diff --git a/src/internal.c b/src/internal.c index c12ec72d8..d8e482975 100644 --- a/src/internal.c +++ b/src/internal.c @@ -162,8 +162,10 @@ int IsAtLeastTLSv1_2(const WOLFSSL* ssl) { if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR) return 1; +#ifdef WOLFSSL_DTLS if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR) return 1; +#endif return 0; } @@ -1704,17 +1706,13 @@ void FreeCiphers(WOLFSSL* ssl) void InitCipherSpecs(CipherSpecs* cs) { + XMEMSET(cs, 0, sizeof(CipherSpecs)); + cs->bulk_cipher_algorithm = INVALID_BYTE; cs->cipher_type = INVALID_BYTE; cs->mac_algorithm = INVALID_BYTE; cs->kea = INVALID_BYTE; cs->sig_algo = INVALID_BYTE; - - cs->hash_size = 0; - cs->static_ecdh = 0; - cs->key_size = 0; - cs->iv_size = 0; - cs->block_size = 0; } void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, @@ -1725,6 +1723,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, (void)tls1_2; (void)keySz; +#if defined(HAVE_ECC) || defined(HAVE_ED25519) if (haveECDSAsig) { #ifdef WOLFSSL_SHA512 suites->hashSigAlgo[idx++] = sha512_mac; @@ -1748,6 +1747,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, suites->hashSigAlgo[idx++] = ED25519_SA_MINOR; #endif } +#endif /* HAVE_ECC || HAVE_ED25519 */ if (haveRSAsig) { #ifdef WC_RSA_PSS @@ -1785,13 +1785,15 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, #endif } +#ifdef HAVE_ANON if (haveAnon) { - #ifdef HAVE_ANON suites->hashSigAlgo[idx++] = sha_mac; suites->hashSigAlgo[idx++] = anonymous_sa_algo; - #endif } +#endif + (void)haveAnon; + (void)haveECDSAsig; suites->hashSigAlgoSz = (word16)idx; } @@ -1817,6 +1819,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, (void)haveNTRU; (void)haveStaticECC; (void)haveECC; + (void)side; + (void)haveRSA; /* some builds won't read */ + (void)haveRSAsig; /* non ecc builds won't read */ if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); @@ -1826,15 +1831,15 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, if (suites->setSuites) return; /* trust user settings, don't override */ +#ifndef NO_WOLFSSL_SERVER if (side == WOLFSSL_SERVER_END && haveStaticECC) { haveRSA = 0; /* can't do RSA with ECDSA key */ - (void)haveRSA; /* some builds won't read */ } if (side == WOLFSSL_SERVER_END && haveECDSAsig) { haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */ - (void)haveRSAsig; /* non ecc builds won't read */ } +#endif /* !NO_WOLFSSL_SERVER */ #ifdef WOLFSSL_DTLS if (pv.major == DTLS_MAJOR) { @@ -4435,10 +4440,12 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif } +#ifdef HAVE_WRITE_DUP if (writeDup) { /* all done */ return 0; } +#endif /* hsHashes */ ret = InitHandshakeHashes(ssl); diff --git a/src/ssl.c b/src/ssl.c index 07a3e4a48..1bad2ff9a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -50,8 +50,8 @@ #endif #endif -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ - defined(WOLFSSL_KEY_GEN) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) || defined(WOLFSSL_KEY_GEN) #include /* openssl headers end, wolfssl internal headers next */ #include @@ -3189,7 +3189,8 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, #endif /* NO_CERTS */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) static struct cipher{ unsigned char type; @@ -3527,7 +3528,7 @@ static INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata) return min((word32)sz, (word32)XSTRLEN((char*)userdata)); } -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */ #ifndef NO_CERTS @@ -3562,7 +3563,8 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, info->ctx = NULL; info->consumed = 0; -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) if (pass) { info->ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); if (info->ctx == NULL) { @@ -4469,7 +4471,8 @@ int wolfSSL_Init(void) } -#if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) && !defined(NO_CERTS) +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER)) && !defined(NO_CERTS) /* WOLFSSL_SUCCESS