diff --git a/configure.ac b/configure.ac index b2a05e73d..876db3f50 100644 --- a/configure.ac +++ b/configure.ac @@ -871,8 +871,8 @@ fi # ASN -# turn off asn, which means no certs, no rsa, no dh, no dsa, no ecc, -# and no big int, use this to disable all public key stuff +# turn off asn, which means no certs, no rsa, no dsa, no ecc, +# and no big int (unless dh is on) AC_ARG_ENABLE([asn], [ --enable-asn Enable ASN (default: enabled)], [ ENABLED_ASN=$enableval ], @@ -881,7 +881,12 @@ AC_ARG_ENABLE([asn], if test "$ENABLED_ASN" = "no" then - AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT" + AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS" + if test "$ENABLED_DH" = "no" + then + # DH needs bigint + AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT" + fi else # turn off ASN if leanpsk on if test "$ENABLED_LEANPSK" = "yes" @@ -901,11 +906,6 @@ then AC_MSG_ERROR([please disable dsa if disabling asn.]) fi -if test "$ENABLED_DH" = "yes" && test "$ENABLED_ASN" = "no" -then - AC_MSG_ERROR([please disable dh if disabling asn.]) -fi - if test "$ENABLED_ECC" = "yes" && test "$ENABLED_ASN" = "no" then AC_MSG_ERROR([please disable ecc if disabling asn.]) @@ -916,7 +916,8 @@ then AC_MSG_ERROR([please enable psk if disabling asn.]) fi -if test "$ENABLED_ASN" = "no" +# DH needs bigint +if test "$ENABLED_ASN" = "no" && test "$ENABLED_DH" = "no" then ENABLED_FASTMATH=no ENABLED_SLOWMATH=no @@ -1623,10 +1624,16 @@ AC_ARG_ENABLE([fastmath], if test "x$ENABLED_FASTMATH" = "xyes" then - # turn off fastmth if leanpsk on or asn off + # turn off fastmth if leanpsk on or asn off (w/o dh) if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no" then - ENABLED_FASTMATH=no + if test "$ENABLED_DH" = "no" + then + ENABLED_FASTMATH=no + else + AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" + ENABLED_SLOWMATH="no" + fi else AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" ENABLED_SLOWMATH="no" diff --git a/examples/client/client.c b/examples/client/client.c index 1883b3bf9..9306ce80c 100644 --- a/examples/client/client.c 
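Review bot: The nested `ENABLED_DH` test in the fastmath hunk runs for `ENABLED_LEANPSK = yes` as well as for `ENABLED_ASN = no`, so a leanpsk build that leaves DH on now gets `-DUSE_FAST_MATH` where fastmath used to be switched off (unless leanpsk forces DH off elsewhere, which is not visible here). If only the asn-off case is meant to change, fold DH into the outer condition, `if test "$ENABLED_LEANPSK" = "yes" || { test "$ENABLED_ASN" = "no" && test "$ENABLED_DH" = "no"; }`, which also removes the duplicated `USE_FAST_MATH` branch. The `-DNO_BIG_INT` hunk and the `ENABLED_FASTMATH=no` hunk both read `$ENABLED_DH` near line 881 to 916, so confirm the DH option is parsed before that point. An unset value compares unequal to "no", which would silently keep big int and fastmath enabled.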
+++ b/examples/client/client.c @@ -531,12 +531,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); if (cipherList == NULL) { const char *defaultCipherList; - #ifdef HAVE_NULL_CIPHER + #if defined(HAVE_AESGCM) && !defined(NO_DH) + defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; + #elif defined(HAVE_NULL_CIPHER) defaultCipherList = "PSK-NULL-SHA256"; #else defaultCipherList = "PSK-AES128-CBC-SHA256"; #endif - if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS) + if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) + !=SSL_SUCCESS) err_sys("client can't set cipher list 2"); } #endif diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 18b39100d..680c11d5e 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -237,7 +237,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) ssl = CyaSSL_new(ctx); if (ssl == NULL) err_sys("SSL_new failed"); CyaSSL_set_fd(ssl, clientfd); - #if !defined(NO_FILESYSTEM) && !defined(NO_DH) + #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); #elif !defined(NO_DH) SetDH(ssl); /* will repick suites with DHE, higher than PSK */ diff --git a/examples/server/server.c b/examples/server/server.c index 728b3dbe9..573bbbfad 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -168,6 +168,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int usePsk = 0; int useAnon = 0; int doDTLS = 0; + int needDH = 0; int useNtruKey = 0; int nonBlocking = 0; int trackMemory = 0; @@ -201,6 +202,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif (void)trackMemory; (void)pkCallbacks; + (void)needDH; #ifdef CYASSL_TIRTOS fdOpenSession(Task_self()); 
@@ -444,7 +446,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); if (cipherList == NULL) { const char *defaultCipherList; - #ifdef HAVE_NULL_CIPHER + #if defined(HAVE_AESGCM) && !defined(NO_DH) + defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; + needDH = 1; + #elif defined(HAVE_NULL_CIPHER) defaultCipherList = "PSK-NULL-SHA256"; #else defaultCipherList = "PSK-AES128-CBC-SHA256"; @@ -522,8 +527,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) CloseSocket(sockfd); SSL_set_fd(ssl, clientfd); - if (usePsk == 0 || useAnon == 1 || cipherList != NULL) { - #if !defined(NO_FILESYSTEM) && !defined(NO_DH) + if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) { + #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); #elif !defined(NO_DH) SetDH(ssl); /* repick suites with DHE, higher priority than PSK */ diff --git a/src/internal.c b/src/internal.c index db43afbce..26760cc2b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -29,6 +29,7 @@ #include #include #include +#include #ifdef NO_INLINE #include #else @@ -426,9 +427,11 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) if (ctx->suites) XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); -#ifndef NO_CERTS +#ifndef NO_DH XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); +#endif +#ifndef NO_CERTS XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); 
@@ -1548,15 +1551,17 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.quietShutdown = ctx->quietShutdown; ssl->options.groupMessages = ctx->groupMessages; +#ifndef NO_DH + if (ssl->options.side == WOLFSSL_SERVER_END) { + ssl->buffers.serverDH_P = ctx->serverDH_P; + ssl->buffers.serverDH_G = ctx->serverDH_G; + } +#endif #ifndef NO_CERTS /* ctx still owns certificate, certChain, key, dh, and cm */ ssl->buffers.certificate = ctx->certificate; ssl->buffers.certChain = ctx->certChain; ssl->buffers.key = ctx->privateKey; - if (ssl->options.side == WOLFSSL_SERVER_END) { - ssl->buffers.serverDH_P = ctx->serverDH_P; - ssl->buffers.serverDH_G = ctx->serverDH_G; - } #endif #ifdef WOLFSSL_DTLS @@ -1725,7 +1730,7 @@ void SSL_ResourceFree(WOLFSSL* ssl) XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); -#ifndef NO_CERTS +#ifndef NO_DH XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); /* parameters (p,g) may be owned by ctx */ @@ -1733,7 +1738,8 @@ void SSL_ResourceFree(WOLFSSL* ssl) XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); } - +#endif +#ifndef NO_CERTS if (ssl->buffers.weOwnCert) XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); if (ssl->buffers.weOwnCertChain) @@ -1890,7 +1896,7 @@ void FreeHandshakeResources(WOLFSSL* ssl) ssl->eccTempKey = NULL; } #endif -#ifndef NO_CERTS +#ifndef NO_DH XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); ssl->buffers.serverDH_Priv.buffer = NULL; XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); 
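Review bot: The ownership comment `/* ctx still owns certificate, certChain, key, dh, and cm */` stays inside the `NO_CERTS` block in InitSSL, while the `serverDH_P`/`serverDH_G` assignments it covers move above it under `NO_DH`. In a `NO_CERTS` build the ssl still aliases the ctx's DH buffers, but nothing at the assignment says so, and a mistaken free there would be a double free against the `SSL_CtxResourceFree` hunk. Add `/* ctx still owns dh (p,g) unless the ssl later sets its own */` in the new `NO_DH` block and drop `dh` from the old comment. InitSSL begins and ends outside this hunk.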
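Review bot: `ssl->buffers.serverDH_Priv.buffer`, which by its name holds the ephemeral DH private value, is released with a plain `XFREE` in the SSL_ResourceFree hunk and again in the FreeHandshakeResources hunks that follow. These frees now also compile into cert-less PSK builds, so this is a good point to clear the buffer over its full length before freeing it. Whether `XFREE` or the configured allocator scrubs memory is not visible in this diff, so treat this as hardening to confirm. The clear should use a routine the compiler cannot elide, not a bare `memset` placed directly before the free.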
@@ -1902,7 +1908,8 @@ void FreeHandshakeResources(WOLFSSL* ssl) XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); ssl->buffers.serverDH_P.buffer = NULL; } - +#endif +#ifndef NO_CERTS if (ssl->buffers.weOwnCert) { XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); ssl->buffers.certificate.buffer = NULL; @@ -9896,6 +9903,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl, byte sigAlgo = ssl->specs.sig_algo; word16 verifySz = (word16) (*inOutIdx - begin); + (void)hash; + /* save message for hash verify */ if (verifySz > MAX_DH_SZ) ERROR_OUT(BUFFER_ERROR, done); diff --git a/src/ssl.c b/src/ssl.c index 133d637e7..581836dac 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5606,11 +5606,11 @@ static INLINE word32 HashSession(const byte* sessionID, word32 len, int* error) byte digest[MAX_DIGEST_SIZE]; #ifndef NO_MD5 - *error = wc_Md5Hash(sessionID, len, digest); + *error = wc_Md5Hash(sessionID, len, digest); #elif !defined(NO_SHA) - *error = wc_ShaHash(sessionID, len, digest); + *error = wc_ShaHash(sessionID, len, digest); #elif !defined(NO_SHA256) - *error = Sha256Hash(sessionID, len, digest); + *error = wc_Sha256Hash(sessionID, len, digest); #else #error "We need a digest to hash the session IDs" #endif diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 8b1152cf4..912ba6f3c 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -93,7 +93,8 @@ #define SHOW_INTEL_CYCLES #endif -#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) +#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \ + || !defined(NO_DH) /* include test cert and key buffers for use with NO_FILESYSTEM */ #if defined(WOLFSSL_MDK_ARM) #include "cert_data.h" /* use certs_test.c for initial data, 
@@ -1218,6 +1219,8 @@ void bench_rsa(void) void set_Bench_DH_File(char * cert) { certDHname = cert ; } #elif defined(FREESCALE_MQX) static char *certDHname = "a:\\certs\\dh2048.der"; + #elif defined(NO_ASN) + /* do nothing, but don't need a file */ #else static const char *certDHname = "certs/dh2048.der"; #endif @@ -1240,6 +1243,9 @@ void bench_dh(void) DhKey dhKey; int dhKeySz = 2048; /* used in printf */ + (void)idx; + (void)tmp; + #ifdef USE_CERT_BUFFERS_1024 XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024); @@ -1248,6 +1254,9 @@ void bench_dh(void) #elif defined(USE_CERT_BUFFERS_2048) XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048); bytes = sizeof_dh_key_der_2048; +#elif defined(NO_ASN) + dhKeySz = 1024; + /* do nothing, but don't use default FILE */ #else FILE* file = fopen(certDHname, "rb"); @@ -1261,12 +1270,16 @@ void bench_dh(void) wc_InitDhKey(&dhKey); +#ifdef NO_ASN + bytes = wc_DhSetKey(&dhKey, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g)); +#else bytes = wc_DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes); + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + fclose(file); + #endif +#endif if (bytes != 0) { printf("dhekydecode failed, can't benchmark\n"); - #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - fclose(file); - #endif return; } @@ -1295,9 +1308,6 @@ void bench_dh(void) printf("DH %d key agreement %6.3f milliseconds, avg over %d" " iterations\n", dhKeySz, milliEach, ntimes); -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - fclose(file); -#endif wc_FreeDhKey(&dhKey); } #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 95208e448..a79e85062 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
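Review bot: With both `NO_ASN` and `USE_CERT_BUFFERS_2048` defined, the `#elif defined(NO_ASN)` arm that sets `dhKeySz = 1024` in bench_dh is never reached, yet the later `#ifdef NO_ASN` block still loads the 1024-bit `dh_p`/`dh_g`, so the report line would print 2048 for a 1024-bit group. Derive the size next to the call instead, `dhKeySz = (int)sizeof(dh_p) * 8;`, inside the `#ifdef NO_ASN` block. The failure message `"dhekydecode failed, can't benchmark\n"` is also printed when `wc_DhSetKey` fails, so a neutral wording such as "dh key setup failed" would fit both paths. bench_dh starts outside these hunks.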
@@ -1318,40 +1318,6 @@ int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) return 0; } -int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g, word32 gSz) -{ - if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0) - return BAD_FUNC_ARG; - - /* may have leading 0 */ - if (p[0] == 0) { - pSz--; p++; - } - - if (g[0] == 0) { - gSz--; g++; - } - - if (mp_init(&key->p) != MP_OKAY) - return MP_INIT_E; - if (mp_read_unsigned_bin(&key->p, p, pSz) != 0) { - mp_clear(&key->p); - return ASN_DH_KEY_E; - } - - if (mp_init(&key->g) != MP_OKAY) { - mp_clear(&key->p); - return MP_INIT_E; - } - if (mp_read_unsigned_bin(&key->g, g, gSz) != 0) { - mp_clear(&key->g); - mp_clear(&key->p); - return ASN_DH_KEY_E; - } - - return 0; -} - int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, byte* g, word32* gInOutSz) diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index c8d4137f3..8bbaeab20 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -174,5 +174,42 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, } +/* not in asn anymore since no actual asn types used */ +int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g, + word32 gSz) +{ + if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0) + return BAD_FUNC_ARG; + + /* may have leading 0 */ + if (p[0] == 0) { + pSz--; p++; + } + + if (g[0] == 0) { + gSz--; g++; + } + + if (mp_init(&key->p) != MP_OKAY) + return MP_INIT_E; + if (mp_read_unsigned_bin(&key->p, p, pSz) != 0) { + mp_clear(&key->p); + return ASN_DH_KEY_E; + } + + if (mp_init(&key->g) != MP_OKAY) { + mp_clear(&key->p); + return MP_INIT_E; + } + if (mp_read_unsigned_bin(&key->g, g, gSz) != 0) { + mp_clear(&key->g); + mp_clear(&key->p); + return ASN_DH_KEY_E; + } + + return 0; +} + + #endif /* NO_DH */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 2b5adbeb9..dd0951869 100644 --- a/wolfcrypt/test/test.c 
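Review bot: After the leading-zero strip in `wc_DhSetKey`, `pSz` or `gSz` can drop to 0 when the input is the single byte 0x00, because the length check at the top runs before the strip. The function then reads a zero-length value and presumably returns success with p or g equal to zero. Re-check after the strip with `if (pSz == 0 || gSz == 0) return BAD_FUNC_ARG;`. This routine is now the entry point for `NO_ASN` callers that pass raw parameters, so the header comment should say more than where the code used to live: state that the bytes are read as unsigned big-endian integers and that no group validation (size, primality of p, range of g) is done here.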
+++ b/wolfcrypt/test/test.c @@ -95,7 +95,8 @@ #endif -#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) +#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \ + || !defined(NO_DH) /* include test cert and key buffers for use with NO_FILESYSTEM */ #if defined(WOLFSSL_MDK_ARM) #include "cert_data.h" @@ -4241,6 +4242,8 @@ int rsa_test(void) #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) #ifdef FREESCALE_MQX static const char* dhKey = "a:\\certs\\dh2048.der"; + #elif defined(NO_ASN) + /* don't use file, no DER parsing */ #else static const char* dhKey = "./certs/dh2048.der"; #endif @@ -4262,6 +4265,9 @@ int dh_test(void) DhKey key2; RNG rng; + (void)idx; + (void)tmp; + (void)bytes; #ifdef USE_CERT_BUFFERS_1024 XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024); @@ -4269,6 +4275,8 @@ int dh_test(void) #elif defined(USE_CERT_BUFFERS_2048) XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048); bytes = sizeof_dh_key_der_2048; +#elif defined(NO_ASN) + /* don't use file, no DER parsing */ #else FILE* file = fopen(dhKey, "rb"); @@ -4281,6 +4289,15 @@ int dh_test(void) wc_InitDhKey(&key); wc_InitDhKey(&key2); +#ifdef NO_ASN + ret = wc_DhSetKey(&key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g)); + if (ret != 0) + return -51; + + ret = wc_DhSetKey(&key2, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g)); + if (ret != 0) + return -51; +#else ret = wc_DhKeyDecode(tmp, &idx, &key, bytes); if (ret != 0) return -51; @@ -4289,6 +4306,7 @@ int dh_test(void) ret = wc_DhKeyDecode(tmp, &idx, &key2, bytes); if (ret != 0) return -52; +#endif ret = wc_InitRng(&rng); if (ret != 0) diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index 69007d625..c3561c5f7 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h 
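Review bot: Both `wc_DhSetKey` failures in the new `NO_ASN` branch of dh_test return -51, while the decode branch directly below uses -51 for `key` and -52 for `key2`. Return -52 for the second call so a failing run still identifies which key setup broke: `if (ret != 0) return -52;`. dh_test begins and ends outside this hunk.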
@@ -1192,5 +1192,28 @@ const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048); #endif /* USE_CERT_BUFFERS_1024 */ +/* dh1024 p */ +static unsigned char dh_p[] = +{ + 0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3, + 0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E, + 0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59, + 0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2, + 0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD, + 0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF, + 0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02, + 0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C, + 0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7, + 0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50, + 0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B, +}; + +/* dh1024 g */ +static unsigned char dh_g[] = +{ + 0x02, +}; + + #endif /* CYASSL_CERTS_TEST_H */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a18858247..11907d057 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -463,7 +463,8 @@ typedef byte word24[3]; #endif #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \ + defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) #define BUILD_AESGCM #endif 
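Review bot: `dh_p` and `dh_g` are added as writable `static` arrays outside every `USE_CERT_BUFFERS_*` guard, and the test.c and benchmark.c hunks now include this header whenever `NO_DH` is not defined. Every such translation unit therefore gets its own mutable copy, and builds without `NO_ASN` never reference them, which will likely trigger an unused-variable warning. Declare them `static const unsigned char dh_p[]` and `static const unsigned char dh_g[]`, and wrap both in `#if !defined(NO_DH) && defined(NO_ASN)`; `wc_DhSetKey` already takes `const byte*`. The `/* dh1024 p */` comment could also note that this is a fixed 1024-bit test group used only by the test and benchmark programs.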
@@ -1417,13 +1418,15 @@ struct WOLFSSL_CTX { WOLFSSL_METHOD* method; wolfSSL_Mutex countMutex; /* reference count mutex */ int refCount; /* reference count */ +#ifndef NO_DH + buffer serverDH_P; + buffer serverDH_G; +#endif #ifndef NO_CERTS buffer certificate; buffer certChain; /* chain after self, in DER, with leading size for each cert */ buffer privateKey; - buffer serverDH_P; - buffer serverDH_G; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ #endif Suites* suites; /* make dynamic, user may not need/set */ @@ -1753,16 +1756,18 @@ typedef struct Buffers { byte weOwnCertChain; /* SSL own cert chain flag */ byte weOwnKey; /* SSL own key flag */ byte weOwnDH; /* SSL own dh (p,g) flag */ -#ifndef NO_CERTS - buffer certificate; /* WOLFSSL_CTX owns, unless we own */ - buffer key; /* WOLFSSL_CTX owns, unless we own */ - buffer certChain; /* WOLFSSL_CTX owns, unless we own */ - /* chain after self, in DER, with leading size for each cert */ - buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */ - buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */ +#ifndef NO_DH + buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */ + buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */ buffer serverDH_Pub; buffer serverDH_Priv; #endif +#ifndef NO_CERTS + buffer certificate; /* WOLFSSL_CTX owns, unless we own */ + buffer key; /* WOLFSSL_CTX owns, unless we own */ + buffer certChain; /* WOLFSSL_CTX owns, unless we own */ + /* chain after self, in DER, with leading size for each cert */ +#endif #ifdef WOLFSSL_DTLS WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2f090a20f..afee66e47 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -876,8 +876,7 @@ WOLFSSL_API WOLFSSL_X509* /* connect enough to get peer cert */ WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl); -/* XXX This should be #ifndef NO_DH */ -#ifndef NO_CERTS +#ifndef NO_DH /* server Diffie-Hellman parameters */ WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); @@ -899,7 +898,7 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); WOLFSSL_API int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f, int format); #endif -#endif +#endif /* NO_DH */ /* keyblock size in bytes or -1 */ /* need to call wolfSSL_KeepArrays before handshake to save keys */ diff --git a/wolfssl/test.h b/wolfssl/test.h index c87d6b084..104b3f73d 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -965,15 +965,6 @@ static INLINE void CRL_CallBack(const char* url) #endif -#ifndef NO_CERTS - -static INLINE void CaCb(unsigned char* der, int sz, int type) -{ - (void)der; - printf("Got CA cache add callback, derSz = %d, type = %d\n", sz, type); -} - - #ifndef NO_DH static INLINE void SetDH(WOLFSSL* ssl) { @@ -1029,6 +1020,15 @@ static INLINE void SetDHCtx(WOLFSSL_CTX* ctx) wolfSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g)); } #endif /* NO_DH */ + +#ifndef NO_CERTS + +static INLINE void CaCb(unsigned char* der, int sz, int type) +{ + (void)der; + printf("Got CA cache add callback, derSz = %d, type = %d\n", sz, type); +} + #endif /* !NO_CERTS */ #ifdef HAVE_CAVIUM
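Review bot: Switching the ssl.h guard from `NO_CERTS` to `NO_DH` also exposes `wolfSSL_CTX_SetTmpDH_file`, and any other file or buffer loaders inside this block, to builds that have DH but define `NO_ASN`. The example servers in this same commit add `!defined(NO_ASN)` before calling `CyaSSL_SetTmpDH_file`, which suggests the loader cannot work there. The implementations are not among the visible hunks, so confirm they are compiled out or return an error in that configuration. If they are not, add `!defined(NO_ASN)` to the guard around those declarations. A one-line comment above `wolfSSL_SetTmpDH` saying it takes raw p and g byte arrays and needs no ASN parsing would point `NO_ASN` users at the right entry point.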