diff --git a/Makefile.am b/Makefile.am index 71d7ae651..f0c2b8cbf 100644 --- a/Makefile.am +++ b/Makefile.am @@ -126,7 +126,8 @@ CLEANFILES+= ecc-key.der \ pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der \ pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der \ tests/test-log-dump-to-file.txt \ - MyKeyLog.txt + MyKeyLog.txt \ + .build_params exampledir = $(docdir)/example dist_example_DATA= diff --git a/configure.ac b/configure.ac index f4655ba6b..d8b11169a 100644 --- a/configure.ac +++ b/configure.ac @@ -5185,9 +5185,9 @@ AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"]) if test "$ENABLED_CRYPTONLY" = "yes" then - if test "$ENABLED_OPENSSLEXTRA" = "yes" + if test "$ENABLED_OPENSSLALL" = "yes" then - AC_MSG_ERROR([cryptonly and opensslextra are mutually incompatible.]) + AC_MSG_ERROR([cryptonly and opensslall are mutually incompatible.]) fi AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY" fi @@ -7207,6 +7207,12 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION" fi +if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" +then + AM_CFLAGS="-include ${output_objdir}/.build_params $AM_CFLAGS" +fi + + CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) AC_SUBST([AM_CFLAGS]) @@ -7258,7 +7264,6 @@ then echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" > ${output_objdir}/.build_params && echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> ${output_objdir}/.build_params || AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.]) - AM_CFLAGS="-include ${output_objdir}/.build_params $AM_CFLAGS" fi # generate user options header diff --git a/src/ssl.c b/src/ssl.c index 3a4912d1e..62f7a7f13 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -62,8 +62,9 @@ #endif #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(HAVE_WEBSERVER) || defined(WOLFSSL_KEY_GEN) +#if !defined(WOLFCRYPT_ONLY) && (defined(OPENSSL_EXTRA) \ + || defined(OPENSSL_EXTRA_X509_SMALL) \ + || defined(HAVE_WEBSERVER) || defined(WOLFSSL_KEY_GEN)) #include /* openssl headers end, wolfssl internal headers next */ #endif @@ -77,15 +78,19 @@ #ifdef OPENSSL_EXTRA /* openssl headers begin */ #include +#ifndef WOLFCRYPT_ONLY #include #include +#endif #include #include #include #include #include #include +#ifndef WOLFCRYPT_ONLY #include +#endif #include #include #include diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2a535c0b9..50811fcd8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -9993,7 +9993,8 @@ WOLFSSL_API int EccEnumToNID(int n) #endif /* HAVE_ECC */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) /* Convert shortname to NID. * * For OpenSSL compatability. diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index be68439d3..d086131db 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -3994,12 +3994,12 @@ static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point, k = k_lcl; if (mp_init(k) != MP_OKAY) { err = MEMORY_E; - goto out; + goto errout; } /* multiply cofactor times private key "k" */ err = mp_mul_d(&private_key->k, cofactor, k); if (err != MP_OKAY) - goto out; + goto errout; } } #endif @@ -4028,8 +4028,8 @@ static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point, #if defined(WOLFSSL_SP_MATH) { err = WC_KEY_SIZE_E; - (void)curve; + goto errout; } #else { @@ -4041,7 +4041,7 @@ static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point, #endif err = wc_ecc_new_point_ex(&result, private_key->heap); if (err != MP_OKAY) - goto out; + goto errout; #ifdef ECC_TIMING_RESISTANT if (private_key->rng == NULL) { @@ -4085,15 +4085,15 @@ static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point, } #endif - out: + errout: #ifdef HAVE_ECC_CDH if (k == k_lcl) mp_clear(k); -#endif #ifdef WOLFSSL_SMALL_STACK if (k_lcl != NULL) XFREE(k_lcl, private_key->heap, DYNAMIC_TYPE_ECC_BUFFER); +#endif #endif WOLFSSL_LEAVE("wc_ecc_shared_secret_gen_sync", err); @@ -10278,43 +10278,44 @@ static int build_lut(int idx, mp_int* a, mp_int* modulus, mp_digit mp, #endif err = mp_init(tmp); - if (err != MP_OKAY) + if (err != MP_OKAY) { err = GEN_MEM_ERR; + goto errout; + } /* sanity check to make sure lut_order table is of correct size, should compile out to a NOP if true */ if ((sizeof(lut_orders) / sizeof(lut_orders[0])) < (1U<x, mu, modulus, + if ((mp_mulmod(fp_cache[idx].g->x, mu, modulus, fp_cache[idx].LUT[1]->x) != MP_OKAY) || - (mp_mulmod(fp_cache[idx].g->y, mu, modulus, + (mp_mulmod(fp_cache[idx].g->y, mu, modulus, fp_cache[idx].LUT[1]->y) != MP_OKAY) || - (mp_mulmod(fp_cache[idx].g->z, mu, modulus, + (mp_mulmod(fp_cache[idx].g->z, mu, modulus, fp_cache[idx].LUT[1]->z) != MP_OKAY)) { err = MP_MULMOD_E; - } + goto errout; } /* make all single bit entries */ for (x = 1; x < FP_LUT; x++) { - if (err != MP_OKAY) - break; if ((mp_copy(fp_cache[idx].LUT[1<<(x-1)]->x, fp_cache[idx].LUT[1<x) != MP_OKAY) || (mp_copy(fp_cache[idx].LUT[1<<(x-1)]->y, @@ -10322,14 +10323,14 @@ static int build_lut(int idx, mp_int* a, mp_int* modulus, mp_digit mp, (mp_copy(fp_cache[idx].LUT[1<<(x-1)]->z, fp_cache[idx].LUT[1<z) != MP_OKAY)){ err = MP_INIT_E; - break; + goto errout; } else { /* now double it bitlen/FP_LUT times */ for (y = 0; y < lut_gap; y++) { if ((err = ecc_projective_dbl_point_safe(fp_cache[idx].LUT[1<z); } + errout: + mp_clear(tmp); #ifdef WOLFSSL_SMALL_STACK XFREE(tmp, NULL, DYNAMIC_TYPE_ECC_BUFFER); diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index a69573af9..f03078683 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -537,13 +537,14 @@ void mp_clamp (mp_int * a) /* swap the elements of two integers, for cases where you can't simply swap the * mp_int pointers around */ -void mp_exch (mp_int * a, mp_int * b) +int mp_exch (mp_int * a, mp_int * b) { mp_int t; t = *a; *a = *b; *b = t; + return MP_OKAY; } int mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index da235049f..fbf836515 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -61,7 +61,8 @@ #include #endif -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) \ + && !defined(WOLFCRYPT_ONLY) #include #endif diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 82c4a128c..f72aca7d8 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -316,9 +316,9 @@ _Pragma("GCC diagnostic ignored \"-Wunused-function\"") #ifdef OPENSSL_EXTRA #ifndef WOLFCRYPT_ONLY #include + #include #endif #include - #include #include #include #endif @@ -406,7 +406,7 @@ WOLFSSL_TEST_SUBROUTINE int hmac_sha256_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha384_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha512_test(void); WOLFSSL_TEST_SUBROUTINE int hmac_sha3_test(void); -WOLFSSL_TEST_SUBROUTINE int wc_hkdf_test(void); +/* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void); WOLFSSL_TEST_SUBROUTINE int sshkdf_test(void); WOLFSSL_TEST_SUBROUTINE int x963kdf_test(void); WOLFSSL_TEST_SUBROUTINE int arc4_test(void); @@ -974,7 +974,7 @@ initDefaultName(); #endif #ifdef HAVE_HKDF - if ( (ret = wc_hkdf_test()) != 0) + if ( (ret = hkdf_test()) != 0) return err_sys("HMAC-KDF test failed!\n", ret); else test_pass("HMAC-KDF test passed!