if ok, <= 0 else */ static int wolfssl_decrypt_buffer_key(DerBuffer* der, byte* password, @@ -4559,7 +4562,8 @@ static int wolfssl_decrypt_buffer_key(DerBuffer* der, byte* password, return WOLFSSL_FATAL_ERROR; } -#endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) */ +#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || + defined(HAVE_WEBSERVER) */ #if defined(WOLFSSL_KEY_GEN) && defined(OPENSSL_EXTRA) @@ -4909,7 +4913,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, return 0; } -#if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) && !defined(NO_PWDBASED) +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER)) && !defined(NO_PWDBASED) if (encrypted_key || header == BEGIN_ENC_PRIV_KEY) { int passwordSz; #ifdef WOLFSSL_SMALL_STACK @@ -4953,7 +4958,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } } } -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER || NO_PWDBASED */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || + NO_PWDBASED */ return 0; } @@ -5183,7 +5189,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, return ret; } -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) /* for WOLFSSL_FILETYPE_PEM, PemToDer manage the decryption if required */ if (info->set && (format != WOLFSSL_FILETYPE_PEM)) { /* decrypt */ @@ -5224,7 +5231,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, return ret; } } -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */ #ifdef WOLFSSL_SMALL_STACK XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); @@ -12503,7 +12510,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } #endif /* OPENSSL_EXTRA */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) void wolfSSL_CTX_set_default_passwd_cb_userdata(WOLFSSL_CTX* ctx, void* userdata) @@ -12521,72 +12529,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } } - int wolfSSL_num_locks(void) - { - return 0; - } - - void wolfSSL_set_locking_callback(void (*f)(int, int, const char*, int)) - { - WOLFSSL_ENTER("wolfSSL_set_locking_callback"); - - if (wc_SetMutexCb(f) != 0) { - WOLFSSL_MSG("Error when setting mutex call back"); - } - } - - - typedef unsigned long (idCb)(void); - static idCb* inner_idCb = NULL; - - unsigned long wolfSSL_thread_id(void) - { - if (inner_idCb != NULL) { - return inner_idCb(); - } - else { - return 0; - } - } - - - void wolfSSL_set_id_callback(unsigned long (*f)(void)) - { - inner_idCb = f; - } - - unsigned long wolfSSL_ERR_get_error(void) - { - WOLFSSL_ENTER("wolfSSL_ERR_get_error"); - -#if defined(WOLFSSL_NGINX) - { - unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL, - NULL, NULL); - wc_RemoveErrorNode(-1); - return ret; - } -#elif (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) - { - int ret = wc_PullErrorNode(NULL, NULL, NULL); - - if (ret < 0) { - if (ret == BAD_STATE_E) return 0; /* no errors in queue */ - WOLFSSL_MSG("Error with pulling error node!"); - WOLFSSL_LEAVE("wolfSSL_ERR_get_error", ret); - ret = 0 - ret; /* return absolute value of error */ - - /* panic and try to clear out nodes */ - wc_ClearErrorNodes(); - } - - return (unsigned long)ret; - } -#else - return (unsigned long)(0 - NOT_COMPILED_IN); -#endif - } - #ifndef NO_MD5 int wolfSSL_EVP_BytesToKey(const WOLFSSL_EVP_CIPHER* type, @@ -12722,6 +12664,75 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } #endif /* NO_MD5 */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */ + + +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + int wolfSSL_num_locks(void) + { + return 0; + } + + void wolfSSL_set_locking_callback(void (*f)(int, int, const char*, int)) + { + WOLFSSL_ENTER("wolfSSL_set_locking_callback"); + + if (wc_SetMutexCb(f) != 0) { + WOLFSSL_MSG("Error when setting mutex call back"); + } + } + + + typedef unsigned long (idCb)(void); + static idCb* inner_idCb = NULL; + + unsigned long wolfSSL_thread_id(void) + { + if (inner_idCb != NULL) { + return inner_idCb(); + } + else { + return 0; + } + } + + + void