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, Cert cert; byte der[2048]; int derSz = sizeof(der); - void* key; - int type; + void* key = NULL; + int type = -1; int sigType; int hashType; +#ifndef NO_RSA RsaKey rsa; +#endif +#ifdef HAVE_ECC ecc_key ecc; +#endif WC_RNG rng; word32 idx = 0; @@ -36257,6 +36269,7 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, return WOLFSSL_FAILURE; /* Create a public key object from requests public key. */ +#ifndef NO_RSA if (req->pubKeyOID == RSAk) { type = RSA_TYPE; ret = wc_InitRsaKey(&rsa, req->heap); @@ -36270,7 +36283,9 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, } key = (void*)&rsa; } - else { +#endif +#ifdef HAVE_ECC + if (req->pubKeyOID == ECDSAk) { type = ECC_TYPE; ret = wc_ecc_init(&ecc); if (ret != 0) @@ -36283,6 +36298,9 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, } key = (void*)&ecc; } +#endif + if (key == NULL) + return WOLFSSL_FAILURE; /* Make the body of the certificate request. */ ret = wc_MakeCertReq_ex(&cert, der, derSz, type, key); @@ -36290,21 +36308,29 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, return WOLFSSL_FAILURE; /* Dispose of the public key object. */ +#ifndef NO_RSA if (req->pubKeyOID == RSAk) wc_FreeRsaKey(&rsa); - else +#endif +#ifdef HAVE_ECC + if (req->pubKeyOID == ECDSAk) wc_ecc_free(&ecc); +#endif idx = 0; /* Get the private key object and type from pkey. */ +#ifndef NO_RSA if (pkey->type == EVP_PKEY_RSA) { type = RSA_TYPE; key = pkey->rsa->internal; } - else { +#endif +#ifdef HAVE_ECC + if (pkey->type == EVP_PKEY_EC) { type = ECC_TYPE; key = pkey->ecc->internal; } +#endif /* Sign the certificate request body. */ ret = wc_InitRng(&rng); diff --git a/tests/api.c b/tests/api.c index 5383d4352..24486f134 100644 --- a/tests/api.c +++ b/tests/api.c 
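Review bot: After the public-key object is disposed, `key` still points at the freed local `rsa` or `ecc`, and the private-key block that follows only reassigns it when `pkey->type` is EVP_PKEY_RSA or EVP_PKEY_EC. Before this change the `else` branch guaranteed an assignment; now a pkey whose type matches neither compiled branch leaves `key` dangling and `type` holding the public key's type, and the code goes on to initialise the RNG and sign with a freed key object. Reset the pointer after disposal, `key = NULL;`, and reuse the check introduced in the earlier hunk of this function, `if (key == NULL) return WOLFSSL_FAILURE;`, before `wc_InitRng(&rng)` is called. wolfSSL_X509_REQ_sign continues outside the hunk.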
@@ -744,7 +744,7 @@ static void test_wolfSSL_CTX_use_certificate_file(void) #endif } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) static int test_wolfSSL_CTX_use_certificate_ASN1(void) { #if !defined(NO_CERTS) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_ASN) @@ -765,7 +765,7 @@ static int test_wolfSSL_CTX_use_certificate_ASN1(void) return WOLFSSL_SUCCESS; #endif } -#endif /* OPENSSL_ALL || WOLFSSL_ASIO */ +#endif /* (OPENSSL_ALL || WOLFSSL_ASIO) && !NO_RSA */ /* Test function for wolfSSL_CTX_use_certificate_buffer. Load cert into * context using buffer. @@ -880,10 +880,12 @@ static void test_wolfSSL_CTX_load_verify_locations(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT) WOLFSSL_CTX *ctx; +#ifndef NO_RSA WOLFSSL_CERT_MANAGER* cm; #ifdef PERSIST_CERT_CACHE int cacheSz; #endif +#endif #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS) const char* load_certs_path = "./certs/external"; const char* load_no_certs_path = "./examples"; @@ -908,9 +910,8 @@ static void test_wolfSSL_CTX_load_verify_locations(void) /* load ca cert */ #ifdef NO_RSA AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E); -#else +#else /* Skip the following test without RSA certs. */ AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS); -#endif #ifdef PERSIST_CERT_CACHE /* Get cert cache size */ @@ -925,11 +926,7 @@ static void test_wolfSSL_CTX_load_verify_locations(void) #endif /* load ca cert again */ -#ifdef NO_RSA - AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E); -#else AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS); -#endif /* Test getting CERT_MANAGER */ AssertNotNull(cm = wolfSSL_CTX_GetCertManager(ctx)); 
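Review bot: The comment placed on the `#else` line, `/* Skip the following test without RSA certs. */`, reads as if the `#else` branch is the one being skipped, whereas it is the branch that runs when RSA is available and now spans the whole cert-manager section down to the `#endif` added in the `@@ -941` hunk. Moving the explanation to the opening line, e.g. `#ifdef NO_RSA /* without RSA the CA cert cannot load; the cert-manager checks below are skipped */`, and labelling the new closer `#endif /* !NO_RSA */` would make the roughly thirty-line conditional readable; as added, that `#endif` is bare and sits directly next to another bare `#endif`.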
@@ -941,6 +938,7 @@ static void test_wolfSSL_CTX_load_verify_locations(void) /* Verify no certs (result is less than cacheSz) */ AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx)); #endif +#endif #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS) /* Test loading CA certificates using a path */ @@ -1067,7 +1065,8 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void) static void test_wolfSSL_CertManagerCRL(void) { -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ + !defined(NO_RSA) const char* ca_cert = "./certs/ca-cert.pem"; const char* crl1 = "./certs/crl/crl.pem"; @@ -1097,7 +1096,7 @@ static void test_wolfSSL_CTX_load_verify_chain_buffer_format(void) { #if !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT) && \ defined(USE_CERT_BUFFERS_2048) && defined(OPENSSL_EXTRA) && \ -defined(WOLFSSL_CERT_GEN) +defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) WOLFSSL_CTX* ctx; @@ -1246,9 +1245,11 @@ static void test_wolfSSL_CTX_der_load_verify_locations(void) /* Case 5 filePath empty */ AssertIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, emptyPath, WOLFSSL_FILETYPE_ASN1), WOLFSSL_FAILURE); +#ifndef NO_RSA /* Case 6 success case */ AssertIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif wolfSSL_CTX_free(ctx); #endif @@ -16354,7 +16355,11 @@ static void test_wc_PKCS7_Degenerate(void) AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId)); AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0); AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0); +#ifndef NO_RSA AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0); +#else + AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0); +#endif wc_PKCS7_Free(pkcs7); /* test with turning off degenerate cases */ 
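Review bot: Under NO_RSA the success case for wolfSSL_CTX_der_load_verify_locations is simply compiled out, whereas the PKCS7 hunks in this same commit (`@@ -16354`, `@@ -16589`, `@@ -16599`, `@@ -16607`) add an `#else` branch asserting the failure result. Asserting here as well, along the lines of `#else AssertIntNE(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);`, would keep the NO_RSA configuration covered instead of silently untested. The exact error an RSA DER certificate yields without RSA should be confirmed before pinning it — the PEM variant in the `@@ -908` hunk expects ASN_UNKNOWN_OID_E.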
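Review bot: `AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0)` in the new `#else` branch accepts any non-zero result, so it would still pass if the failure moved from an unsupported-algorithm error to, say, a parse or memory error. The later hunk in test_wc_PKCS7_BER (`@@ -16607`) pins NOT_COMPILED_IN for the enveloped-data call; the same precision is worth applying here and in the `@@ -16589` and `@@ -16599` branches once the expected code for an RSA-signed PKCS7 under NO_RSA is confirmed.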
@@ -16589,7 +16594,11 @@ static void test_wc_PKCS7_BER(void) AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId)); AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0); AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0); +#ifndef NO_RSA AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0); +#else + AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0); +#endif wc_PKCS7_Free(pkcs7); #ifndef NO_DES3 @@ -16599,7 +16608,11 @@ static void test_wc_PKCS7_BER(void) derSz = (word32)ret; XFCLOSE(f); AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId)); +#ifndef NO_RSA AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, der, derSz), 0); +#else + AssertIntNE(wc_PKCS7_InitWithCert(pkcs7, der, derSz), 0); +#endif AssertNotNull(f = XFOPEN("./certs/1024/client-key.der", "rb")); AssertIntGT((ret = (int)fread(der, 1, sizeof(der), f)), 0); @@ -16607,8 +16620,13 @@ static void test_wc_PKCS7_BER(void) XFCLOSE(f); pkcs7->privateKey = der; pkcs7->privateKeySz = derSz; +#ifndef NO_RSA AssertIntGT(wc_PKCS7_DecodeEnvelopedData(pkcs7, berContent, sizeof(berContent), decoded, sizeof(decoded)), 0); +#else + AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, berContent, + sizeof(berContent), decoded, sizeof(decoded)), NOT_COMPILED_IN); +#endif wc_PKCS7_Free(pkcs7); #endif /* !NO_DES3 */ @@ -17671,7 +17689,8 @@ static void test_wolfSSL_PEM_PrivateKey(void) #endif /* key is DES encrypted */ - #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_FILESYSTEM) + #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && \ + !defined(NO_RSA) && !defined(NO_FILESYSTEM) { pem_password_cb* passwd_cb; void* passwd_cb_userdata; @@ -18766,7 +18785,7 @@ static void test_wolfSSL_CTX_set_srp_password(void) static void test_wolfSSL_X509_STORE(void) { -#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_RSA) X509_STORE *store; X509_CRL *crl; X509 *x509; 
@@ -19243,7 +19262,8 @@ static void test_wolfSSL_set_options(void) * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined. */ static void test_wolfSSL_set_tlsext_status_type(void){ - #if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) + #if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(NO_RSA) SSL* ssl; SSL_CTX* ctx; @@ -19257,7 +19277,7 @@ static void test_wolfSSL_set_tlsext_status_type(void){ == SSL_SUCCESS); SSL_free(ssl); SSL_CTX_free(ctx); - #endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST */ + #endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */ } static void test_wolfSSL_PEM_read_bio(void) @@ -20546,12 +20566,14 @@ static void test_wolfSSL_d2i_PUBKEY(void) #endif } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) static void test_wolfSSL_d2i_PrivateKeys_bio(void) { BIO* bio = NULL; EVP_PKEY* pkey = NULL; +#ifndef NO_RSA RSA* rsa = NULL; +#endif WOLFSSL_CTX* ctx; #if defined(WOLFSSL_KEY_GEN) @@ -20624,13 +20646,14 @@ static void test_wolfSSL_d2i_PrivateKeys_bio(void) AssertNotNull(bio = BIO_new(BIO_s_mem())); AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#ifndef NO_RSA /* Tests bad parameters */ AssertNull(d2i_RSAPrivateKey_bio(NULL, NULL)); /* RSA not set yet, expecting to fail*/ AssertIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), BAD_FUNC_ARG); -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) +#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN) /* set RSA using bio*/ AssertIntGT(BIO_write(bio, client_key_der_2048, sizeof_client_key_der_2048), 0); 
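Review bot: The `#ifndef NO_RSA` around `RSA* rsa = NULL;` is redundant: the enclosing guard on the line just above now reads `(defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA)`, so the whole of test_wolfSSL_d2i_PrivateKeys_bio is already compiled out without RSA. The same applies to the `#ifndef NO_RSA` added in `@@ -20624` and the `#endif /* NO_RSA */` it pairs with in `@@ -20642`; dropping the inner guards leaves the function body flat and spares a reader from wondering what a NO_RSA path inside it could mean.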
@@ -20642,13 +20665,13 @@ static void test_wolfSSL_d2i_PrivateKeys_bio(void) AssertIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), sizeof_client_key_der_2048); +#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */ RSA_free(rsa); -#endif +#endif /* NO_RSA */ SSL_CTX_free(ctx); ctx = NULL; BIO_free(bio); bio = NULL; - (void)rsa; printf(resultFmt, passed); } #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ @@ -21849,7 +21872,7 @@ static void test_wc_GetPkcs8TraditionalOffset(void) static void test_wc_SetSubjectRaw(void) { #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA) const char* joiCertFile = "./certs/test/cert-ext-joi.pem"; WOLFSSL_X509* x509; int peerCertSz; @@ -21891,7 +21914,7 @@ static void test_wc_GetSubjectRaw(void) static void test_wc_SetIssuerRaw(void) { #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA) const char* joiCertFile = "./certs/test/cert-ext-joi.pem"; WOLFSSL_X509* x509; int peerCertSz; @@ -21917,7 +21940,7 @@ static void test_wc_SetIssuerRaw(void) static void test_wc_SetIssueBuffer(void) { #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA) const char* joiCertFile = "./certs/test/cert-ext-joi.pem"; WOLFSSL_X509* x509; int peerCertSz; 
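Review bot: `RSA_free(rsa)` now sits after the `#endif` for USE_CERT_BUFFERS_2048 && WOLFSSL_KEY_GEN, so in builds without those defines it is reached with the `rsa = NULL` initial value; that is only safe if wolfSSL's RSA_free tolerates NULL — confirm, otherwise keep the call inside the block as it was. The unchanged `#endif /* OPENSSL_ALL || WOLFSSL_ASIO */` at the end of the function was not updated to mention `!NO_RSA`, unlike the closer changed in `@@ -765`, and the same stale comment closes the call site in `@@ -23870`. The new `/* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */` comment also omits the `&&` that the condition it closes uses.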
@@ -23253,7 +23276,8 @@ static void test_wolfSSL_X509_CRL(void) static void test_wolfSSL_PEM_read_X509(void) { -#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) X509 *x509 = NULL; XFILE fp; @@ -23870,7 +23894,7 @@ void ApiTest(void) test_wolfSSL_DES_ncbc(); test_wolfSSL_AES_cbc_encrypt(); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) AssertIntEQ(test_wolfSSL_CTX_use_certificate_ASN1(), WOLFSSL_SUCCESS); test_wolfSSL_d2i_PrivateKeys_bio(); #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index ae350a378..c32a9b6ed 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -8685,7 +8685,10 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) static const char* eccKeyDerFile = CERT_ROOT "ecc-key.der"; #endif #ifdef WOLFSSL_CERT_GEN - static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der"; + #ifndef NO_RSA + /* eccKeyPubFile is used in a test that requires RSA. */ + static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der"; + #endif static const char* eccCaKeyFile = CERT_ROOT "ca-ecc-key.der"; static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem"; #ifdef ENABLE_ECC384_CERT_GEN_TEST @@ -8836,7 +8839,7 @@ static const CertName certDefaultName = { static const char certKeyUsage[] = "digitalSignature,nonRepudiation"; #endif - #if defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU) + #if (defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU)) && !defined(NO_RSA) static const char certKeyUsage2[] = "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement"; #endif