diff --git a/configure.ac b/configure.ac index e8be4a18d..a78430fed 100644 --- a/configure.ac +++ b/configure.ac @@ -578,7 +578,11 @@ AC_ARG_ENABLE([harden], if test "$ENABLED_HARDEN" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING" + AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT" + if test "$ENABLED_RNG" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_BLINDING" + fi else AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN" fi diff --git a/examples/client/client.c b/examples/client/client.c index 12462269f..faf425f0d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -510,6 +510,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, else { err_sys("wc_InitRng failed"); } + (void)rng; /* for WC_NO_RNG case */ } else { err_sys("Client buffer malloc failed"); diff --git a/src/ssl.c b/src/ssl.c index 1c55d0d84..b31d21903 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -95,7 +95,6 @@ #if defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256) \ && !defined(WC_NO_RNG) #include - #include #endif #endif @@ -21845,11 +21844,6 @@ int wolfSSL_RAND_write_file(const char* fname) #include #endif -/* at compile time check for HASH DRBG and throw warning if not found */ -#ifndef HAVE_HASHDRBG - #warning HAVE_HASHDRBG is needed for wolfSSL_RAND_egd to seed -#endif - /* This collects entropy from the path nm and seeds the global PRNG with it. * Makes a call to wolfSSL_RAND_Init which is not thread safe. * @@ -21859,7 +21853,8 @@ int wolfSSL_RAND_write_file(const char* fname) */ int wolfSSL_RAND_egd(const char* nm) { -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) +#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \ + defined(HAVE_HASHDRBG) struct sockaddr_un rem; int fd; int ret = WOLFSSL_SUCCESS; @@ -21993,13 +21988,13 @@ int wolfSSL_RAND_egd(const char* nm) else { return ret; } -#else /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !HAVE_FIPS */ +#else WOLFSSL_MSG("Type of socket needed is not available"); - WOLFSSL_MSG("\tor using FIPS mode where RNG API is not available"); + WOLFSSL_MSG("\tor using mode where DRBG API is not available"); (void)nm; return WOLFSSL_FATAL_ERROR; -#endif /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) */ +#endif /* USE_WOLFSSL_IO && !USE_WINDOWS_API && !HAVE_FIPS && HAVE_HASHDRBG */ } #endif /* !FREERTOS_TCP */ diff --git a/tests/api.c b/tests/api.c index 7e3623a87..c29f97b83 100644 --- a/tests/api.c +++ b/tests/api.c @@ -12773,7 +12773,7 @@ static int test_wc_ecc_make_key (void) { int ret = 0; -#if defined(HAVE_ECC) +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) WC_RNG rng; ecc_key key; @@ -12853,7 +12853,7 @@ static int test_wc_ecc_check_key (void) { int ret = 0; -#if defined(HAVE_ECC) +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) WC_RNG rng; ecc_key key; @@ -12900,7 +12900,7 @@ static int test_wc_ecc_size (void) { int ret = 0; -#if defined(HAVE_ECC) +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) WC_RNG rng; ecc_key key; @@ -12946,7 +12946,7 @@ static int test_wc_ecc_signVerify_hash (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && !defined(NO_ASN) +#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && !defined(NO_ASN) && !defined(WC_NO_RNG) WC_RNG rng; ecc_key key; int signH = WOLFSSL_FATAL_ERROR; @@ -13056,7 +13056,7 @@ static int test_wc_ecc_shared_secret (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) +#if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) ecc_key key, pubKey; WC_RNG rng; int keySz = KEY16; @@ -13123,7 +13123,7 @@ static int test_wc_ecc_export_x963 (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; byte out[ECC_ASN963_MAX_BUF_SZ]; @@ -13185,7 +13185,7 @@ static int test_wc_ecc_export_x963_ex (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; byte