wolfSSL_set_id_callback(unsigned long (*f)(void)) + { + inner_idCb = f; + } + + unsigned long wolfSSL_ERR_get_error(void) + { + WOLFSSL_ENTER("wolfSSL_ERR_get_error"); + +#if defined(WOLFSSL_NGINX) + { + unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL, + NULL, NULL); + wc_RemoveErrorNode(-1); + return ret; + } +#elif (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) + { + int ret = wc_PullErrorNode(NULL, NULL, NULL); + + if (ret < 0) { + if (ret == BAD_STATE_E) return 0; /* no errors in queue */ + WOLFSSL_MSG("Error with pulling error node!"); + WOLFSSL_LEAVE("wolfSSL_ERR_get_error", ret); + ret = 0 - ret; /* return absolute value of error */ + + /* panic and try to clear out nodes */ + wc_ClearErrorNodes(); + } + + return (unsigned long)ret; + } +#else + return (unsigned long)(0 - NOT_COMPILED_IN); +#endif + } #endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ diff --git a/tests/api.c b/tests/api.c index c9729915e..fbb31abb6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2811,6 +2811,83 @@ static void test_wolfSSL_PKCS12(void) #endif /* OPENSSL_EXTRA */ } + +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) +/* for PKCS8 test case */ +static INLINE int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata) +{ + int flag = 0; + + (void)rw; + if (userdata != NULL) { + flag = *((int*)userdata); /* user set data */ + } + + switch (flag) { + case 1: /* flag set for specific WOLFSSL_CTX structure, note userdata + * can be anything the user wishes to be passed to the callback + * associated with the WOLFSSL_CTX */ + strncpy(passwd, "yassl123", sz); + return 8; + + default: + return BAD_FUNC_ARG; + } +} +#endif + +/* Testing functions dealing with PKCS8 */ +static void test_wolfSSL_PKCS8(void) +{ +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) + byte buffer[FOURK_BUF]; + byte der[FOURK_BUF]; + char file[] = "./certs/server-keyPkcs8Enc.pem"; + FILE *f; + int flag = 1; + int bytes; + WOLFSSL_CTX* ctx; + + printf(testingFmt, "wolfSSL_PKCS8()"); + + f = fopen(file, "rb"); + AssertNotNull(f); + bytes = (int)fread(buffer, 1, sizeof(buffer), f); + fclose(f); + + /* Note that wolfSSL_Init() or wolfCrypt_Init() has been called before these + * function calls */ + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + wolfSSL_CTX_set_default_passwd_cb(ctx, &PKCS8TestCallBack); + wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + SSL_FILETYPE_PEM), SSL_SUCCESS); + + /* this next case should fail if setting the user flag to a value other + * than 1 due to the password callback functions return value */ + flag = 0; + wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); + AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + SSL_FILETYPE_PEM), SSL_SUCCESS); + + wolfSSL_CTX_free(ctx); + + /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ + AssertIntGT(wolfSSL_KeyPemToDer(buffer, bytes, der, FOURK_BUF, "yassl123"), + 0); + + /* test that error value is returned with a bad password */ + AssertIntLT(wolfSSL_KeyPemToDer(buffer, bytes, der, FOURK_BUF, "bad"), 0); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA */ +} + /* Testing functions dealing with PKCS5 */ static void test_wolfSSL_PKCS5(void) { @@ -17546,6 +17623,7 @@ void ApiTest(void) /* X509 tests */ test_wolfSSL_X509_NAME_get_entry(); test_wolfSSL_PKCS12(); + test_wolfSSL_PKCS8(); test_wolfSSL_PKCS5(); /*OCSP Stapling. */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d96ea4625..9769dfed7 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1211,7 +1211,9 @@ static const byte extExtKeyUsageOid[] = {85, 29, 37}; static const byte extNameConsOid[] = {85, 29, 30}; /* certAuthInfoType */ -static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; +#ifdef HAVE_OCSP + static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; +#endif static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; /* certPolicyType */ @@ -1534,19 +1536,23 