Merge pull request #3289 from dgarske/wpas_small

Fixes for building `--enable-wpas=small` with WPA Supplicant v2.7
2025-08-02 12:14:38 +02:00 · 2020-09-21 13:37:58 -07:00
parent 0f6d391ea1 9deb85ceb1
commit 1274a01dc7
5 changed files with 304 additions and 281 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -645,26 +645,30 @@ then
    AM_CFLAGS="$AM_CFLAGS -DTEST_IPV6 -DWOLFSSL_IPV6"
 fi
-
+if test "$ENABLED_WPAS" = "small"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS_SMALL"
    AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT"
    AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT"
 fi
 if test "$ENABLED_WPAS" = "yes"
 then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK -DWOLFSSL_STATIC_RSA"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
    AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER -DHAVE_EX_DATA -DWOLFSSL_KEEP_PEER_CERT"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN -DWOLFSSL_DES_ECB"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS"
 fi
-
+if test "$ENABLED_WPAS" != "no"
 if test "$ENABLED_WPAS" = "small"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS_SMALL"
+    AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD"
    AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
 fi
 if test "$ENABLED_FORTRESS" = "yes"
@@ -2323,7 +2327,7 @@ AC_ARG_ENABLE([des3],
    [ ENABLED_DES3=no ]
    )
-if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_QT" = "yes" || test "$ENABLED_OPENVPN" = "yes"
+if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_QT" = "yes" || test "$ENABLED_OPENVPN" = "yes" || test "x$ENABLED_WPAS" != "xno"
 then
    ENABLED_DES3="yes"
 fi
@@ -2411,7 +2415,7 @@ AC_ARG_ENABLE([cmac],
    [ ENABLED_CMAC=no ]
    )
-if test "$ENABLED_WPAS" = "yes"
+if test "$ENABLED_WPAS" != "no"
 then
    ENABLED_CMAC=yes
 fi
@@ -2848,7 +2852,7 @@ AC_ARG_ENABLE([crl],
    )
-if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes"
+if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno"
 then
    ENABLED_CRL=yes
 fi
@@ -3201,7 +3205,7 @@ AC_ARG_ENABLE([session-ticket],
    [ ENABLED_SESSION_TICKET=no ]
    )
-if test "x$ENABLED_NGINX" = "xyes" || test "$ENABLED_WPAS" != "no" || test "x$ENABLED_HAPROXY" = "xyes"
+if test "x$ENABLED_NGINX" = "xyes" || test "$ENABLED_WPAS" = "yes" || test "x$ENABLED_HAPROXY" = "xyes"
 then
    ENABLED_SESSION_TICKET=yes
 fi
@@ -3871,7 +3875,7 @@ AC_ARG_ENABLE([md4],
 if test "$ENABLED_MD4" = "no"
 then
    #turn on MD4 if using stunnel
-    if test "x$ENABLED_STUNNEL" = "xyes"
+    if test "x$ENABLED_STUNNEL" = "xyes" || test "x$ENABLED_WPAS" != "xno"
    then
        ENABLED_MD4="yes"
    else
@@ -4884,7 +4888,7 @@ AC_ARG_ENABLE([aeskeywrap],
    [ ENABLED_AESKEYWRAP=no ]
    )
-if test "$ENABLED_WPAS" = "yes" && test "$ENABLED_FIPS" = "no"
+if test "$ENABLED_WPAS" != "no" && test "$ENABLED_FIPS" = "no"
 then
    ENABLED_AESKEYWRAP="yes"
 fi
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -17658,258 +17658,266 @@ int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME* name)
 }
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 #if defined(OPENSSL_EXTRA) || \
    defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
 /* return the next, if any, altname from the peer cert */
 WOLFSSL_ABI
 char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert)
 {
    char* ret = NULL;
    WOLFSSL_ENTER("wolfSSL_X509_get_next_altname");
-#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
+    /* don't have any to work with */
-    defined(SESSION_CERTS)
+    if (cert == NULL || cert->altNames == NULL)
-    /* return the next, if any, altname from the peer cert */
+        return NULL;
    WOLFSSL_ABI
    char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert)
    {
        char* ret = NULL;
        WOLFSSL_ENTER("wolfSSL_X509_get_next_altname");
-        /* don't have any to work with */
+    /* already went through them */
-        if (cert == NULL || cert->altNames == NULL)
+    if (cert->altNamesNext == NULL)
-            return NULL;
+        return NULL;
-        /* already went through them */
+    ret = cert->altNamesNext->name;
-        if (cert->altNamesNext == NULL)
+    cert->altNamesNext = cert->altNamesNext->next;
            return NULL;
-        ret = cert->altNamesNext->name;
