diff --git a/configure.ac b/configure.ac index 684232f3a..2e1004558 100644 --- a/configure.ac +++ b/configure.ac @@ -472,7 +472,8 @@ then fi # Enable DH const table speedups (eliminates `-lm` math lib dependency) - AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072" + DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096 # Enable multiple attribute additions such as DC AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" @@ -581,7 +582,8 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD" # Enable DH const table speedups (eliminates `-lm` math lib dependency) - AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072" + DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096 # Enable multiple attribute additions such as DC AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" @@ -1062,7 +1064,8 @@ fi if test "$ENABLED_BUMP" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DWOLFSSL_CERT_GEN -DWOLFSSL_KEY_GEN -DHUGE_SESSION_CACHE -DFP_MAX_BITS=8192 -DWOLFSSL_DER_LOAD -DWOLFSSL_ALT_NAMES -DWOLFSSL_TEST_CERT" + AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DWOLFSSL_CERT_GEN -DWOLFSSL_KEY_GEN -DHUGE_SESSION_CACHE -DWOLFSSL_DER_LOAD -DWOLFSSL_ALT_NAMES -DWOLFSSL_TEST_CERT" + DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096 fi ENABLED_SLOWMATH="yes" 
@@ -4328,11 +4331,11 @@ if test "$ENABLED_HAPROXY" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT" - # --enable-all defines its own FP_MAX_BITS - if test "$ENABLED_ALL" != "yes" - then - AM_CFLAGS="$AM_CFLAGS -DFP_MAX_BITS=16384" - fi + # --enable-all defines its own DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS + if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" + then + DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192 + fi # Requires opensslextra and opensslall if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then @@ -4340,26 +4343,26 @@ then ENABLED_OPENSSLEXTRA="yes" AM_CFLAGS="-DOPENSSL_EXTRA -DOPENSSL_ALL $AM_CFLAGS" fi - + if test "x$ENABLED_CERTGEN" = "xno" then ENABLED_CERTGEN="yes" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN" fi - + if test "x$ENABLED_CERTREQ" = "xno" then ENABLED_CERTREQ="yes" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ" fi - + # Requires sessioncerts make sure on if test "x$ENABLED_SESSIONCERTS" = "xno" then ENABLED_SESSIONCERTS="yes" AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS" fi - + fi if test "$ENABLED_SIGNAL" = "yes" @@ -4520,7 +4523,7 @@ then # Requires Secure Renegotiation if test "x$ENABLED_SECURE_RENEGOTIATION" = "xno" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO" + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO" fi fi @@ -4705,7 +4708,7 @@ AC_ARG_ENABLE([libest], [ ENABLED_LIBEST=$enableval ], [ ENABLED_LIBEST=no ] ) - + if test "$ENABLED_LIBEST" = "yes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DHAVE_LIBEST -DWOLFSSL_ALT_NAMES" @@ -4727,13 +4730,13 @@ then ENABLED_OCSP="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" fi - + # Requires PKCS7 if test "x$ENABLED_PKCS7" = "xno" then ENABLED_PKCS7="yes" fi - + # Requires Certificate Generation and Request if test "x$ENABLED_CERTGEN" = "xno" then 
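Review bot: The `test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"` guard in the HAProxy block lets any earlier default suppress the 8192 requested here, including a smaller one, whereas the removed code deferred only to `--enable-all`. This commit also sets 4096 under `ENABLED_BUMP`, so that option combined with HAProxy presumably ends up sized for 4096-bit keys where it used to get `-DFP_MAX_BITS=16384`. If HAProxy needs 8192, raise instead of defaulting: `if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" || test "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -lt 8192`. If only `--enable-all` is meant to win, keep the explicit `$ENABLED_ALL` test, and update the comment to match either way.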
@@ -4750,34 +4753,34 @@ then ENABLED_CERTEXT="yes" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT" fi - + # Requires CRL if test "x$ENABLED_CRL" = "xno" then ENABLED_CRL="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL" fi - - if test "x$ENABLED_SRP" = "xno" - then + + if test "x$ENABLED_SRP" = "xno" + then ENABLED_SRP="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP" - fi - + AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP" + fi + # Enable prereqs if not already enabled if test "x$ENABLED_KEYGEN" = "xno" then ENABLED_KEYGEN="yes" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN" fi - + # Requires sessioncerts make sure on if test "x$ENABLED_SESSIONCERTS" = "xno" then ENABLED_SESSIONCERTS="yes" AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS" fi - + if test "x$ENABLED_DSA" = "xno" then AC_MSG_WARN([Enabling DSA with --enable-dsa is recommended for libest]) @@ -5511,7 +5514,10 @@ do AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_LARGE_COMBA" ;; 256 | 384 | 521 | 1024 | 2048 | 3072 | 4096) - AM_CFLAGS="$AM_CFLAGS -DSP_INT_BITS=$v" + if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -o "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -lt "$v" + then + DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS="$v" + fi ENABLED_SP_MATH_ALL="yes" ;; nomalloc) 
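Review bot: The 256, 384, 521 and 1024 values share the `case` arm changed in the `@@ -5511` hunk, so they now land in `DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS`, which the later `--with-max-rsa-bits` hunk uses as its default and rejects below 1024, and `-DSP_INT_BITS` is only emitted there above 1024. A request for a small SP integer size therefore looks likely to end in the `--with-max-rsa-bits` range error or in no `SP_INT_BITS` at all, where the removed line passed `-DSP_INT_BITS=$v` straight through. Separately, the `-z … -o … -lt "$v"` test hands an empty string to `-lt` when the variable is unset, and shells differ on whether that is an error; `if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" || test "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -lt "$v"` avoids it. The same `-o`/`-a` form appears in the range checks of the `--with-max-rsa-bits` / `--with-max-ecc-bits` hunk. The enclosing `case` starts and ends outside this hunk.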
@@ -6020,6 +6026,62 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS" fi + +AC_ARG_WITH([max-rsa-bits], + [AS_HELP_STRING([--with-max-rsa-bits=number],[number of bits to support for RSA, DH, and DSA keys])], + [WITH_MAX_CLASSIC_ASYM_KEY_BITS=$withval], + [WITH_MAX_CLASSIC_ASYM_KEY_BITS="$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"]) + +if test -n "$WITH_MAX_CLASSIC_ASYM_KEY_BITS"; then + if test "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -lt 1024 -o "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -gt 16384; then + AC_MSG_ERROR([--with-max-rsa-bits argument must be between 1024 and 16384 inclusive]) + fi + AM_CFLAGS="$AM_CFLAGS -DRSA_MAX_SIZE=$WITH_MAX_CLASSIC_ASYM_KEY_BITS" + MPI_MAX_KEY_BITS=$WITH_MAX_CLASSIC_ASYM_KEY_BITS +fi + +AC_ARG_WITH([max-ecc-bits], + [AS_HELP_STRING([--with-max-ecc-bits=number],[number of bits to support for ECC algorithms])], + [WITH_MAX_ECC_BITS=$withval], + [WITH_MAX_ECC_BITS="$DEFAULT_MAX_ECC_BITS"]) + +if test -n "$WITH_MAX_ECC_BITS"; then + if test "$WITH_MAX_ECC_BITS" -lt 112 -o "$WITH_MAX_ECC_BITS" -gt 1024; then + AC_MSG_ERROR([--with-max-ecc-bits argument must be between 112 and 1024 inclusive]) + fi + AM_CFLAGS="$AM_CFLAGS -DMAX_ECC_BITS=$WITH_MAX_ECC_BITS" +fi + +if test -n "$MPI_MAX_KEY_BITS" -o -n "$WITH_MAX_ECC_BITS"; then + if test -n "$MAX_MPI_KEY_BITS" -a -n "$WITH_MAX_ECC_BITS"; then + if test -n "$MAX_MPI_KEY_BITS" -lt "$WITH_MAX_ECC_BITS"; then + MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS" + fi + elif test -n "$WITH_MAX_ECC_BITS"; then + MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS" + fi + if test "$MPI_MAX_KEY_BITS" -gt 1024; then + AM_CFLAGS="$AM_CFLAGS -DFP_MAX_BITS=$((MPI_MAX_KEY_BITS * 2)) -DSP_INT_BITS=$MPI_MAX_KEY_BITS" + fi +fi + + +AC_ARG_ENABLE([context-extra-user-data], + [AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])], + [ ENABLED_EX_DATA=$enableval ], + [ ENABLED_EX_DATA=no ] + ) +case 
"$ENABLED_EX_DATA" in +no) ;; +yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" + ;; +[[1-9]]|[[1-9]][[0-9]]) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA" + ;; +*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 99]) + ;; +esac + + # User Settings AC_ARG_ENABLE([usersettings], [AS_HELP_STRING([--enable-usersettings],[Use your own user_settings.h and do not add Makefile CFLAGS (default: disabled)])], diff --git a/tests/api.c b/tests/api.c index 4421e6f25..da02a769c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35767,8 +35767,8 @@ static void test_wolfSSL_RSA(void) */ AssertNull(RSA_generate_key(-1, 3, NULL, NULL)); - AssertNull(RSA_generate_key(511, 3, NULL, NULL)); /* RSA_MIN_SIZE - 1 */ - AssertNull(RSA_generate_key(4097, 3, NULL, NULL)); /* RSA_MAX_SIZE + 1 */ + AssertNull(RSA_generate_key(RSA_MIN_SIZE - 1, 3, NULL, NULL)); + AssertNull(RSA_generate_key(RSA_MAX_SIZE + 1, 3, NULL, NULL)); AssertNull(RSA_generate_key(2048, 0, NULL, NULL)); @@ -46004,7 +46004,7 @@ static void test_wolfSSL_DH(void) #endif /* OPENSSL_EXTRA && !NO_DH */ } -static void test_wolfSSL_ERR_strings() +static void test_wolfSSL_ERR_strings(void) { const char* err1 = "unsupported cipher suite"; const char* err2 = "wolfSSL PEM routines"; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 29039b702..bfdb605c8 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1195,8 +1195,8 @@ enum { #if (WOLFSSL_MAX_DHKEY_BITS % 8) #error DH maximum bit size must be multiple of 8 #endif -#if (WOLFSSL_MAX_DHKEY_BITS > 16000) - #error DH maximum bit size must not be greater than 16000 +#if (WOLFSSL_MAX_DHKEY_BITS > 16384) + #error DH maximum bit size must not be greater than 16384 #endif #define MAX_DHKEY_SZ (WOLFSSL_MAX_DHKEY_BITS / 8) diff --git a/wolfssl/test.h b/wolfssl/test.h index 7d72319ad..d897a11e3 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h 
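Review bot: The reconciliation block after the `--with-max-ecc-bits` check in the `@@ -6020` hunk tests `$MAX_MPI_KEY_BITS`, but the variable assigned above it is `MPI_MAX_KEY_BITS`. As far as this hunk shows, the misspelled name is never set, so the first branch cannot be taken and the `elif` replaces the RSA/DH/DSA size with the ECC size whenever `--with-max-ecc-bits` is given. With, say, 4096 and 521, `-DRSA_MAX_SIZE=4096` is still emitted while `FP_MAX_BITS` and `SP_INT_BITS` are not, so the big-integer size falls back to whatever the headers default to. The inner comparison is also malformed (`test -n … -lt …`); the two lines should read `if test -n "$MPI_MAX_KEY_BITS" && test -n "$WITH_MAX_ECC_BITS"; then` and `if test "$MPI_MAX_KEY_BITS" -lt "$WITH_MAX_ECC_BITS"; then`. In addition, a non-numeric `$withval` makes the range `test` fail with an error status rather than trigger `AC_MSG_ERROR`, so the value reaches `-DRSA_MAX_SIZE=` / `-DMAX_ECC_BITS=` unchecked; a digits-only `case` check before the range tests would close that.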
@@ -1235,14 +1235,14 @@ static WC_INLINE int wolfsentry_store_endpoints( wolfsentry_data->remote.sa_family = wolfsentry_data->local.sa_family = remote->sin6_family; wolfsentry_data->remote.sa_port = ntohs(remote->sin6_port); wolfsentry_data->local.sa_port = ntohs(local->sin6_port); - if (WOLFSENTRY_CHECK_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) { + if (WOLFSENTRY_MASKIN_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) { wolfsentry_data->remote.addr_len = 0; XMEMSET(wolfsentry_data->remote.addr, 0, sizeof remote->sin6_addr); } else { wolfsentry_data->remote.addr_len = sizeof remote->sin6_addr * BITS_PER_BYTE; XMEMCPY(wolfsentry_data->remote.addr, &remote->sin6_addr, sizeof remote->sin6_addr); } - if (WOLFSENTRY_CHECK_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD)) { + if (WOLFSENTRY_MASKIN_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD)) { wolfsentry_data->local.addr_len = 0; XMEMSET(wolfsentry_data->local.addr, 0, sizeof local->sin6_addr); } else { 
@@ -1256,14 +1256,14 @@ static WC_INLINE int wolfsentry_store_endpoints( wolfsentry_data->remote.sa_family = wolfsentry_data->local.sa_family = remote->sin_family; wolfsentry_data->remote.sa_port = ntohs(remote->sin_port); wolfsentry_data->local.sa_port = ntohs(local->sin_port); - if (WOLFSENTRY_CHECK_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) { + if (WOLFSENTRY_MASKIN_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) { wolfsentry_data->remote.addr_len = 0; XMEMSET(wolfsentry_data->remote.addr, 0, sizeof remote->sin_addr); } else { wolfsentry_data->remote.addr_len = sizeof remote->sin_addr * BITS_PER_BYTE; XMEMCPY(wolfsentry_data->remote.addr, &remote->sin_addr, sizeof remote->sin_addr); } - if (WOLFSENTRY_CHECK_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD)) { + if (WOLFSENTRY_MASKIN_BITS(flags, WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD)) { wolfsentry_data->local.addr_len = 0; XMEMSET(wolfsentry_data->local.addr, 0, sizeof local->sin_addr); } else { @@ -1315,9 +1315,9 @@ static int wolfSentry_NetworkFilterCallback( &action_results); if (ret >= 0) { - if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) + if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) *decision = WOLFSSL_NETFILTER_REJECT; - else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) + else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) *decision = WOLFSSL_NETFILTER_ACCEPT; else *decision = WOLFSSL_NETFILTER_PASS; @@ -1423,7 +1423,7 @@ static int wolfsentry_setup( if (ret < 0) return ret; - if (WOLFSENTRY_CHECK_BITS(route_flags, WOLFSENTRY_ROUTE_FLAG_DIRECTION_OUT)) { + if (WOLFSENTRY_MASKIN_BITS(route_flags, WOLFSENTRY_ROUTE_FLAG_DIRECTION_OUT)) { struct { struct wolfsentry_sockaddr sa; byte buf[16]; 
@@ -1472,7 +1472,7 @@ static int wolfsentry_setup( WOLFSENTRY_ERROR_FMT_ARGS(ret)); return ret; } - } else if (WOLFSENTRY_CHECK_BITS(route_flags, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN)) { + } else if (WOLFSENTRY_MASKIN_BITS(route_flags, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN)) { struct { struct wolfsentry_sockaddr sa; byte buf[16]; @@ -1580,9 +1580,9 @@ static WC_INLINE int tcp_connect_with_wolfSentry( WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); decision = WOLFSSL_NETFILTER_PASS; } else { - if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) + if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) decision = WOLFSSL_NETFILTER_REJECT; - else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) + else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) decision = WOLFSSL_NETFILTER_ACCEPT; else decision = WOLFSSL_NETFILTER_PASS; diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index a0de8df6b..16b5d96df 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h 
@@ -86,31 +86,40 @@ /* Determine max ECC bits based on enabled curves */ #if defined(WOLFCRYPT_HAVE_SAKKE) - #define MAX_ECC_BITS 1024 + #define MAX_ECC_BITS_NEEDED 1024 #elif defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #define MAX_ECC_BITS 521 + #define MAX_ECC_BITS_NEEDED 521 #elif defined(HAVE_ECC512) - #define MAX_ECC_BITS 512 + #define MAX_ECC_BITS_NEEDED 512 #elif defined(HAVE_ECC384) - #define MAX_ECC_BITS 384 + #define MAX_ECC_BITS_NEEDED 384 #elif defined(HAVE_ECC320) - #define MAX_ECC_BITS 320 + #define MAX_ECC_BITS_NEEDED 320 #elif !defined(NO_ECC256) - #define MAX_ECC_BITS 256 + #define MAX_ECC_BITS_NEEDED 256 #elif defined(HAVE_ECC239) - #define MAX_ECC_BITS 239 + #define MAX_ECC_BITS_NEEDED 239 #elif defined(HAVE_ECC224) - #define MAX_ECC_BITS 224 + #define MAX_ECC_BITS_NEEDED 224 #elif defined(HAVE_ECC192) - #define MAX_ECC_BITS 192 + #define MAX_ECC_BITS_NEEDED 192 #elif defined(HAVE_ECC160) - #define MAX_ECC_BITS 160 + #define MAX_ECC_BITS_NEEDED 160 #elif defined(HAVE_ECC128) - #define MAX_ECC_BITS 128 + #define MAX_ECC_BITS_NEEDED 128 #elif defined(HAVE_ECC112) - #define MAX_ECC_BITS 112 + #define MAX_ECC_BITS_NEEDED 112 #endif +#ifndef MAX_ECC_BITS + #define MAX_ECC_BITS MAX_ECC_BITS_NEEDED +#else + #if MAX_ECC_BITS_NEEDED > MAX_ECC_BITS + #error configured MAX_ECC_BITS is less than required by enabled curves. + #endif +#endif + + /* calculate max ECC bytes */ #if ((MAX_ECC_BITS * 2) % 8) == 0 #define MAX_ECC_BYTES (MAX_ECC_BITS / 8) diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index 76fe046da..ad6db4f80 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -94,10 +94,13 @@ RSA keys can be used to encrypt, decrypt, sign and verify data. extern "C" { #endif -enum { - RSA_MIN_SIZE = 512, - RSA_MAX_SIZE = 4096, -}; +#ifndef RSA_MIN_SIZE +#define RSA_MIN_SIZE 512 +#endif + +#ifndef RSA_MAX_SIZE +#define RSA_MAX_SIZE 4096 +#endif /* avoid redefinition of structs */ #if !defined(HAVE_FIPS) || \ 
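Review bot: In the rsa.h hunk, `RSA_MIN_SIZE` and `RSA_MAX_SIZE` become overridable, but nothing checks an override against the other bound, unlike the `#error` the ecc.h hunk adds for `MAX_ECC_BITS`. configure range-checks `--with-max-rsa-bits`, but a build that defines these macros itself (the `--enable-usersettings` path, for example) never passes through that check. A guard after the two defaults would catch an inverted pair at compile time: `#if RSA_MAX_SIZE < RSA_MIN_SIZE`, `#error RSA_MAX_SIZE must not be less than RSA_MIN_SIZE`, `#endif`. Whether the configured maximum also fits the math backend's integer size is not visible from this hunk; a similar check would be worth adding where those limits are defined.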
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 5c62e5758..d85af55e6 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2412,7 +2412,9 @@ extern void uITRON4_free(void *p) ; #endif #if defined(HAVE_EX_DATA) || defined(FORTRESS) + #ifndef MAX_EX_DATA #define MAX_EX_DATA 5 /* allow for five items of ex_data */ + #endif #endif #ifdef NO_WOLFSSL_SMALL_STACK