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extExtKeyUsageOid; *oidSz = sizeof(extExtKeyUsageOid); break; + #ifndef IGNORE_NAME_CONSTRAINTS case NAME_CONS_OID: oid = extNameConsOid; *oidSz = sizeof(extNameConsOid); break; + #endif } break; case oidCertAuthInfoType: switch (id) { + #ifdef HAVE_OCSP case AIA_OCSP_OID: oid = extAuthInfoOcspOid; *oidSz = sizeof(extAuthInfoOcspOid); break; + #endif case AIA_CA_ISSUER_OID: oid = extAuthInfoCaIssuerOid; *oidSz = sizeof(extAuthInfoCaIssuerOid); @@ -2388,10 +2394,14 @@ static int CheckAlgo(int first, int second, int* id, int* version) if (first == 1) { switch (second) { +#if !defined(NO_SHA) + #ifndef NO_RC4 case PBE_SHA1_RC4_128: *id = PBE_SHA1_RC4_128; *version = PKCS12v1; return 0; + #endif + #ifndef NO_DES3 case PBE_SHA1_DES: *id = PBE_SHA1_DES; *version = PKCS12v1; @@ -2400,6 +2410,8 @@ static int CheckAlgo(int first, int second, int* id, int* version) *id = PBE_SHA1_DES3; *version = PKCS12v1; return 0; + #endif +#endif /* !NO_SHA */ default: return ALGO_ID_E; } @@ -2414,12 +2426,18 @@ static int CheckAlgo(int first, int second, int* id, int* version) } switch (second) { +#ifndef NO_DES3 + #ifndef NO_MD5 case 3: /* see RFC 2898 for ids */ *id = PBE_MD5_DES; return 0; + #endif + #ifndef NO_SHA case 10: *id = PBE_SHA1_DES; return 0; + #endif +#endif /* !NO_DES3 */ default: return ALGO_ID_E; @@ -2433,7 +2451,7 @@ static int CheckAlgoV2(int oid, int* id) { (void)id; /* not used if AES and DES3 disabled */ switch (oid) { -#ifndef NO_DES3 +#if !defined(NO_DES3) && !defined(NO_SHA) case DESb: *id = PBE_SHA1_DES; return 0; @@ -2477,11 +2495,14 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, WOLFSSL_ENTER("CryptKey()"); switch (id) { + #ifndef NO_DES3 + #ifndef NO_MD5 case PBE_MD5_DES: typeH = WC_MD5; derivedLen = 16; /* may need iv for v1.5 */ break; - + #endif + #ifndef NO_SHA case PBE_SHA1_DES: typeH = WC_SHA; derivedLen = 16; /* may need iv for v1.5 */ @@ -2491,17 +2512,20 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, typeH = WC_SHA; derivedLen = 32; /* may need iv for v1.5 */ break; - + #endif /* !NO_SHA */ + #endif /* !NO_DES3 */ + #if !defined(NO_SHA) && !defined(NO_RC4) case PBE_SHA1_RC4_128: typeH = WC_SHA; derivedLen = 16; break; - + #endif + #ifdef WOLFSSL_AES_256 case PBE_AES256_CBC: typeH = WC_SHA256; derivedLen = 32; break; - + #endif default: WOLFSSL_MSG("Unknown/Unsupported encrypt/decrypt id"); return ALGO_ID_E; @@ -2563,6 +2587,7 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, switch (id) { #ifndef NO_DES3 + #if !defined(NO_SHA) || !defined(NO_MD5) case PBE_MD5_DES: case PBE_SHA1_DES: { @@ -2593,7 +2618,9 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, } break; } + #endif /* !NO_SHA || !NO_MD5 */ + #ifndef NO_SHA case PBE_SHA1_DES3: { Des3 des; @@ -2635,8 +2662,9 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, } break; } + #endif /* !NO_SHA */ #endif -#ifndef NO_RC4 +#if !defined(NO_RC4) && !defined(NO_SHA) case PBE_SHA1_RC4_128: { Arc4 dec; @@ -2647,6 +2675,7 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, } #endif #ifndef NO_AES + #ifdef WOLFSSL_AES_256 case PBE_AES256_CBC: { Aes dec; @@ -2665,6 +2694,7 @@ static int CryptKey(const char* password, int passwordSz, byte* salt, ForceZero(&dec, sizeof(Aes)); break; } + #endif /* WOLFSSL_AES_256 */ #endif default: @@ -3179,6 +3209,7 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, if (out == NULL) { sz = inputSz; switch (id) { + #if !defined(NO_DES3) && (!defined(NO_MD5) || !defined(NO_SHA)) case PBE_MD5_DES: case PBE_SHA1_DES: case PBE_SHA1_DES3: @@ -3187,10 +3218,11 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, sz &= 0xfffffff8; sz += 8; break; - + #endif /* !NO_DES3 && (!NO_MD5 || !NO_SHA) */ + #if !defined(NO_RC4) && !defined(NO_SHA) case PBE_SHA1_RC4_128: break; - + #endif case -1: break; @@ -5029,6 +5061,7 @@ static int SetCurve(ecc_key* key, byte* output) #endif /* HAVE_ECC */ +#ifdef HAVE_ECC static INLINE