From 24bfea1ad2c8032aa5380356de08334f4f6267fc Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 20 Aug 2019 10:38:08 -0700 Subject: [PATCH] Fixes for various build options (!NO_RSA, HAVE_ECC, NO_PKCS8, NO_PKCS12). Added new `NO_CHECK_PRIVATE_KEY` to allow reduce code size when not required. --- src/ssl.c | 5 +++-- tests/api.c | 42 +++++++++++++++++++++++--------------- wolfcrypt/src/asn.c | 30 +++++++++++++++++++++------ wolfcrypt/src/wc_encrypt.c | 2 ++ wolfcrypt/test/test.c | 5 ++++- 5 files changed, 58 insertions(+), 26 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 1527b7eec0..77172d301f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6279,7 +6279,7 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, return ret; } - +#ifndef NO_CHECK_PRIVATE_KEY /* Check private against public in certificate for match * * ctx WOLFSSL_CTX structure to check private key in @@ -6339,10 +6339,11 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) return WOLFSSL_FAILURE; #endif } +#endif /* !NO_CHECK_PRIVATE_KEY */ + #ifdef HAVE_CRL - /* check CRL if enabled, WOLFSSL_SUCCESS */ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) { diff --git a/tests/api.c b/tests/api.c index 497ba96073..2ea8c337ce 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4390,8 +4390,8 @@ static void test_wolfSSL_PKCS12(void) #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && \ - !defined(NO_PWDBASED) && !defined(NO_RSA) + defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_PWDBASED) && \ + (!defined(NO_RSA) || defined(HAVE_ECC)) #define TEST_PKCS8_ENC #endif @@ -4425,10 +4425,14 @@ static void test_wolfSSL_PKCS8(void) #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) byte buffer[FOURK_BUF]; byte der[FOURK_BUF]; + #ifndef NO_RSA + const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem"; + const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der"; + #endif const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; - const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; - const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem"; - const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der"; + #ifdef HAVE_ECC + const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; + #endif XFILE f; int bytes; WOLFSSL_CTX* ctx; @@ -4438,8 +4442,10 @@ static void test_wolfSSL_PKCS8(void) word32 x = 0; #endif #ifdef TEST_PKCS8_ENC - const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem"; - const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der"; + #ifndef NO_RSA + const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem"; + const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der"; + #endif #ifdef HAVE_ECC const char eccPkcs8EncPrivKeyPemFile[] = "./certs/ecc-keyPkcs8Enc.pem"; const char eccPkcs8EncPrivKeyDerFile[] = "./certs/ecc-keyPkcs8Enc.der"; @@ -4466,13 +4472,14 @@ static void test_wolfSSL_PKCS8(void) #ifdef TEST_PKCS8_ENC wolfSSL_CTX_set_default_passwd_cb(ctx, PKCS8TestCallBack); wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); + flag = 1; /* used by password callback as return code */ + #ifndef NO_RSA /* test loading PEM PKCS8 encrypted file */ f = XFOPEN(serverKeyPkcs8EncPemFile, "rb"); AssertTrue((f != XBADFILE)); bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); XFCLOSE(f); - flag = 1; /* used by password callback as return code */ AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); @@ -4502,6 +4509,7 @@ static void test_wolfSSL_PKCS8(void) flag = 0; /* used by password callback as return code */ AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + #endif /* !NO_RSA */ #ifdef HAVE_ECC /* test loading PEM PKCS8 encrypted ECC Key file */ @@ -4542,10 +4550,11 @@ static void test_wolfSSL_PKCS8(void) /* leave flag as "okay" */ flag = 1; - #endif + #endif /* HAVE_ECC */ #endif /* TEST_PKCS8_ENC */ +#ifndef NO_RSA /* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */ f = XFOPEN(serverKeyPkcs8DerFile, "rb"); AssertTrue((f != XBADFILE)); @@ -4561,14 +4570,13 @@ static void test_wolfSSL_PKCS8(void) XFCLOSE(f); AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - +#endif /* !NO_RSA */ /* Test PKCS8 PEM ECC key no crypt */ f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb"); AssertTrue((f != XBADFILE)); bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); XFCLOSE(f); - #ifdef HAVE_ECC /* Test PKCS8 PEM ECC key no crypt */ AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, @@ -4583,12 +4591,7 @@ static void test_wolfSSL_PKCS8(void) wc_ecc_free(&key); } AssertIntEQ(ret, 0); -#else - AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der, - (word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER); -#endif -#ifdef HAVE_ECC /* Test PKCS8 DER ECC key no crypt */ f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb"); AssertTrue((f != XBADFILE)); @@ -4598,7 +4601,10 @@ static void test_wolfSSL_PKCS8(void) /* Test using a PKCS8 ECC PEM */ AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif +#else + AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der, + (word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER); +#endif /* HAVE_ECC */ wolfSSL_CTX_free(ctx); @@ -18459,6 +18465,7 @@ static void test_wolfSSL_private_keys(void) AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, (unsigned char*)client_key_der_2048, sizeof_client_key_der_2048), WOLFSSL_SUCCESS); +#ifndef NO_CHECK_PRIVATE_KEY #ifndef HAVE_USER_RSA /* Should mismatch now that a different private key loaded */ AssertIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); @@ -18469,6 +18476,7 @@ static void test_wolfSSL_private_keys(void) sizeof_server_key_der_2048), WOLFSSL_SUCCESS); /* After loading back in DER format of original key, should match */ AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); +#endif /* !NO_CHECK_PRIVATE_KEY */ /* pkey not set yet, expecting to fail */ AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_FAILURE); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 20afdffd97..4679b86b59 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2312,7 +2312,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, #endif /* HAVE_USER_RSA */ #endif /* NO_RSA */ -#ifdef HAVE_PKCS8 +#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) /* Remove PKCS8 header, place inOutIdx at beginning of traditional, * return traditional length on success, negative on error */ @@ -2383,6 +2383,10 @@ int ToTraditional(byte* input, word32 sz) return ToTraditional_ex(input, sz, &oid); } +#endif /* HAVE_PKCS8 || HAVE_PKCS12 */ + +#ifdef HAVE_PKCS8 + /* find beginning of traditional key inside PKCS#8 unencrypted buffer * return traditional length on success, with inOutIdx at beginning of * traditional @@ -2513,7 +2517,7 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, #endif /* HAVE_PKCS8 */ -#ifdef HAVE_PKCS12 +#if defined(HAVE_PKCS12) || !defined(NO_CHECK_PRIVATE_KEY) /* check that the private key is a pair for the public key in certificate * return 1 (true) on match * return 0 or negative value on failure/error @@ -2716,11 +2720,11 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der) return ret; } -#endif /* HAVE_PKCS12 */ +#endif /* HAVE_PKCS12 || !NO_CHECK_PRIVATE_KEY */ #ifndef NO_PWDBASED -#ifdef HAVE_PKCS8 +#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) /* Check To see if PKCS version algo is supported, set id if it is return 0 < 0 on error */ static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz) @@ -2780,7 +2784,6 @@ static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz) } } - /* Check To see if PKCS v2 algo is supported, set id if it is return 0 < 0 on error */ static int CheckAlgoV2(int oid, int* id, int* blockSz) @@ -2810,6 +2813,9 @@ static int CheckAlgoV2(int oid, int* id, int* blockSz) } } +#endif /* HAVE_PKCS8 || HAVE_PKCS12 */ + +#ifdef HAVE_PKCS8 int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, int* algoID, void* heap) @@ -2894,6 +2900,10 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, return 1; } +#endif /* HAVE_PKCS8 */ + +#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) + #define PKCS8_MIN_BLOCK_SIZE 8 static int Pkcs8Pad(byte* buf, int sz, int blockSz) { @@ -2913,6 +2923,10 @@ static int Pkcs8Pad(byte* buf, int sz, int blockSz) return sz + padSz; } +#endif /* HAVE_PKCS8 || HAVE_PKCS12 */ + +#ifdef HAVE_PKCS8 + /* * Used when creating PKCS12 shrouded key bags * vPKCS is the version of PKCS to use @@ -3353,6 +3367,10 @@ int TraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz, return ret; } +#endif /* HAVE_PKCS8 */ + +#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12) + /* Remove Encrypted PKCS8 header, move beginning of traditional to beginning of input */ int ToTraditionalEnc(byte* input, word32 sz,const char* password, @@ -3496,7 +3514,7 @@ exit_tte: return ret; } -#endif /* HAVE_PKCS8 */ +#endif /* HAVE_PKCS8 || HAVE_PKCS12 */ #ifdef HAVE_PKCS12 diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 9bc9e558c4..20c62c55cc 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -440,6 +440,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations, derivedLen, typeH); #endif +#ifdef HAVE_PKCS12 else if (version == PKCS12v1) { int i, idx = 0; byte unicodePasswd[MAX_UNICODE_SZ]; @@ -465,6 +466,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, iterations, 8, typeH, 2); } +#endif /* HAVE_PKCS12 */ else { #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index fc4c0b211b..d359fe9560 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -15798,6 +15798,7 @@ int scrypt_test(void) } #endif +#ifdef HAVE_PKCS12 int pkcs12_test(void) { const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67, @@ -15849,7 +15850,7 @@ int pkcs12_test(void) return 0; } - +#endif /* HAVE_PKCS12 */ int pbkdf2_test(void) { @@ -15914,9 +15915,11 @@ int pwdbased_test(void) ret = pbkdf2_test(); if (ret != 0) return ret; +#ifdef HAVE_PKCS12 ret = pkcs12_test(); if (ret != 0) return ret; +#endif #ifdef HAVE_SCRYPT ret = scrypt_test(); if (ret != 0)