wolfssl/wolfcrypt/wolfmath.h: don't include an MPI header if NO_BIG_INT is

defined, and issue a #error if no MPI backend gate is defined and NO_BIG_INT
   is not defined either.

configure.ac:
* add support for FIPS lean-aesgcm[-{ready,dev}].
* implement handler for --enable-sha256.
* move setup for WOLFSSL_FIPS_DEV and WOLFSSL_FIPS_READY into the applicable
    per-flavor sections.
* fix sensing of $ENABLED_AESGCM in FIPS setup clauses to pivot on `!= "no"`
    rather than `= "yes"`, to accommodate "4bit" and other non-"yes" values.
* fix SNI_DEFAULT to be "no" if $ENABLED_TLS = no.
* fix ENABLED_DHDEFAULTPARAMS default to be $ENABLED_DH rather than yes.

wc_encrypt.c: add missing gates in wc_CryptKey() for NO_SHA256.

wolfcrypt/test/test.c: gating fixes for NO_SHA256.

wolfcrypt/benchmark/benchmark.c: basic fixes for building/running with
  --disable-rng (-DWC_NO_RNG).

With the above additions and fixes, it's now a clean build, test, and benchmark,
  with --disable-sha256 --enable-cryptonly --disable-hashdrbg --disable-rng
  --disable-hmac, though RSA/DH/ECC benches are disabled.
Daniel Pouzzner
2025-03-20 20:00:23 -05:00
parent 18ac695bb2
commit b544354306
5 changed files with 299 additions and 39 deletions


@ -529,9 +529,16 @@ AS_CASE([$ENABLED_FIPS],
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
FIPS_VERSION="$ENABLED_FIPS"
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
],
[
AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, no, disabled)])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, lean-aesgcm, no, disabled)])
])
if test -z "$HAVE_FIPS_VERSION_MAJOR"
@ -3913,6 +3920,19 @@ then
fi
# SHA256
AC_ARG_ENABLE([sha256],
[AS_HELP_STRING([--enable-sha256],[Enable wolfSSL SHA256 support (default: enabled)])],
[ ENABLED_SHA256=$enableval ],
[ ENABLED_SHA256=yes ]
)
if test "$ENABLED_SHA256" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA256"
fi
# set sha224 default
SHA224_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
@ -3921,7 +3941,7 @@ then
( test "x$ENABLED_FIPS" = "xno" ||
( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) )
then
SHA224_DEFAULT=yes
SHA224_DEFAULT=$ENABLED_SHA256
fi
fi
@ -3934,6 +3954,10 @@ AC_ARG_ENABLE([sha224],
if test "$ENABLED_SHA224" = "yes"
then
if test "$ENABLED_SHA256" = "no"
then
AC_MSG_ERROR([Enabling SHA224 requires enabling SHA256.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"
fi
@ -5448,13 +5472,14 @@ AC_ARG_ENABLE([aeskeywrap],
# FIPS feature and macro setup
AS_IF([test "$FIPS_VERSION" = "dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AS_CASE([$FIPS_VERSION],
[v6|ready|dev],[ # FIPS 140-3 SRTP-KDF
AS_IF([test "$FIPS_VERSION" = "dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
@ -5473,7 +5498,7 @@ AS_CASE([$FIPS_VERSION],
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and do not use seed callback
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
@ -5617,10 +5642,10 @@ AS_CASE([$FIPS_VERSION],
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
[ENABLED_AESXTS_STREAM="yes"])
AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" = "yes" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" = "yes" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" = "yes" && test "$HAVE_AESOFB_PORT" != "yes")],
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
@ -5633,6 +5658,225 @@ AS_CASE([$FIPS_VERSION],
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DNO_BIG_INT \
-DWC_RNG_SEED_CB"
# optimizations section
# protocol section
AS_IF([test "$ENABLED_CRYPTONLY" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_cryptonly" != "no")],
[ENABLED_CRYPTONLY="yes"; enable_cryptonly="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"])
AS_IF([test "$ENABLED_TLS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_tls" != "yes")],
[ENABLED_TLS="no"; enable_tls="no"; AM_CFLAGS="$AM_CFLAGS -DNO_TLS"])
AS_IF([test "$ENABLED_TLSV12" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_tlsv12" != "yes")],
[ENABLED_TLSV12="no"; enable_tlsv12="no"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_TLS12"])
AS_IF([test "$ENABLED_ASN" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_asn" != "yes")],
[ENABLED_ASN="no"; enable_asn="no"; AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"])
AS_IF([test "$ENABLED_SEND_HRR_COOKIE" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_hrrcookie" != "yes")],
[ENABLED_SEND_HRR_COOKIE="no"; enable_hrrcookie="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SEND_HRR_COOKIE"])
AS_IF([test "$ENABLED_WOLFSSH" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ssh" != "yes")],
[ENABLED_WOLFSSH="no"; enable_ssh="no"])
AS_IF([test "$ENABLED_HKDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_hkdf" != "yes")],
[enable_hkdf="no"; ENABLED_HKDF="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_HKDF"])
AS_IF([test "$ENABLED_PWDBASED" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_pwdbased" != "no")],
[enable_pwdbased="yes"; ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2"])
AS_IF([test "$ENABLED_SRTP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp" != "yes")],
[enable_srtp="no"; ENABLED_SRTP="no"])
AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp_kdf" != "yes")],
[enable_srtp_kdf="no"; ENABLED_SRTP_KDF="no"])
AS_IF([test "$ENABLED_PKCS8" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_pkcs8" != "yes")],
[enable_pkcs8="no"; ENABLED_PKCS8="no"; AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"])
# public key section
AS_IF([test "$ENABLED_SP_MATH_ALL" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sp_math_all" != "yes")],
[enable_sp_math_all="no"; ENABLED_SP_MATH_ALL="no"])
AS_IF([test "$ENABLED_KEYGEN" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_keygen" != "yes")],
[enable_keygen="no"; ENABLED_KEYGEN="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_KEY_GEN"])
AS_IF([test "$ENABLED_COMPKEY" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_compkey" != "yes")],
[enable_compkey="no"; ENABLED_COMPKEY="no"])
AS_IF([test "$ENABLED_RSA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsa" != "yes")],
[enable_rsa="no"; ENABLED_RSA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_RSA"])
AS_IF([test "$ENABLED_RSAPSS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsapss" != "yes")],
[enable_rsapss="no"; ENABLED_RSAPSS="no"; AM_CFLAGS="$AM_CFLAGS -UWC_RSA_PSS"])
AS_IF([test "$ENABLED_DH" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_dh" != "yes")],
[enable_dh="no"; ENABLED_DH="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
AS_IF([test "$ENABLED_ECC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ecc" != "yes")],
[enable_ecc="no"; ENABLED_ECC="no"; ENABLED_ECCMINSZ="n/a"; ENABLED_ECC_SHAMIR="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ECC -UTFM_ECC256 -UECC_MIN_KEY_SZ -UECC_SHAMIR"])
AS_IF([test "$ENABLED_ED25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519" != "yes")],
[enable_ed25519="no"; ENABLED_ED25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED25519 -UHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve25519" != "yes")],
[enable_curve25519="no"; ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE25519"])
AS_IF([test "$ENABLED_ED448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448" != "yes")],
[enable_ed448="no"; ENABLED_ED448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED448 -UHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve448" != "yes")],
[enable_curve448="no"; ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE448"])
AS_IF([test "$ENABLED_ED25519_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519_stream" != "yes")],
[enable_ed25519_stream="no"; ENABLED_ED25519_STREAM="no"])
AS_IF([test "$ENABLED_ED448_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448_stream" != "yes")],
[enable_ed448_stream="no"; ENABLED_ED448_STREAM="no"])
AS_IF([test "$ENABLED_ECCCUSTCURVES" != "no" &&
test "$FIPS_VERSION" != "lean-aesgcm-dev"],
[ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "$ENABLED_SHA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha" != "yes")],
[enable_sha="no"; ENABLED_SHA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_SHA"])
AS_IF([test "$ENABLED_SHA256" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha256" != "no")],
[enable_sha256="yes"; ENABLED_SHA256="yes"; AM_CFLAGS="$AM_CFLAGS -UNO_SHA256"])
AS_IF([test "$ENABLED_SHA3" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha3" != "yes")],
[enable_sha3="no"; ENABLED_SHA3="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHA224" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha224" != "yes")],
[enable_sha224="no"; ENABLED_SHA224="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA384" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha384" != "yes")],
[enable_sha384="no"; ENABLED_SHA384="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA384 -UWOLFSSL_SHA384"])
AS_IF([test "$ENABLED_SHA512" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
[enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "$ENABLED_SHAKE128" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
[enable_shake128="no"; ENABLED_SHAKE128="no"])
AS_IF([test "$ENABLED_SHAKE256" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
[enable_shake256="no"; ENABLED_SHAKE256="no"])
AS_IF([test "$ENABLED_MD5" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_md5" != "yes")],
[enable_md5="no"; ENABLED_MD5="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5"])
# Aes section
AS_IF([test "$ENABLED_AESCBC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescbc" != "yes")],
[enable_aescbc="no"; ENABLED_AESCBC="no"; AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"])
AS_IF([test "$ENABLED_AESCCM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesccm" != "yes")],
[enable_aesccm="no"; ENABLED_AESCCM="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesctr" != "yes")],
[enable_aesctr="no"; ENABLED_AESCTR="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_cmac" != "yes")],
[enable_cmac="no"; ENABLED_CMAC="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "$ENABLED_AESOFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesofb" != "yes")],
[enable_aesofb="no"; ENABLED_AESOFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_OFB"])
AS_IF([test "$ENABLED_AESCFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescfb" != "yes")],
[enable_aescfb="no"; ENABLED_AESCFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_CFB"])
AS_IF([test "$ENABLED_AESXTS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts" != "yes")],
[enable_aesxts="no"; ENABLED_AESXTS="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_AESNI" = "yes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts_stream" != "yes")],
[enable_aesxts_stream="no"; ENABLED_AESXTS_STREAM="no"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "$ENABLED_AESKEYWRAP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aeskeywrap" != "yes")],
[enable_aeskeywrap="no"; ENABLED_AESKEYWRAP="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AES_KEYWRAP"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[v5*], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS \
@ -5773,11 +6017,11 @@ AS_CASE([$FIPS_VERSION],
[AC_MSG_WARN([Forcing off srtp-kdf for FIPS ${FIPS_VERSION}.])
ENABLED_SRTP_KDF="no"])
AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" = "yes" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" = "yes" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" = "yes" && test "$HAVE_AESOFB_PORT" != "yes") ||
(test "$ENABLED_AESXTS" = "yes" && test "$HAVE_AESXTS_PORT" != "yes")],
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes") ||
(test "$ENABLED_AESXTS" != "no" && test "$HAVE_AESXTS_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
],
@ -6418,6 +6662,12 @@ if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" =
then
SNI_DEFAULT=yes
fi
if test "$ENABLED_TLS" = "no"
then
SNI_DEFAULT=no
fi
AC_ARG_ENABLE([sni],
[AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
[ ENABLED_SNI=$enableval ],
@ -9013,11 +9263,10 @@ fi
AC_ARG_ENABLE([defaultdhparams],
[AS_HELP_STRING([--enable-defaultdhparams],[Enables option for default dh parameters (default: disabled)])],
[ ENABLED_DHDEFAULTPARAMS=$enableval ],
[ ENABLED_DHDEFAULTPARAMS=yes ]
[ ENABLED_DHDEFAULTPARAMS=$ENABLED_DH ]
)
if test "x$ENABLED_DH" = "xyes" && test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes"
if test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes"
then
ENABLED_DHDEFAULTPARAMS=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS"
fi
@ -10605,6 +10854,7 @@ echo " * MD5: $ENABLED_MD5"
echo " * RIPEMD: $ENABLED_RIPEMD"
echo " * SHA: $ENABLED_SHA"
echo " * SHA-224: $ENABLED_SHA224"
echo " * SHA-256: $ENABLED_SHA256"
echo " * SHA-384: $ENABLED_SHA384"
echo " * SHA-512: $ENABLED_SHA512"
echo " * SHA3: $ENABLED_SHA3"
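Review bot: In the `defaultdhparams` hunk the new guard no longer tests `$ENABLED_DH`, so an explicit `--enable-defaultdhparams` on a build where DH is off (by `--disable-dh`, or because a FIPS flavor such as the new lean-aesgcm case forces `ENABLED_DH="no"`) now appends `-DHAVE_DH_DEFAULT_PARAMS` next to `-DNO_DH`. The changed default `$ENABLED_DH` only covers the case where the option is not given. Rejecting the combination would match the SHA224/SHA256 check added in this same commit, for example `AC_MSG_ERROR([Enabling default DH parameters requires enabling DH.])` when `$ENABLED_DHDEFAULTPARAMS` is `yes` and `$ENABLED_DH` is `no`. Whether the C sources tolerate the macro without DH is not visible on this page.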


@ -3634,9 +3634,9 @@ static void* benchmarks_do(void* args)
bench_scrypt();
#endif
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(WC_NO_RNG)
#ifndef HAVE_RENESAS_SYNC
#ifdef WOLFSSL_KEY_GEN
#if defined(WOLFSSL_KEY_GEN)
if (bench_all || (bench_asym_algs & BENCH_RSA_KEYGEN)) {
#ifndef NO_SW_BENCH
if (((word32)bench_asym_algs == 0xFFFFFFFFU) ||
@ -3656,7 +3656,7 @@ static void* benchmarks_do(void* args)
}
#endif
}
#endif
#endif /* WOLFSSL_KEY_GEN */
if (bench_all || (bench_asym_algs & BENCH_RSA)) {
#ifndef NO_SW_BENCH
bench_rsa(0);
@ -3677,9 +3677,9 @@ static void* benchmarks_do(void* args)
}
#endif
#endif
#endif
#endif /* !NO_RSA && !WC_NO_RNG */
#ifndef NO_DH
#if !defined(NO_DH) && !defined(WC_NO_RNG)
if (bench_all || (bench_asym_algs & BENCH_DH)) {
#ifndef NO_SW_BENCH
bench_dh(0);
@ -3761,7 +3761,7 @@ static void* benchmarks_do(void* args)
#endif
#endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) && !defined(WC_NO_RNG)
if (bench_all || (bench_asym_algs & BENCH_ECC_MAKEKEY) ||
(bench_asym_algs & BENCH_ECC) ||
(bench_asym_algs & BENCH_ECC_ALL) ||
@ -9370,7 +9370,7 @@ exit:
#endif /* !NO_RSA */
#ifndef NO_DH
#if !defined(NO_DH) && !defined(WC_NO_RNG)
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
!defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
@ -9650,7 +9650,7 @@ exit:
WC_FREE_VAR(priv2, HEAP_HINT);
WC_FREE_ARRAY(agree, BENCH_MAX_PENDING, HEAP_HINT);
}
#endif /* !NO_DH */
#endif /* !NO_DH && !WC_NO_RNG */
#ifdef WOLFSSL_HAVE_MLKEM
static void bench_mlkem_keygen(int type, const char* name, int keySize,
@ -11047,7 +11047,7 @@ void bench_xmss(int hash)
}
#endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) && !defined(WC_NO_RNG)
/* Maximum ECC name plus null terminator:
* "ECC [%15s]" and "ECDHE [%15s]" and "ECDSA [%15s]" */
@ -11940,7 +11940,7 @@ exit:
(void)name;
}
#endif /* WOLFSSL_SM2 */
#endif /* HAVE_ECC */
#endif /* HAVE_ECC && && !defined(WC_NO_RNG) */
#ifdef HAVE_CURVE25519
void bench_curve25519KeyGen(int useDeviceID)
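Review bot: The closing comment of the ECC block reads `#endif /* HAVE_ECC && && !defined(WC_NO_RNG) */`, with a doubled `&&` and a different form from the other guards edited here; `#endif /* HAVE_ECC && !WC_NO_RNG */` would match `/* !NO_DH && !WC_NO_RNG */`. Separately, the RSA bench definitions still end at `#endif /* !NO_RSA */`, while their call sites in benchmarks_do() are now compiled out under WC_NO_RNG. Gating the definitions the same way as the DH and ECC ones would keep the file consistent, though their bodies lie outside the hunks, so whether they build without an RNG is not confirmed here.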


@ -455,10 +455,12 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
#if defined(WOLFSSL_AES_256)
case PBE_AES256_CBC:
switch(shaOid) {
#ifndef NO_SHA256
case HMAC_SHA256_OID:
typeH = WC_SHA256;
derivedLen = 32;
break;
#endif
#ifndef NO_SHA
default:
typeH = WC_SHA;
@ -471,10 +473,12 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
#if defined(WOLFSSL_AES_128)
case PBE_AES128_CBC:
switch(shaOid) {
#ifndef NO_SHA256
case HMAC_SHA256_OID:
typeH = WC_SHA256;
derivedLen = 16;
break;
#endif
#ifndef NO_SHA
default:
typeH = WC_SHA;
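Review bot: With NO_SHA256 defined and SHA-1 still enabled, `HMAC_SHA256_OID` loses its own label in both inner `switch(shaOid)` blocks (PBE_AES256_CBC and PBE_AES128_CBC), so it lands in `default:` and selects `WC_SHA`. A caller that names a SHA-256 PRF would then get a key derived with SHA-1 instead of a clear "not compiled in" failure, which is a silent algorithm substitution. I would keep the label under an `#else`, i.e. `#else` followed by `case HMAC_SHA256_OID:`, and have it set the function's error result before `break;`, using whatever error and cleanup path wc_CryptKey() already has outside these hunks. When NO_SHA is defined as well, the switch has no labels at all and typeH and derivedLen keep their earlier values; how the code after the switch handles that is not visible here.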


@ -19565,7 +19565,7 @@ static wc_test_ret_t rsa_export_key_test(RsaKey* key)
}
#endif /* !HAVE_FIPS && !NO_ASN && !WOLFSSL_RSA_VERIFY_ONLY */
#ifndef NO_SIG_WRAPPER
#if !defined(NO_SIG_WRAPPER) && !defined(NO_SHA256)
static wc_test_ret_t rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng)
{
wc_test_ret_t ret;
@ -19753,7 +19753,7 @@ static wc_test_ret_t rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG
return 0;
}
#endif /* !NO_SIG_WRAPPER */
#endif /* !NO_SIG_WRAPPER && !NO_SHA256 */
#ifdef WC_RSA_NONBLOCK
static wc_test_ret_t rsa_nb_test(RsaKey* key, const byte* in, word32 inLen, byte* out,
@ -22109,10 +22109,12 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
#endif
#ifndef NO_SIG_WRAPPER
#if !defined(NO_SIG_WRAPPER) && !defined(NO_SHA256)
ret = rsa_sig_test(key, sizeof *key, modLen, &rng);
if (ret != 0)
goto exit_rsa;
#else
(void)modLen;
#endif
#ifdef WC_RSA_NONBLOCK
@ -27063,7 +27065,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t scrypt_test(void)
}
#endif
#ifdef HAVE_PKCS12
#if defined(HAVE_PKCS12) && !defined(NO_SHA256)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_pbkdf_test(void)
{
WOLFSSL_SMALL_STACK_STATIC const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67,
@ -27117,7 +27119,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_pbkdf_test(void)
return 0;
}
#endif /* HAVE_PKCS12 */
#endif /* HAVE_PKCS12 && !NO_SHA256 */
#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pbkdf2_test(void)
@ -27196,7 +27198,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pwdbased_test(void)
if (ret != 0)
return ret;
#endif
#ifdef HAVE_PKCS12
#if defined(HAVE_PKCS12) && !defined(NO_SHA256)
ret = pkcs12_pbkdf_test();
if (ret != 0)
return ret;


@ -40,15 +40,19 @@ This library provides big integer math functions.
#endif
#if defined(USE_FAST_MATH)
#if defined(NO_BIG_INT)
/* MPI globally disabled -- no PK algorithms supported. */
#elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
#include <wolfssl/wolfcrypt/sp_int.h>
#elif defined(USE_FAST_MATH)
#include <wolfssl/wolfcrypt/tfm.h>
#elif defined(USE_INTEGER_HEAP_MATH)
#include <wolfssl/wolfcrypt/integer.h>
#else
#include <wolfssl/wolfcrypt/sp_int.h>
#error No MPI back end active, and NO_BIG_INT is not defined.
#endif
#if !defined(NO_BIG_INT) || defined(WOLFSSL_SP_MATH)
#if !defined(NO_BIG_INT)
#include <wolfssl/wolfcrypt/random.h>
#endif
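Review bot: The new chain gives NO_BIG_INT priority over every backend macro, so a configuration that defines both NO_BIG_INT and WOLFSSL_SP_MATH now gets neither sp_int.h nor random.h, where the old code included both. Backend selection also changes when several gates are set, since SP math is now tested before USE_FAST_MATH. A conflicting setup should fail loudly instead of silently dropping the MPI header, for example `#if defined(NO_BIG_INT) && (defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH) || defined(USE_FAST_MATH) || defined(USE_INTEGER_HEAP_MATH))` followed by `#error NO_BIG_INT conflicts with an enabled MPI back end.`. The new `#error` in the final `#else` will also stop user_settings.h builds that relied on the old sp_int.h fallback, unless a default is set elsewhere, which is not visible in this hunk. A short comment above the chain stating the precedence would help people porting existing settings.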