+    return ret;
-        cert->altNamesNext = cert->altNamesNext->next;
+}
-        return ret;
+int wolfSSL_X509_get_signature(WOLFSSL_X509* x509,
    }
    int wolfSSL_X509_get_signature(WOLFSSL_X509* x509,
                                                 unsigned char* buf, int* bufSz)
    {
        WOLFSSL_ENTER("wolfSSL_X509_get_signature");
        if (x509 == NULL || bufSz == NULL || (*bufSz < (int)x509->sig.length &&
                    buf != NULL))
            return WOLFSSL_FATAL_ERROR;
        if (buf != NULL)
            XMEMCPY(buf, x509->sig.buffer, x509->sig.length);
        *bufSz = x509->sig.length;
        return WOLFSSL_SUCCESS;
    }
    /* Getter function that copies over the DER public key buffer to "buf" and
     * sets the size in bufSz. If "buf" is NULL then just bufSz is set to needed
     * buffer size. "bufSz" passed in should initially be set by the user to be
     * the size of "buf". This gets checked to make sure the buffer is large
     * enough to hold the public key.
     *
     * Note: this is the X.509 form of key with "header" info.
     * return WOLFSSL_SUCCESS on success
     */
    int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509,
                                                unsigned char* buf, int* bufSz)
-    {
+{
-    #ifdef WOLFSSL_SMALL_STACK
+    WOLFSSL_ENTER("wolfSSL_X509_get_signature");
-        DecodedCert* cert;
+    if (x509 == NULL || bufSz == NULL || (*bufSz < (int)x509->sig.length &&
-    #else
+                buf != NULL))
-        DecodedCert cert[1];
+        return WOLFSSL_FATAL_ERROR;
    #endif
        word32 idx;
        const byte*  der;
        int length = 0;
        int    ret, derSz = 0;
        int badDate = 0;
        const byte* pubKeyX509 = NULL;
        int   pubKeyX509Sz = 0;
-        WOLFSSL_ENTER("wolfSSL_X509_get_pubkey_buffer");
+    if (buf != NULL)
-        if (x509 == NULL || bufSz == NULL) {
+        XMEMCPY(buf, x509->sig.buffer, x509->sig.length);
-            WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BAD_FUNC_ARG);
+    *bufSz = x509->sig.length;
    return WOLFSSL_SUCCESS;
 }
 /* Getter function that copies over the DER public key buffer to "buf" and
    * sets the size in bufSz. If "buf" is NULL then just bufSz is set to needed
    * buffer size. "bufSz" passed in should initially be set by the user to be
    * the size of "buf". This gets checked to make sure the buffer is large
    * enough to hold the public key.
    *
    * Note: this is the X.509 form of key with "header" info.
    * return WOLFSSL_SUCCESS on success
    */
 int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509,
                                            unsigned char* buf, int* bufSz)
 {
 #ifdef WOLFSSL_SMALL_STACK
    DecodedCert* cert;
 #else
    DecodedCert cert[1];
 #endif
    word32 idx;
    const byte*  der;
    int length = 0;
    int    ret, derSz = 0;
    int badDate = 0;
    const byte* pubKeyX509 = NULL;
    int   pubKeyX509Sz = 0;
    WOLFSSL_ENTER("wolfSSL_X509_get_pubkey_buffer");
    if (x509 == NULL || bufSz == NULL) {
        WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BAD_FUNC_ARG);
        return WOLFSSL_FATAL_ERROR;
    }
 #ifdef WOLFSSL_SMALL_STACK
    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert),
                                    x509->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (cert == NULL) {
        WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", MEMORY_E);
        return WOLFSSL_FATAL_ERROR;
    }
 #endif
    der = wolfSSL_X509_get_der(x509, &derSz);
    InitDecodedCert(cert, der, derSz, NULL);
    ret = wc_GetPubX509(cert, 0, &badDate);
    if (ret >= 0) {
        idx = cert->srcIdx;
        pubKeyX509 = cert->source + cert->srcIdx;
        ret = GetSequence(cert->source, &cert->srcIdx, &length,
                cert->maxIdx);
        pubKeyX509Sz = length + (cert->srcIdx - idx);
    }
    FreeDecodedCert(cert);
 #ifdef WOLFSSL_SMALL_STACK
    XFREE(cert, x509->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
    if (ret < 0) {
        WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", ret);
        return WOLFSSL_FATAL_ERROR;
    }
    if (buf != NULL) {
        if (pubKeyX509Sz > *bufSz) {
            WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BUFFER_E);
            return WOLFSSL_FATAL_ERROR;
        }
        XMEMCPY(buf, pubKeyX509, pubKeyX509Sz);
    }
    *bufSz = pubKeyX509Sz;
    return WOLFSSL_SUCCESS;
 }
-    #ifdef WOLFSSL_SMALL_STACK
+/* Getter function for the public key OID value
-        cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert),
+    * return public key OID stored in WOLFSSL_X509 structure */
-                                       x509->heap, DYNAMIC_TYPE_TMP_BUFFER);
+int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509)
-        if (cert == NULL) {
+{
-            WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", MEMORY_E);
+    if (x509 == NULL)
-            return WOLFSSL_FATAL_ERROR;
+        return WOLFSSL_FAILURE;
-        }
+    return x509->pubKeyOID;
-    #endif
+}
-        der = wolfSSL_X509_get_der(x509, &derSz);
+#endif /* OPENSSL_EXTRA || KEEP_OUR_CERT || KEEP_PEER_CERT || SESSION_CERTS */
        InitDecodedCert(cert, der, derSz, NULL);
        ret = wc_GetPubX509(cert, 0, &badDate);
        if (ret >= 0) {
            idx = cert->srcIdx;
            pubKeyX509 = cert->source + cert->srcIdx;
            ret = GetSequence(cert->source, &cert->srcIdx, &length,
                    cert->maxIdx);
            pubKeyX509Sz = length + (cert->srcIdx - idx);
        }
-        FreeDecodedCert(cert);
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
-    #ifdef WOLFSSL_SMALL_STACK
+    defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
        XFREE(cert, x509->heap, DYNAMIC_TYPE_TMP_BUFFER);
    #endif
-        if (ret < 0) {
+/* write X509 serial number in unsigned binary to buffer
-            WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", ret);
+    buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases
-            return WOLFSSL_FATAL_ERROR;
+    return WOLFSSL_SUCCESS on success */
-        }
+int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509,
-
+                                    byte* in, int* inOutSz)
-        if (buf != NULL) {
+{
-            if (pubKeyX509Sz > *bufSz) {
+    WOLFSSL_ENTER("wolfSSL_X509_get_serial_number");
-                WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BUFFER_E);
+    if (x509 == NULL || inOutSz == NULL) {
-                return WOLFSSL_FATAL_ERROR;
+        WOLFSSL_MSG("Null argument passed in");
-            }
+        return BAD_FUNC_ARG;
            XMEMCPY(buf, pubKeyX509, pubKeyX509Sz);
        }
        *bufSz = pubKeyX509Sz;
        return WOLFSSL_SUCCESS;
    }
-
+    if (in != NULL) {
-    /* Getter function for the public key OID value
+        if (*inOutSz < x509->serialSz) {
-     * return public key OID stored in WOLFSSL_X509 structure */
+            WOLFSSL_MSG("Serial buffer too small");
-    int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509)
+            return BUFFER_E;
    {
        if (x509 == NULL)
            return WOLFSSL_FAILURE;
        return x509->pubKeyOID;
    }
    /* write X509 serial number in unsigned binary to buffer
       buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases
       return WOLFSSL_SUCCESS on success */
    int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509,
                                       byte* in, int* inOutSz)
    {
        WOLFSSL_ENTER("wolfSSL_X509_get_serial_number");
        if (x509 == NULL || inOutSz == NULL) {
            WOLFSSL_MSG("Null argument passed in");
            return BAD_FUNC_ARG;
        }
-
+        XMEMCPY(in, x509->serial, x509->serialSz);
        if (in != NULL) {
            if (*inOutSz < x509->serialSz) {
                WOLFSSL_MSG("Serial buffer too small");
                return BUFFER_E;
            }
            XMEMCPY(in, x509->serial, x509->serialSz);
        }
        *inOutSz = x509->serialSz;
        return WOLFSSL_SUCCESS;
    }
    *inOutSz = x509->serialSz;
    return WOLFSSL_SUCCESS;
 }
-    /* not an openssl compatibility function - getting for derCert */
+/* not an openssl compatibility function - getting for derCert */
-    const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
+const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
-    {
+{
-        WOLFSSL_ENTER("wolfSSL_X509_get_der");