\n"); @@ -6554,7 +6554,8 @@ WOLFSSL_TEST_SUBROUTINE int des3_test(void) #if defined(WOLFSSL_AES_OFB) || defined(WOLFSSL_AES_CFB) || \ defined(WOLFSSL_AES_XTS) -#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) +#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) /* pass in the function, key, iv, plain text and expected and this function * tests that the encryption and decryption is successful */ static int EVP_test(const WOLFSSL_EVP_CIPHER* type, const byte* key, @@ -6758,7 +6759,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_128 /* 128 key size test */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_128_ofb(), key2, iv2, plain2, sizeof(plain2), cipher2, sizeof(cipher2)); if (ret != 0) { @@ -6796,7 +6798,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_192 /* 192 key size test */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_192_ofb(), key3, iv3, plain3, sizeof(plain3), cipher3, sizeof(cipher3)); if (ret != 0) { @@ -6834,7 +6837,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_256 /* 256 key size test */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_256_ofb(), key1, iv1, plain1, sizeof(plain1), cipher1, sizeof(cipher1)); if (ret != 0) { @@ -7148,7 +7152,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_128 /* 128 key tests */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_128_cfb128(), key1, iv, msg1, sizeof(msg1), cipher1, sizeof(cipher1)); if (ret != 0) { @@ -7196,7 +7201,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_192 /* 192 key size test */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_192_cfb128(), key2, iv, msg2, sizeof(msg2), cipher2, sizeof(cipher2)); if (ret != 0) { @@ -7234,7 +7240,8 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_256 /* 256 key size test */ - #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_256_cfb128(), key3, iv, msg3, sizeof(msg3), cipher3, sizeof(cipher3)); if (ret != 0) { @@ -7474,12 +7481,14 @@ EVP_TEST_END: if (ret != 0) ERROR_OUT(-5213, out); + #ifndef WOLFCRYPT_ONLY ret = EVP_test(EVP_aes_128_cfb1(), key1, iv, msg1, sizeof(msg1), cipher, sizeof(msg1)); if (ret != 0) { goto out; } #endif + #endif #endif /* WOLFSSL_AES_128 */ #ifdef WOLFSSL_AES_192 /* 192 key tests */ @@ -7505,11 +7514,13 @@ EVP_TEST_END: if (ret != 0) ERROR_OUT(-5218, out); + #ifndef WOLFCRYPT_ONLY ret = EVP_test(EVP_aes_192_cfb1(), key2, iv2, msg2, sizeof(msg2), cipher, sizeof(msg2)); if (ret != 0) { goto out; } + #endif #endif #endif /* WOLFSSL_AES_192 */ @@ -7537,11 +7548,13 @@ EVP_TEST_END: if (ret != 0) ERROR_OUT(-5223, out); + #ifndef WOLFCRYPT_ONLY ret = EVP_test(EVP_aes_256_cfb1(), key3, iv3, msg3, sizeof(msg3), cipher, sizeof(msg3)); if (ret != 0) { goto out; } + #endif #endif out: @@ -7680,7 +7693,7 @@ EVP_TEST_END: #ifdef WOLFSSL_AES_128 /* 128 key tests */ - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) ret = EVP_test(EVP_aes_128_cfb8(), key1, iv, msg1, sizeof(msg1), cipher1, sizeof(cipher1)); if (ret != 0) { @@ -7726,7 +7739,7 @@ EVP_TEST_END: ERROR_OUT(-5233, out); if (XMEMCMP(cipher, cipher2, sizeof(msg2)) != 0) ERROR_OUT(-5234, out); -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) ret = EVP_test(EVP_aes_192_cfb8(), key2, iv2, msg2, sizeof(msg2), cipher2, sizeof(msg2)); if (ret != 0) { @@ -7749,7 +7762,7 @@ EVP_TEST_END: if (XMEMCMP(cipher, cipher3, sizeof(cipher3)) != 0) ERROR_OUT(-5237, out); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) ret = EVP_test(EVP_aes_256_cfb8(), key3, iv3, msg3, sizeof(msg3), cipher3, sizeof(msg3)); if (ret != 0) { @@ -7988,7 +8001,8 @@ static int aes_xts_128_test(void) ERROR_OUT(-5417, out); #endif -#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) +#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_128_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2)); if (ret != 0) { printf("EVP_aes_128_xts failed!