out[ECC_ASN963_MAX_BUF_SZ]; @@ -13284,7 +13284,7 @@ static int test_wc_ecc_import_x963 (void) int ret = 0; #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_IMPORT) && \ - defined(HAVE_ECC_KEY_EXPORT) + defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key pubKey, key; WC_RNG rng; byte x963[ECC_ASN963_MAX_BUF_SZ]; @@ -13348,7 +13348,7 @@ static int ecc_import_private_key (void) int ret = 0; #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_IMPORT) && \ - defined(HAVE_ECC_KEY_EXPORT) + defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key key, keyImp; WC_RNG rng; byte privKey[ECC_PRIV_KEY_BUF]; /* Raw private key.*/ @@ -13419,7 +13419,7 @@ static int test_wc_ecc_export_private_only (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; byte out[ECC_PRIV_KEY_BUF]; @@ -13616,7 +13616,7 @@ static int test_wc_ecc_sig_size (void) { int ret = 0; -#ifdef HAVE_ECC +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; int keySz = KEY16; @@ -13657,7 +13657,7 @@ static int test_wc_ecc_ctx_new (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && !defined(WC_NO_RNG) WC_RNG rng; ecEncCtx* cli = NULL; ecEncCtx* srv = NULL; @@ -13708,7 +13708,7 @@ static int test_wc_ecc_ctx_reset (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && !defined(WC_NO_RNG) ecEncCtx* ctx = NULL; WC_RNG rng; @@ -13757,7 +13757,7 @@ static int test_wc_ecc_ctx_set_peer_salt (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && !defined(WC_NO_RNG) WC_RNG rng; ecEncCtx* cliCtx = NULL; ecEncCtx* servCtx = NULL; @@ -13829,7 +13829,7 @@ static int test_wc_ecc_ctx_set_info (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && !defined(WC_NO_RNG) ecEncCtx* ctx = NULL; WC_RNG rng; const char* optInfo = "Optional Test Info."; @@ -13881,7 +13881,8 @@ static int test_wc_ecc_encryptDecrypt (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128) \ + && !defined(WC_NO_RNG) ecc_key srvKey, cliKey; WC_RNG rng; const char* msg = "EccBlock Size 16"; @@ -14026,7 +14027,7 @@ static int test_wc_ecc_pointFns (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; ecc_point* point = NULL; @@ -14200,7 +14201,7 @@ static int test_wc_ecc_shared_secret_ssh (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) +#if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) ecc_key key, key2; WC_RNG rng; int keySz = KEY32; @@ -14282,7 +14283,8 @@ static int test_wc_ecc_verify_hash_ex (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && defined(WOLFSSL_PUBLIC_MP) +#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && defined(WOLFSSL_PUBLIC_MP) \ + && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; mp_int r; @@ -14411,7 +14413,7 @@ static int test_wc_ecc_mulmod (void) { int ret = 0; -#if defined(HAVE_ECC) && \ +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) && \ !(defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)) ecc_key key1, key2, key3; WC_RNG rng; @@ -14492,7 +14494,7 @@ static int test_wc_ecc_is_valid_idx (void) { int ret = 0; -#if defined(HAVE_ECC) +#if defined(HAVE_ECC) && !defined(WC_NO_RNG) ecc_key key; WC_RNG rng; int iVal = -2; @@ -20897,6 +20899,9 @@ static int test_wc_RNG_GenerateBlock(void) wc_FreeRng(&rng); + (void)rng; /* for WC_NO_RNG case */ + (void)key; + return ret; } #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 075879c5b..01bc370a9 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2690,6 +2690,9 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, (void)curveOID; (void)oidSz; + (void)tmpIdx; + (void)keySz; + (void)heap; return 1; } @@ -2927,6 +2930,8 @@ int UnTraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz, sz = SetSequence(totalSz, out); XMEMMOVE(out + sz, out + MAX_SEQ_SZ, totalSz); + (void)rng; + return