+    WOLFSSL_ENTER("wolfSSL_X509_get_der");
-        if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
+    if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
-            return NULL;
+        return NULL;
-        *outSz = (int)x509->derCert->length;
+    *outSz = (int)x509->derCert->length;
-        return x509->derCert->buffer;
+    return x509->derCert->buffer;
-    }
+}
-    /* used by JSSE (not a standard compatibility function) */
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_OUR_CERT || KEEP_PEER_CERT || SESSION_CERTS */
    /* this is not thread safe */
    WOLFSSL_ABI
    const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509)
    {
        static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */
        WOLFSSL_ENTER("wolfSSL_X509_notBefore");
-        if (x509 == NULL)
+#ifdef OPENSSL_EXTRA
            return NULL;
-        XMEMSET(notBeforeData, 0, sizeof(notBeforeData));
+/* used by JSSE (not a standard compatibility function) */
-        notBeforeData[0] = (byte)x509->notBefore.type;
+/* this is not thread safe */
-        notBeforeData[1] = (byte)x509->notBefore.length;
+WOLFSSL_ABI
-        XMEMCPY(&notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
+const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509)
 {
    static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */
    WOLFSSL_ENTER("wolfSSL_X509_notBefore");
-        return notBeforeData;
+    if (x509 == NULL)
-    }
+        return NULL;
    /* used by JSSE (not a standard compatibility function) */
    /* this is not thread safe */
    WOLFSSL_ABI
    const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
    {
        static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */
        WOLFSSL_ENTER("wolfSSL_X509_notAfter");
-        if (x509 == NULL)
+    XMEMSET(notBeforeData, 0, sizeof(notBeforeData));
-            return NULL;
+    notBeforeData[0] = (byte)x509->notBefore.type;
    notBeforeData[1] = (byte)x509->notBefore.length;
    XMEMCPY(&notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
-        XMEMSET(notAfterData, 0, sizeof(notAfterData));
+    return notBeforeData;
-        notAfterData[0] = (byte)x509->notAfter.type;
+}
        notAfterData[1] = (byte)x509->notAfter.length;
        XMEMCPY(&notAfterData[2], x509->notAfter.data, x509->notAfter.length);
-        return notAfterData;
+/* used by JSSE (not a standard compatibility function) */
-    }
+/* this is not thread safe */
 WOLFSSL_ABI
 const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
 {
    static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */
    WOLFSSL_ENTER("wolfSSL_X509_notAfter");
-    #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB)
+    if (x509 == NULL)
-    WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
+        return NULL;
-    {
+
-        (void) s;
+    XMEMSET(notAfterData, 0, sizeof(notAfterData));
-        (void) adj;
+    notAfterData[0] = (byte)x509->notAfter.type;
-        WOLFSSL_STUB("wolfSSL_X509_gmtime_adj");
+    notAfterData[1] = (byte)x509->notAfter.length;
    XMEMCPY(&notAfterData[2], x509->notAfter.data, x509->notAfter.length);
    return notAfterData;
 }
 #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB)
 WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
 {
    (void) s;
    (void) adj;
    WOLFSSL_STUB("wolfSSL_X509_gmtime_adj");
    return NULL;
 }
 #endif
 /* get the buffer to be signed (tbs) from the WOLFSSL_X509 certificate
    *
    * outSz : gets set to the size of the buffer
    * returns a pointer to the internal buffer at the location of TBS on
    *         on success and NULL on failure.
    */
 const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509* x509, int* outSz)
 {
    int sz = 0, len;
    unsigned int idx = 0, tmpIdx;
    const unsigned char* der = NULL;
    const unsigned char* tbs = NULL;
    if (x509 == NULL || outSz == NULL) {
        return NULL;
    }
    #endif
-    /* get the buffer to be signed (tbs) from the WOLFSSL_X509 certificate
+    der = wolfSSL_X509_get_der(x509, &sz);
-     *
+    if (der == NULL) {
-     * outSz : gets set to the size of the buffer
+        return NULL;
     * returns a pointer to the internal buffer at the location of TBS on
     *         on success and NULL on failure.