\n"); @@ -8190,7 +8204,8 @@ static int aes_xts_256_test(void) ERROR_OUT(-5515, out); #endif -#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) +#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \ + && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) ret = EVP_test(EVP_aes_256_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2)); if (ret != 0) { printf("EVP_aes_256_xts failed\n"); @@ -20313,7 +20328,7 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void) #if defined(HAVE_HKDF) && !defined(NO_HMAC) -WOLFSSL_TEST_SUBROUTINE int wc_hkdf_test(void) +/* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void) { int ret = 0; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 9abe7fa19..5137415b9 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -36,7 +36,9 @@ #endif /* OPENSSL_EXTRA_SSL_GUARD */ #include +#ifndef WOLFCRYPT_ONLY #include +#endif #include #ifdef OPENSSL_EXTRA #include diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 60094ad10..dbbbc4329 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -83,8 +83,10 @@ #elif (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) #include - #include #include + #ifndef WOLFCRYPT_ONLY + #include + #endif /* We need the old SSL names */ #ifdef NO_OLD_SSL_NAMES @@ -1786,7 +1788,7 @@ WOLFSSL_API int wolfSSL_i2d_PrivateKey(const WOLFSSL_EVP_PKEY* key, unsigned char** der); WOLFSSL_API int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY* key, unsigned char** der); -#if defined(OPENSSL_EXTRA) +#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) WOLFSSL_API int wolfSSL_EVP_PKEY_print_public(WOLFSSL_BIO* out, const WOLFSSL_EVP_PKEY* pkey, int indent, WOLFSSL_ASN1_PCTX* pctx); @@ -4678,6 +4680,7 @@ WOLFSSL_API int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE *store); WOLFSSL_API long wolfSSL_X509_get_version(const WOLFSSL_X509 *x); WOLFSSL_API int wolfSSL_X509_get_signature_nid(const WOLFSSL_X509* x); +#ifndef WOLFCRYPT_ONLY WOLFSSL_API int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* pkey, const WOLFSSL_EVP_CIPHER* enc, char* passwd, int passwdSz, wc_pem_password_cb* cb, void* ctx); @@ -4689,7 +4692,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY** pkey, wc_pem_password_cb* cb, void* u); WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey( WOLFSSL_EVP_PKEY** pkey, const unsigned char** data, long length); - +#endif /* !WOLFCRYPT_ONLY */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ @@ -4719,7 +4722,9 @@ WOLFSSL_API int wolfSSL_get_ephemeral_key(WOLFSSL* ssl, int keyAlgo, #endif #if defined(OPENSSL_EXTRA) +#ifndef WOLFCRYPT_ONLY WOLFSSL_API int wolfSSL_EVP_PKEY_param_check(WOLFSSL_EVP_PKEY_CTX* ctx); +#endif WOLFSSL_API void wolfSSL_CTX_set_security_level(WOLFSSL_CTX* ctx, int level); WOLFSSL_API int wolfSSL_CTX_get_security_level(const WOLFSSL_CTX* ctx); diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index 255f55ca2..d7a6286c8 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -302,7 +302,7 @@ MP_API int mp_grow (mp_int * a, int size); MP_API int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d); MP_API void mp_zero (mp_int * a); MP_API void mp_clamp (mp_int * a); -MP_API void mp_exch (mp_int * a, mp_int * b); +MP_API int mp_exch (mp_int * a, mp_int * b); MP_API int mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m); MP_API void mp_rshd (mp_int * a, int b); MP_API void mp_rshb (mp_int * a, int b);