From fa21fb4a2778044531af1a81c46374b74ef3ed9b Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 12 Mar 2018 15:44:48 -0600
Subject: [PATCH 1/5] more aes macro key size guards
---
 wolfcrypt/src/pkcs7.c | 74 +++++++++++++++++++++++++++++++++++------
 wolfssl/wolfcrypt/asn.h | 14 ++++++++
 2 files changed, 78 insertions(+), 10 deletions(-)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 2a4335b33..833ab544a 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -157,9 +157,15 @@ static int wc_PKCS7_GetOIDBlockSize(int oid)
 switch (oid) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
+ #endif
 blockSz = AES_BLOCK_SIZE;
 break;
 #endif
@@ -185,20 +191,24 @@ static int wc_PKCS7_GetOIDKeySize(int oid)
 switch (oid) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
 case AES128_WRAP:
 blockKeySz = 16;
 break;
-
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
 case AES192_WRAP:
 blockKeySz = 24;
 break;
-
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
 case AES256_WRAP:
 blockKeySz = 32;
 break;
+ #endif
 #endif
 #ifndef NO_DES3
 case DESb:
@@ -2165,9 +2175,15 @@ static int wc_PKCS7_KariKeyWrap(byte* cek, word32 cekSz, byte* kek,
 switch (keyWrapAlgo) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256_WRAP:
+ #endif
 if (direction == AES_ENCRYPTION) {
@@ -2669,9 +2685,15 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert,
 /* set direction based on keyWrapAlgo */
 switch (keyWrapAlgo) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256_WRAP:
+ #endif
 direction = AES_ENCRYPTION;
 break;
 #endif
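Review bot: In wc_PKCS7_GetOIDBlockSize the three `case` labels are now individually optional, but the shared arm (`blockSz = AES_BLOCK_SIZE; break;`) is still guarded only by `#ifndef NO_AES`, so a build that leaves NO_AES undefined and enables none of WOLFSSL_AES_128/192/256 compiles that arm as unreachable statements ahead of the first label. Whether the configuration headers rule that combination out is not visible here; if they do not, guard the whole arm with `#if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || defined(WOLFSSL_AES_256)` rather than `#ifndef NO_AES`. The same shape recurs in the wc_PKCS7_KariKeyWrap, wc_CreateKeyAgreeRecipientInfo, wc_PKCS7_EncryptContent, wc_PKCS7_DecryptContent and wc_PKCS7_DecodeKari hunks. The function body starts and ends outside the hunk.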
@@ -3104,13 +3126,26 @@ static int wc_PKCS7_EncryptContent(int encryptOID, byte* key, int keySz,
 switch (encryptOID) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
- if ( (encryptOID == AES128CBCb && keySz != 16 ) ||
- (encryptOID == AES192CBCb && keySz != 24 ) ||
- (encryptOID == AES256CBCb && keySz != 32 ) ||
- (ivSz != AES_BLOCK_SIZE) )
+ #endif
+ if (
+ #ifdef WOLFSSL_AES_128
+ (encryptOID == AES128CBCb && keySz != 16 ) ||
+ #endif
+ #ifdef WOLFSSL_AES_192
+ (encryptOID == AES192CBCb && keySz != 24 ) ||
+ #endif
+ #ifdef WOLFSSL_AES_256
+ (encryptOID == AES256CBCb && keySz != 32 ) ||
+ #endif
+ (ivSz != AES_BLOCK_SIZE) )
 return BAD_FUNC_ARG;
 ret = wc_AesSetKey(&aes, key, keySz, iv, AES_ENCRYPTION);
@@ -3168,13 +3203,26 @@ static int wc_PKCS7_DecryptContent(int encryptOID, byte* key, int keySz,
 switch (encryptOID) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
- if ( (encryptOID == AES128CBCb && keySz != 16 ) ||
- (encryptOID == AES192CBCb && keySz != 24 ) ||
- (encryptOID == AES256CBCb && keySz != 32 ) ||
- (ivSz != AES_BLOCK_SIZE) )
+ #endif
+ if (
+ #ifdef WOLFSSL_AES_128
+ (encryptOID == AES128CBCb && keySz != 16 ) ||
+ #endif
+ #ifdef WOLFSSL_AES_192
+ (encryptOID == AES192CBCb && keySz != 24 ) ||
+ #endif
+ #ifdef WOLFSSL_AES_256
+ (encryptOID == AES256CBCb && keySz != 32 ) ||
+ #endif
+ (ivSz != AES_BLOCK_SIZE) )
 return BAD_FUNC_ARG;
 ret = wc_AesSetKey(&aes, key, keySz, iv, AES_DECRYPTION);
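Review bot: The key-length test in the AES arm of wc_PKCS7_EncryptContent now threads three `#ifdef` blocks through a single `if` condition and repeats the 16/24/32 table that wc_PKCS7_GetOIDKeySize already holds under the same guards. Since this arm is entered only for an enabled AES-CBC OID, the check could read `if (keySz != wc_PKCS7_GetOIDKeySize(encryptOID) || ivSz != AES_BLOCK_SIZE)`, assuming that helper returns `blockKeySz` as its hunk suggests. That leaves one source of truth for the length that reaches wc_AesSetKey. The identical condition in the wc_PKCS7_DecryptContent hunk would change the same way; both functions continue outside their hunks.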
@@ -4172,9 +4220,15 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
 /* set direction based on key wrap algorithm */
 switch (keyWrapOID) {
 #ifndef NO_AES
+ #ifdef WOLFSSL_AES_128
 case AES128_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192_WRAP:
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256_WRAP:
+ #endif
 direction = AES_DECRYPTION;
 break;
 #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index e76aff46b..853c12f5e 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -261,11 +261,19 @@ enum Hash_Sum {
 enum Block_Sum {
+#ifdef WOLFSSL_AES_128
 AES128CBCb = 414,
+#endif
+#ifdef WOLFSSL_AES_192
 AES192CBCb = 434,
+#endif
+#ifdef WOLFSSL_AES_256
 AES256CBCb = 454,
+#endif
+#ifndef NO_DES3
 DESb = 69,
 DES3b = 652
+#endif
 };
@@ -279,9 +287,15 @@ enum Key_Sum {
 enum KeyWrap_Sum {
+#ifdef WOLFSSL_AES_128
 AES128_WRAP = 417,
+#endif
+#ifdef WOLFSSL_AES_192
 AES192_WRAP = 437,
+#endif
+#ifdef WOLFSSL_AES_256
 AES256_WRAP = 457
+#endif
 };
From 6b04ebe3a4b48404f3bbfebbf860af33a1b1d6a3 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 12 Mar 2018 16:12:10 -0600
Subject: [PATCH 2/5] fix for compiling with different build settings
---
 src/ssl.c | 8 ++++++++
 wolfcrypt/src/asn.c | 4 ++++
 2 files changed, 12 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 75709d657..22911a1ad 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -30082,16 +30082,24 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 /* oidBlkType */
 case oidBlkType:
 switch (oid) {
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
 return AES128CBCb;
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
 return AES192CBCb;
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
 return AES256CBCb;
+ #endif
+ #ifndef NO_DES3
 case DESb:
 return NID_des;
 case DES3b:
 return NID_des3;
+ #endif
 }
 break;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index d81f8d4b3..48aa63c33 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
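Review bot: The default arm that now receives AES key-wrap OIDs for compiled-out key sizes lies outside this hunk of wc_PKCS7_DecodeKari, so it is not visible whether `direction` can be used without having been set. `keyWrapOID` is presumably parsed from `pkiMsg`, so a message can select any of the three wrap OIDs regardless of how the library was built. Please confirm the default arm returns an error, and say so at the switch with a comment such as `/* wrap OIDs for key sizes not compiled in are rejected by the default arm */`.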
@@ -2432,15 +2432,19 @@ static int CheckAlgo(int first, int second, int* id, int* version)
 static int CheckAlgoV2(int oid, int* id)
 {
 switch (oid) {
+#ifndef NO_DES3
 case DESb:
 *id = PBE_SHA1_DES;
 return 0;
 case DES3b:
 *id = PBE_SHA1_DES3;
 return 0;
+#endif
+#ifdef WOLFSSL_AES_256
 case AES256CBCb:
 *id = PBE_AES256_CBC;
 return 0;
+#endif
 default:
 return ALGO_ID_E;
From c41bc8205cf30c479dbbcd7318123c58e684c185 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 12 Mar 2018 16:41:26 -0600
Subject: [PATCH 3/5] account for build with no aes and no des3
---
 wolfssl/wolfcrypt/asn.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 853c12f5e..b29636751 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -260,6 +260,7 @@ enum Hash_Sum {
 };
+#if !defined(NO_DES3) || !defined(NO_AES)
 enum Block_Sum {
 #ifdef WOLFSSL_AES_128
 AES128CBCb = 414,
@@ -275,6 +276,7 @@ enum Block_Sum {
 DES3b = 652
 #endif
 };
+#endif /* !NO_DES3 || !NO_AES */
 enum Key_Sum {
@@ -286,6 +288,7 @@ enum Key_Sum {
 };
+#ifndef NO_AES
 enum KeyWrap_Sum {
 #ifdef WOLFSSL_AES_128
 AES128_WRAP = 417,
@@ -297,7 +300,7 @@ enum KeyWrap_Sum {
 AES256_WRAP = 457
 #endif
 };
-
+#endif /* !NO_AES */
 enum Key_Agree {
 dhSinglePass_stdDH_sha1kdf_scheme = 464,
From 8fb3ccacb7e7901013c745acfd7a8e7596371592 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 12 Mar 2018 18:05:24 -0600
Subject: [PATCH 4/5] opensslextra fixs and warning for unused variable
---
 src/ssl.c | 19 ++++++++++++++++++-
 wolfcrypt/src/asn.c | 1 +
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 22911a1ad..7c0ef5b76 100644
--- a/src/ssl.c
+++ b/src/ssl.c
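Review bot: The outer guard added around `enum Block_Sum` in wolfssl/wolfcrypt/asn.h (PATCH 3/5, hunk @@ -260) tests NO_DES3 and NO_AES, while the enumerators inside are selected by WOLFSSL_AES_128/192/256. With NO_DES3 defined, NO_AES undefined and no size macro set, the declaration still collapses to `enum Block_Sum { };`, which C does not allow. `enum KeyWrap_Sum` under `#ifndef NO_AES` (hunks @@ -286 and @@ -297) has the same gap, and when WOLFSSL_AES_256 is off its last remaining enumerator keeps a trailing comma that pre-C99 compilers may reject. If the settings headers do not already force at least one size on, key the guards on the size macros, e.g. `#if !defined(NO_DES3) || defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || defined(WOLFSSL_AES_256)`.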
@@ -29435,20 +29435,25 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 #endif /* HAVE_ECC */
 /* oidBlkType */
+ #ifdef WOLFSSL_AES_128
 case AES128CBCb:
 sName = "AES-128-CBC";
 type = oidBlkType;
 break;
-
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192CBCb:
 sName = "AES-192-CBC";
 type = oidBlkType;
 break;
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256CBCb:
 sName = "AES-256-CBC";
 type = oidBlkType;
 break;
+ #endif
 #ifndef NO_DES3
 case NID_des:
@@ -29607,20 +29612,26 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 break;
 /* oidKeyWrapType */
+ #ifdef WOLFSSL_AES_128
 case AES128_WRAP:
 sName = "AES-128 wrap";
 type = oidKeyWrapType;
 break;
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192_WRAP:
 sName = "AES-192 wrap";
 type = oidKeyWrapType;
 break;
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256_WRAP:
 sName = "AES-256 wrap";
 type = oidKeyWrapType;
 break;
+ #endif
 /* oidCmsKeyAgreeType */
 #ifndef NO_SHA
@@ -30203,12 +30214,18 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 /* oidKeyWrapType */
 case oidKeyWrapType:
 switch (oid) {
+ #ifdef WOLFSSL_AES_128
 case AES128_WRAP:
 return AES128_WRAP;
+ #endif
+ #ifdef WOLFSSL_AES_192
 case AES192_WRAP:
 return AES192_WRAP;
+ #endif
+ #ifdef WOLFSSL_AES_256
 case AES256_WRAP:
 return AES256_WRAP;
+ #endif
 }
 break;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 48aa63c33..8f3fbac79 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -2431,6 +2431,7 @@ static int CheckAlgo(int first, int second, int* id, int* version)
 < 0 on error */
 static int CheckAlgoV2(int oid, int* id)
 {
+ (void)id; /* not used if AES and DES3 disabled */
 switch (oid) {
 #ifndef NO_DES3
 case DESb:
From a207cae0f4738bc5ce9379c41f81c9c3a203de42 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 14 Mar 2018 17:24:23 -0600
Subject: [PATCH 5/5] add some more macro guards to reduce size
---
 wolfcrypt/src/pkcs7.c | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 833ab544a..fd8f67b44 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -737,53 +737,68 @@ static int wc_PKCS7_SignedDataGetEncAlgoId(PKCS7* pkcs7, int* digEncAlgoId,
 algoType = oidSigType;
 switch (pkcs7->hashOID) {
+ #ifndef NO_SHA
 case SHAh:
 algoId = CTC_SHAwRSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA224
 case SHA224h:
 algoId = CTC_SHA224wRSA;
 break;
-
+ #endif
+ #ifndef NO_SHA256
 case SHA256h:
 algoId = CTC_SHA256wRSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA384
 case SHA384h:
 algoId = CTC_SHA384wRSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA512
 case SHA512h:
 algoId = CTC_SHA512wRSA;
 break;
+ #endif
 }
- } else if (pkcs7->publicKeyOID == ECDSAk) {
+ }
+#ifdef HAVE_ECC
+ else if (pkcs7->publicKeyOID == ECDSAk) {
 algoType = oidSigType;
 switch (pkcs7->hashOID) {
+ #ifndef NO_SHA
 case SHAh:
 algoId = CTC_SHAwECDSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA224
 case SHA224h:
 algoId = CTC_SHA224wECDSA;
 break;
-
+ #endif
+ #ifndef NO_SHA256
 case SHA256h:
 algoId = CTC_SHA256wECDSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA384
 case SHA384h:
 algoId = CTC_SHA384wECDSA;
 break;
-
+ #endif
+ #ifdef WOLFSSL_SHA512
 case SHA512h:
 algoId = CTC_SHA512wECDSA;
 break;
+ #endif
 }
 }
+#endif /* HAVE_ECC */
 if (algoId == 0) {
 WOLFSSL_MSG("Invalid signature algorithm type");
@@ -4456,8 +4471,11 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
 return ASN_PARSE_E;
 /* TODO :: make this more accurate */
- if ((pkcs7->publicKeyOID == RSAk && version != 0) ||
- (pkcs7->publicKeyOID == ECDSAk && version != 2)) {
+ if ((pkcs7->publicKeyOID == RSAk && version != 0)
+ #ifdef HAVE_ECC
+ || (pkcs7->publicKeyOID == ECDSAk && version != 2)
+ #endif
+ ) {
 WOLFSSL_MSG("PKCS#7 envelopedData needs to be of version 0");
 return ASN_VERSION_E;
 }
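Review bot: Neither `switch (pkcs7->hashOID)` in wc_PKCS7_SignedDataGetEncAlgoId has a `default:` arm, and with every label now conditional a hash that is compiled out is rejected only because `algoId` is still 0 at the later `if (algoId == 0)` test. The initialisation of `algoId` is outside the hunk, so that dependency deserves a comment next to each switch, e.g. `/* hashes not compiled in leave algoId at 0, rejected below */`, or an explicit `default: break;`. The function starts and ends outside the hunk.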
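Review bot: With HAVE_ECC undefined the version test in wc_PKCS7_DecodeEnvelopedData covers only RSAk, so an ECDSAk `publicKeyOID` passes this point with no version validation; whether later code rejects it is not visible in the hunk. The log text `"PKCS#7 envelopedData needs to be of version 0"` is also inaccurate for the ECDSAk arm, which expects version 2; `WOLFSSL_MSG("PKCS#7 envelopedData version does not match key type");` would fit both arms. The function body continues outside the hunk.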