     */
    const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509* x509, int* outSz)
    {
        int sz = 0, len;
        unsigned int idx = 0, tmpIdx;
        const unsigned char* der = NULL;
        const unsigned char* tbs = NULL;
        if (x509 == NULL || outSz == NULL) {
            return NULL;
        }
        der = wolfSSL_X509_get_der(x509, &sz);
        if (der == NULL) {
            return NULL;
        }
        if (GetSequence(der, &idx, &len, sz) < 0) {
            return NULL;
        }
        tbs = der + idx;
        tmpIdx = idx;
        if (GetSequence(der, &idx, &len, sz) < 0) {
            return NULL;
        }
        *outSz = len + (idx - tmpIdx);
        return tbs;
    }
-    int wolfSSL_X509_version(WOLFSSL_X509* x509)
+    if (GetSequence(der, &idx, &len, sz) < 0) {
-    {
+        return NULL;
        WOLFSSL_ENTER("wolfSSL_X509_version");
        if (x509 == NULL)
            return 0;
        return x509->version;
    }
    tbs = der + idx;
    tmpIdx = idx;
    if (GetSequence(der, &idx, &len, sz) < 0) {
        return NULL;
    }
    *outSz = len + (idx - tmpIdx);
    return tbs;
 }
 int wolfSSL_X509_version(WOLFSSL_X509* x509)
 {
    WOLFSSL_ENTER("wolfSSL_X509_version");
    if (x509 == NULL)
        return 0;
    return x509->version;
 }
 #ifdef WOLFSSL_SEP
@@ -18001,6 +18009,7 @@ byte* wolfSSL_X509_get_hw_serial_number(WOLFSSL_X509* x509,byte* in,
 }
 #endif /* WOLFSSL_SEP */
 #endif /* OPENSSL_EXTRA */
 /* require OPENSSL_EXTRA since wolfSSL_X509_free is wrapped by OPENSSL_EXTRA */
 #if !defined(NO_CERTS) && defined(OPENSSL_EXTRA)
@@ -18181,7 +18190,7 @@ void wolfSSL_sk_X509_free(WOLF_STACK_OF(WOLFSSL_X509)* sk)
 #endif /* !NO_CERTS && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */
-#if defined(OPENSSL_ALL) || defined (WOLFSSL_QT)
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
 /* return 1 on success 0 on fail */
 int wolfSSL_sk_ACCESS_DESCRIPTION_push(WOLF_STACK_OF(ACCESS_DESCRIPTION)* sk,
                                              WOLFSSL_ACCESS_DESCRIPTION* access)
@@ -18288,9 +18297,9 @@ void wolfSSL_ACCESS_DESCRIPTION_free(WOLFSSL_ACCESS_DESCRIPTION* access)
    /* access = NULL, don't try to access or double free it */
 }
-#endif
+#endif /* OPENSSL_ALL || WOLFSSL_QT */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 /* create a generic wolfSSL stack node
 * returns a new WOLFSSL_STACK structure on success */
@@ -18376,9 +18385,7 @@ int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data)
    return ret;
 }
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 /* Creates and returns new GENERAL_NAME structure */
 WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_new(void)
 {
@@ -19059,9 +19066,7 @@ int wolfSSL_i2d_DHparams(const WOLFSSL_DH *dh, unsigned char **out)
 #endif /* OPENSSL_EXTRA */
-#ifndef NO_FILESYSTEM
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
 #ifndef NO_STDIO_FILESYSTEM
 WOLFSSL_X509* wolfSSL_X509_d2i_fp(WOLFSSL_X509** x509, XFILE file)
 {
@@ -19099,8 +19104,12 @@ WOLFSSL_X509* wolfSSL_X509_d2i_fp(WOLFSSL_X509** x509, XFILE file)
    return newX509;
 }
-#endif /* NO_STDIO_FILESYSTEM */
+#endif /* OPENSSL_EXTRA && !NO_FILESYSTEM && !NO_STDIO_FILESYSTEM */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
    defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
 #ifndef NO_FILESYSTEM
 WOLFSSL_ABI
 WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
 {
@@ -19165,9 +19174,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
    return x509;
 }
-
+#endif /* !NO_FILESYSTEM */
 #endif /* NO_FILESYSTEM */
 WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer(
    const unsigned char* buf, int sz, int format)
@@ -19234,7 +19241,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer(
    return x509;
 }
-#endif /* KEEP_PEER_CERT || SESSION_CERTS */
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || SESSION_CERTS */
 /* OPENSSL_EXTRA is needed for wolfSSL_X509_d21 function
   KEEP_OUR_CERT is to insure ability for returning ssl certificate */
@@ -23838,8 +23845,8 @@ int wolfSSL_X509_cmp_time(const WOLFSSL_ASN1_TIME* asnTime, time_t* cmpTime)
 }
 #endif /* !NO_ASN_TIME */
-#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
+#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \
-    !defined(TIME_OVERRIDES)
+    !defined(NO_ASN_TIME) && !defined(USER_TIME) && !defined(TIME_OVERRIDES)
 WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj_ex(WOLFSSL_ASN1_TIME *asnTime,
    int offset_day, long offset_sec, time_t *in_tm)
 {
@@ -23884,6 +23891,9 @@ WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value(
 }
 #endif
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 /* Used to create a new WOLFSSL_ASN1_INTEGER structure.