int IsSigAlgoECDSA(int algoOID) { /* ECDSA sigAlgo must not have ASN1 NULL parameters */ @@ -5039,6 +5072,7 @@ static INLINE int IsSigAlgoECDSA(int algoOID) return 0; } +#endif WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) { @@ -5048,8 +5082,14 @@ WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ tagSz = (type == oidHashType || - (type == oidSigType && !IsSigAlgoECDSA(algoOID) && - algoOID != ED25519k) || + (type == oidSigType + #ifdef HAVE_ECC + && !IsSigAlgoECDSA(algoOID) + #endif + #ifdef HAVE_ED25519 + && algoOID != ED25519k + #endif + ) || (type == oidKeyType && algoOID == RSAk)) ? 2 : 0; algoName = OidFromId(algoOID, type, &algoSz); @@ -7791,7 +7831,13 @@ int wc_InitCert(Cert* cert) XMEMSET(cert, 0, sizeof(Cert)); cert->version = 2; /* version 3 is hex 2 */ +#ifndef NO_SHA cert->sigType = CTC_SHAwRSA; +#elif !defined(NO_SHA256) + cert->sigType = CTC_SHA256wRSA; +#else + cert->sigType = 0; +#endif cert->daysValid = 500; cert->selfSigned = 1; cert->keyType = RSA_KEY; diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c index fd3cb57e1..5a3296d2e 100644 --- a/wolfcrypt/src/coding.c +++ b/wolfcrypt/src/coding.c @@ -347,8 +347,9 @@ int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, word32* outLen) #endif /* defined(WOLFSSL_BASE64_ENCODE) */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \ - || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) || \ + defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) static const byte hexDecode[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 0ce4c8bfa..21508c19d 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -568,6 +568,7 @@ void wc_FreeDhKey(DhKey* key) #endif +#ifndef WOLFSSL_NO_DH186 /* validate that (L,N) match allowed sizes from SP 800-56A, Section 5.5.1.1. * modLen - represents L, the size of p in bits * divLen - represents N, the size of q in bits @@ -698,6 +699,7 @@ static int GeneratePrivateDh186(DhKey* key, WC_RNG* rng, byte* priv, return err; } +#endif /* WOLFSSL_NO_DH186 */ static int GeneratePrivateDh(DhKey* key, WC_RNG* rng, byte* priv, @@ -706,13 +708,16 @@ static int GeneratePrivateDh(DhKey* key, WC_RNG* rng, byte* priv, int ret = 0; word32 sz = 0; +#ifndef WOLFSSL_NO_DH186 if (mp_iszero(&key->q) == MP_NO) { /* q param available, use NIST FIPS 186-4, "B.1.1 Key Pair * Generation Using Extra Random Bits" */ ret = GeneratePrivateDh186(key, rng, priv, privSz); - } else { + } else +#endif + { sz = mp_unsigned_bin_size(&key->p); diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index fd8f67b44..7984945b3 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -3414,9 +3414,12 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) outerContentTypeSz = wc_SetContentType(ENVELOPED_DATA, outerContentType); /* version, defined as 0 in RFC 2315 */ +#ifdef HAVE_ECC if (pkcs7->publicKeyOID == ECDSAk) { verSz = SetMyVersion(2, ver, 0); - } else { + } else +#endif + { verSz = SetMyVersion(0, ver, 0); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0ce97404f..a80bed2ec 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2350,27 +2350,27 @@ struct WOLFSSL_CTX { Suites* suites; /* make dynamic, user may not need/set */ void* heap; /* for user memory overrides */ byte verifyDepth; - byte verifyPeer; - byte verifyNone; - byte failNoCert; - byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/ - byte sessionCacheOff; - byte sessionCacheFlushOff; + byte verifyPeer:1; + byte verifyNone:1; + byte failNoCert:1; + byte failNoCertxPSK:1; /* fail if no cert with the exception of PSK*/ + byte sessionCacheOff:1; + byte sessionCacheFlushOff:1; #ifdef HAVE_EXT_CACHE - byte internalCacheOff; + byte internalCacheOff:1; #endif - byte sendVerify; /* for client side */ - byte haveRSA; /* RSA available */ - byte haveECC; /* ECC available */ - byte haveDH; /* server DH parms set by user */ - byte haveNTRU; /* server private NTRU key loaded */ - byte haveECDSAsig; /* server cert signed