totalSz + sz; } @@ -3275,6 +3280,8 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif + (void)rng; + return totalSz; } diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index ce7eecc8b..e6603889d 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -957,9 +957,9 @@ static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, { int ret; -#ifndef WC_NO_RNG switch (padType) { +#ifndef WC_NO_RNG case WC_RSA_PKCSV15_PAD: /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/ ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen, @@ -981,6 +981,7 @@ static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, hType, mgf, saltLen, bits, heap); break; #endif +#endif /* !WC_NO_RNG */ #ifdef WC_RSA_NO_PADDING case WC_RSA_NO_PAD: @@ -1003,9 +1004,6 @@ static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, WOLFSSL_MSG("Unknown RSA Pad Type"); ret = RSA_PAD_E; } -#else - ret = NOT_COMPILED_IN; -#endif /* silence warning if not used with padding scheme */ (void)input; diff --git a/wolfssl/test.h b/wolfssl/test.h index 0a8849c6b..3a540041a 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -2858,6 +2858,7 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num) tempfn[len] = '\0'; wc_FreeRng(&rng); + (void)rng; /* for WC_NO_RNG case */ return tempfn; } @@ -2969,10 +2970,12 @@ static WC_INLINE word16 GetRandomPort(void) /* Generate random port for testing */ WC_RNG rng; if (wc_InitRng(&rng) == 0) { - wc_RNG_GenerateBlock(&rng, (byte*)&port, sizeof(port)); - port |= 0xC000; /* Make sure its in the 49152 - 65535 range */ + if (wc_RNG_GenerateBlock(&rng, (byte*)&port, sizeof(port)) == 0) { + port |= 0xC000; /* Make sure its in the 49152 - 65535 range */ + } wc_FreeRng(&rng); } + (void)rng; /* for WC_NO_RNG case */ return port; } diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h index 0d8db723c..b95d410d6 100644 --- a/wolfssl/wolfcrypt/random.h +++ b/wolfssl/wolfcrypt/random.h @@ -66,8 +66,8 @@ #endif /* make sure Hash DRBG is enabled, unless WC_NO_HASHDRBG is defined - or CUSTOM_RAND_GENERATE_BLOCK is defined*/ -#if !defined(WC_NO_HASHDRBG) || !defined(CUSTOM_RAND_GENERATE_BLOCK) + or CUSTOM_RAND_GENERATE_BLOCK is defined */ +#if !defined(WC_NO_HASHDRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK) #undef HAVE_HASHDRBG #define HAVE_HASHDRBG #ifndef WC_RESEED_INTERVAL @@ -106,7 +106,9 @@ #include #elif defined(HAVE_WNR) /* allow whitewood as direct RNG source using wc_GenerateSeed directly */ -#else +#elif defined(HAVE_INTEL_RDRAND) + /* Intel RDRAND or RDSEED */ +#elif !defined(WC_NO_RNG) #error No RNG source defined! #endif @@ -188,13 +190,14 @@ WOLFSSL_API int wc_RNG_GenerateBlock(WC_RNG*, byte*, word32 sz); WOLFSSL_API int wc_RNG_GenerateByte(WC_RNG*, byte*); WOLFSSL_API int wc_FreeRng(WC_RNG*); #else +#include #define wc_InitRng(rng) NOT_COMPILED_IN #define wc_InitRng_ex(rng, h, d) NOT_COMPILED_IN #define wc_InitRngNonce(rng, n, s) NOT_COMPILED_IN #define wc_InitRngNonce_ex(rng, n, s, h, d) NOT_COMPILED_IN #define wc_RNG_GenerateBlock(rng, b, s) NOT_COMPILED_IN #define wc_RNG_GenerateByte(rng, b) NOT_COMPILED_IN -#define wc_FreeRng(rng) NOT_COMPILED_IN +#define wc_FreeRng(rng) (void)NOT_COMPILED_IN #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 8407c9598..86b2f773e 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1743,7 +1743,8 @@ extern void uITRON4_free(void *p) ; #ifndef WC_NO_HARDEN #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \ (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \ - (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS)) + (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \ + !defined(WC_NO_RNG)) #ifndef _MSC_VER #warning "For timing resistance / side-channel attack prevention consider using harden options"