 * returns a pointer to new structure on success and NULL on failure
 */
@@ -24058,7 +24068,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_X509_get_serialNumber(WOLFSSL_X509* x509)
    return a;
 }
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || \
    defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
@@ -27406,9 +27416,6 @@ WOLFSSL_STACK* wolfSSL_sk_new_null(void)
    return sk;
 }
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #ifdef OPENSSL_EXTRA
 WOLFSSL_BASIC_CONSTRAINTS* wolfSSL_BASIC_CONSTRAINTS_new(void)
 {
@@ -27477,7 +27484,7 @@ int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk)
    return (int)sk->num;
 }
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \
        defined(HAVE_EXT_CACHE))
@@ -37157,7 +37164,9 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        return copy;
    }
-#if defined(WOLFSSL_CERT_GEN)
+#ifdef WOLFSSL_CERT_GEN
 #if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
    /* Helper function to copy cert name from a WOLFSSL_X509_NAME structure to
    * a Cert structure.
    *
@@ -37189,7 +37198,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        return length;
    }
-
+#endif
 #ifdef WOLFSSL_CERT_REQ
    static int ReqCertFromX509(Cert* cert, WOLFSSL_X509* req)
@@ -37200,7 +37209,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
            return WOLFSSL_FAILURE;
-        ret = CopyX509NameToCert(&(req->subject), cert->sbjRaw);
+        ret = CopyX509NameToCert(&req->subject, cert->sbjRaw);
        if (ret < 0) {
            WOLFSSL_MSG("REQ subject conversion error");
            ret = MEMORY_E;
@@ -37212,7 +37221,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        if (ret == WOLFSSL_SUCCESS) {
            cert->version = req->version;
            cert->isCA = req->isCa;
-#ifdef WOLFSSL_CERT_EXT
+    #ifdef WOLFSSL_CERT_EXT
            if (req->subjKeyIdSz != 0) {
                XMEMCPY(cert->skid, req->subjKeyId, req->subjKeyIdSz);
                cert->skidSz = req->subjKeyIdSz;
@@ -37220,12 +37229,13 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
            if (req->keyUsageSet)
                cert->keyUsage = req->keyUsage;
            /* Extended Key Usage not supported. */
-#endif
+    #endif
        }
        return ret;
    }
-#endif
+#endif /* WOLFSSL_CERT_REQ */
 #ifdef WOLFSSL_ALT_NAMES
    /* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on
     * success */
@@ -37244,8 +37254,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        }
        return t->length - 1 + sz;
    }
-#endif
+#endif /* WOLFSSL_ALT_NAMES */
    /* convert a WOLFSSL_X509 to a Cert structure for writing out */
    static int CertFromX509(Cert* cert, WOLFSSL_X509* x509)
@@ -37292,7 +37301,6 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        cert->altNamesSz = FlattenAltNames(cert->altNames,
                sizeof(cert->altNames), x509->altNames);
    #endif /* WOLFSSL_ALT_NAMES */
        cert->sigType = wolfSSL_X509_get_signature_type(x509);
@@ -37357,23 +37365,23 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        if (x509->issuerSet)
            cert->selfSigned = 0;
-        ret = CopyX509NameToCert(&(x509->subject), cert->sbjRaw);
+    #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
        ret = CopyX509NameToCert(&x509->subject, cert->sbjRaw);
        if (ret < 0) {
            WOLFSSL_MSG("Subject conversion error");
            return MEMORY_E;
        }
        if (cert->selfSigned) {
            XMEMCPY(cert->issRaw, cert->sbjRaw, sizeof(CertName));
        }
        else {
-            ret = CopyX509NameToCert(&(x509->issuer), cert->issRaw);
+            ret = CopyX509NameToCert(&x509->issuer, cert->issRaw);
            if (ret < 0) {
                WOLFSSL_MSG("Issuer conversion error");
                return MEMORY_E;
            }
        }