w/ ECDSA */ - byte haveStaticECC; /* static server ECC private key */ - byte partialWrite; /* only one msg per write call */ - byte quietShutdown; /* don't send close notify */ - byte groupMessages; /* group handshake messages before sending */ + byte sendVerify; /* for client side (can not be single bit) */ + byte haveRSA:1; /* RSA available */ + byte haveECC:1; /* ECC available */ + byte haveDH:1; /* server DH parms set by user */ + byte haveNTRU:1; /* server private NTRU key loaded */ + byte haveECDSAsig:1; /* server cert signed w/ ECDSA */ + byte haveStaticECC:1; /* static server ECC private key */ + byte partialWrite:1; /* only one msg per write call */ + byte quietShutdown:1; /* don't send close notify */ + byte groupMessages:1; /* group handshake messages before sending */ byte minDowngrade; /* minimum downgrade version */ - byte haveEMS; /* have extended master secret extension */ + byte haveEMS:1; /* have extended master secret extension */ byte useClientOrder:1; /* Use client's cipher preference order */ #ifdef WOLFSSL_TLS13 byte noTicketTls13:1; /* Server won't create new Ticket */ @@ -2436,9 +2436,12 @@ struct WOLFSSL_CTX { #ifdef HAVE_ANON byte haveAnon; /* User wants to allow Anon suites */ #endif /* HAVE_ANON */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) pem_password_cb* passwd_cb; void* userdata; +#endif +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */ WOLFSSL_X509_STORE* x509_store_pt; /* take ownership of external store */ byte readAhead; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 908503449..bfb9eb61a 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -715,12 +715,18 @@ struct DecodedCert { extern const char* const BEGIN_CERT; extern const char* const END_CERT; -extern const char* const BEGIN_CERT_REQ; -extern const char* const END_CERT_REQ; -extern const char* const BEGIN_DSA_PARAM; -extern const char* const END_DSA_PARAM; -extern const char* const BEGIN_DH_PARAM; -extern const char* const END_DH_PARAM; +#ifdef WOLFSSL_CERT_REQ + extern const char* const BEGIN_CERT_REQ; + extern const char* const END_CERT_REQ; +#endif +#ifndef NO_DSA + extern const char* const BEGIN_DSA_PARAM; + extern const char* const END_DSA_PARAM; +#endif +#ifndef NO_DH + extern const char* const BEGIN_DH_PARAM; + extern const char* const END_DH_PARAM; +#endif extern const char* const BEGIN_X509_CRL; extern const char* const END_X509_CRL; extern const char* const BEGIN_RSA_PRIV; @@ -729,14 +735,20 @@ extern const char* const BEGIN_PRIV_KEY; extern const char* const END_PRIV_KEY; extern const char* const BEGIN_ENC_PRIV_KEY; extern const char* const END_ENC_PRIV_KEY; -extern const char* const BEGIN_EC_PRIV; -extern const char* const END_EC_PRIV; -extern const char* const BEGIN_DSA_PRIV; -extern const char* const END_DSA_PRIV; +#ifdef HAVE_ECC + extern const char* const BEGIN_EC_PRIV; + extern const char* const END_EC_PRIV; +#endif +#if defined(HAVE_ECC) || defined(HAVE_ED25519) || !defined(NO_DSA) + extern const char* const BEGIN_DSA_PRIV; + extern const char* const END_DSA_PRIV; +#endif extern const char* const BEGIN_PUB_KEY; extern const char* const END_PUB_KEY; -extern const char* const BEGIN_EDDSA_PRIV; -extern const char* const END_EDDSA_PRIV; +#ifdef HAVE_ED25519 + extern const char* const BEGIN_EDDSA_PRIV; + extern const char* const END_EDDSA_PRIV; +#endif #ifdef NO_SHA #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE diff --git a/wolfssl/wolfcrypt/coding.h b/wolfssl/wolfcrypt/coding.h index 44da37676..fbf3c02c2 100644 --- a/wolfssl/wolfcrypt/coding.h +++ b/wolfssl/wolfcrypt/coding.h @@ -63,8 +63,9 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen); #endif -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) \ - || defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) || \ + defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) WOLFSSL_API int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen); WOLFSSL_API