-
+    #endif
        cert->heap = x509->heap;
@@ -37389,7 +37397,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        int hashType;
        int sigType = WOLFSSL_FAILURE;
-    #if !defined(NO_PWDBASED)
+    #if !defined(NO_PWDBASED) && defined(OPENSSL_EXTRA)
        /* Convert key type and hash algorithm to a signature algorithm */
        if (wolfSSL_EVP_get_hashinfo(md, &hashType, NULL) == WOLFSSL_FAILURE) {
            return WOLFSSL_FAILURE;
@@ -37685,6 +37693,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
        return ret;
    }
 #endif /* WOLFSSL_CERT_GEN */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
    WOLFSSL_X509_NAME *wolfSSL_d2i_X509_NAME(WOLFSSL_X509_NAME **name,
@@ -44025,7 +44034,7 @@ int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url)
    return WOLFSSL_SUCCESS;
 }
 #endif /* OCSP */
-#endif /* OPENSSL_ALL / WOLFSSL_NGINX  / WOLFSSL_HAPROXY */
+#endif /* OPENSSL_ALL || WOLFSSL_NGINX  || WOLFSSL_HAPROXY */
 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
    defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
@@ -44246,6 +44255,20 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject)
    return X509_V_OK;
 }
 char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings,
    int idx)
 {
    for (; idx > 0 && strings != NULL; idx--)
        strings = strings->next;
    if (strings == NULL)
        return NULL;
    return strings->data.string;
 }
 #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
 {
    WOLFSSL_ENTER("wolfSSL_X509_dup");
@@ -44258,16 +44281,7 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
    return wolfSSL_X509_d2i(NULL, x->derCert->buffer, x->derCert->length);
 }
-char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings,
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
    int idx)
 {
    for (; idx > 0 && strings != NULL; idx--)
        strings = strings->next;
    if (strings == NULL)
        return NULL;
    return strings->data.string;
 }
 #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 #ifdef HAVE_ALPN
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -12732,7 +12732,7 @@ static int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType,
 }
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 /* Converts from NID_* value to wolfSSL value if needed */
 static int ConvertNIDToWolfSSL(int nid)
 {
@@ -12871,7 +12871,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out)
    }
    return totalBytes;
 }
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 /* encode CertName into output, return total bytes written */
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3659,7 +3659,7 @@ struct WOLFSSL_X509 {
    WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */
    WOLFSSL_STACK* ext_d2i;/* Store d2i extensions from wolfSSL_X509_get_ext_d2i */
 #endif /* WOLFSSL_QT || OPENSSL_ALL */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
    WOLFSSL_ASN1_INTEGER* serialNumber; /* Stores SN from wolfSSL_X509_get_serialNumber */
 #endif
    WOLFSSL_ASN1_TIME notBefore;
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -191,7 +191,7 @@ typedef struct WOLFSSL_AUTHORITY_KEYID  WOLFSSL_AUTHORITY_KEYID;
 typedef struct WOLFSSL_BASIC_CONSTRAINTS WOLFSSL_BASIC_CONSTRAINTS;
 typedef struct WOLFSSL_ACCESS_DESCRIPTION WOLFSSL_ACCESS_DESCRIPTION;
-#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 struct WOLFSSL_AUTHORITY_KEYID {
    WOLFSSL_ASN1_STRING *keyid;
@@ -3320,6 +3320,11 @@ WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);
 #endif /* !NO_CERTS */
 #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 #ifdef WOLFSSL_WPAS_SMALL
    /* WPA Supplicant requires GEN_ values */
    #include <wolfssl/openssl/x509v3.h>
 #endif
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509,
                                                     int nid, int* c, int* idx);