diff --git a/configure.ac b/configure.ac index 981ae79fa..d9b17709c 100644 --- a/configure.ac +++ b/configure.ac @@ -2639,7 +2639,12 @@ then if test "x$ENABLED_TLSX" = "xno" then ENABLED_TLSX="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES" + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC" + + # Check the ECC supported curves prereq + AS_IF([test "x$ENABLED_ECC" = "xyes"], + [ENABLED_SUPPORTED_CURVES=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"]) fi # Requires ecc make sure on diff --git a/examples/client/client.c b/examples/client/client.c index 284f21e83..4286c5306 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -197,7 +197,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, else if (useX25519) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { - err_sys("unable to use curve secp256r1"); + err_sys("unable to use curve x25519"); } } #endif @@ -281,7 +281,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, if (useX25519) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { - err_sys("unable to use curve secp256r1"); + err_sys("unable to use curve x25519"); } } #endif @@ -1551,10 +1551,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (useX25519) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { - err_sys("unable to use curve secp256r1"); + err_sys("unable to use curve x25519"); } } #endif + #ifdef HAVE_ECC if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) { err_sys("unable to use curve secp256r1"); @@ -1563,6 +1564,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) != SSL_SUCCESS) { err_sys("unable to use curve secp384r1"); } + #endif } if (onlyKeyShare == 0 || onlyKeyShare == 1) { #ifdef HAVE_FFDHE_2048 @@ -1983,10 +1985,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_CURVE25519 if (useX25519) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { - err_sys("unable to use curve secp256r1"); + err_sys("unable to use curve x25519"); } } #endif + #ifdef HAVE_ECC if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) { err_sys("unable to use curve secp256r1"); @@ -1995,6 +1998,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) WOLFSSL_ECC_SECP384R1) != SSL_SUCCESS) { err_sys("unable to use curve secp384r1"); } + #endif #ifdef HAVE_FFDHE_2048 if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) { err_sys("unable to use DH 2048-bit parameters"); diff --git a/src/tls.c b/src/tls.c index 0fb7f249b..23748f99c 100755 --- a/src/tls.c +++ b/src/tls.c @@ -2956,29 +2956,6 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, return 0; } -#ifdef WOLFSSL_TLS13 -/* Searches the supported groups extension for the specified named group. - * - * ssl The SSL/TLS object. - * name The group name to match. - * returns 1 when the extension has the group name and 0 otherwise. - */ -static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name) -{ - TLSX* extension; - EllipticCurve* curve = NULL; - - if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL) - return 0; - - for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) { - if (curve->name == name) - return 1; - } - return 0; -} -#endif /* WOLFSSL_TLS13 */ - int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE) ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) @@ -4685,7 +4662,7 @@ end: } #endif -#ifndef NO_ECC +#ifdef HAVE_ECC /* Create a key share entry using named elliptic curve parameters group. * Generates a key pair. * @@ -4846,7 +4823,7 @@ end: } return ret; } -#endif /* !NO_ECC */ +#endif /* HAVE_ECC */ /* Generate a secret/key using the key share entry. * @@ -4855,10 +4832,16 @@ end: */ static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse) { +#ifndef NO_DH /* Named FFHE groups have a bit set to identify them. */ if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK) return TLSX_KeyShare_GenDhKey(ssl, kse); +#endif +#ifdef HAVE_ECC return TLSX_KeyShare_GenEccKey(ssl, kse); +#else + return NOT_COMPILED_IN; +#endif } /* Free the key share dynamic data. @@ -5070,8 +5053,9 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) */ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) { -#ifndef NO_ECC int ret; + +#ifdef HAVE_ECC int curveId; ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key; @@ -5197,10 +5181,15 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) ); #endif - return ret; + #else - return PEER_KEY_ERROR; -#endif + (void)ssl; + (void)keyShareEntry; + + ret = PEER_KEY_ERROR; +#endif /* HAVE_ECC */ + + return ret; } /* Process the key share extension on the client side. @@ -5300,6 +5289,35 @@ static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group) return 0; } + +/* Searches the supported groups extension for the specified named group. + * + * ssl The SSL/TLS object. + * name The group name to match. + * returns 1 when the extension has the group name and 0 otherwise. + */ +static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name) +{ +#ifdef HAVE_SUPPORTED_CURVES + TLSX* extension; + EllipticCurve* curve = NULL; + + if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL) + return 0; + + for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) { + if (curve->name == name) + return 1; + } +#endif + + (void)ssl; + (void)name; + + return 0; +} + + /* Parse the KeyShare extension. * Different formats in different messages. * @@ -5572,6 +5590,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup) static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl) { int ret; +#ifdef HAVE_SUPPORTED_CURVES TLSX* extension; EllipticCurve* curve = NULL; @@ -5603,8 +5622,13 @@ static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl) /* Set extension to be in reponse. */ extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); extension->resp = 1; +#else - return 0; + (void)ssl; + ret = NOT_COMPILED_IN; +#endif + + return ret; } /* Establish the secret based on the key shares received from the client. @@ -7034,6 +7058,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) ssl->heap)) != 0) return ret; +#ifdef HAVE_SUPPORTED_CURVES if (!ssl->options.userCurves && !ssl->ctx->userCurves) { /* Add FFDHE supported groups. */ #ifdef HAVE_FFDHE_2048 @@ -7068,6 +7093,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) #endif ret = 0; } +#endif if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ diff --git a/src/tls13.c b/src/tls13.c index c3ac01cf9..1261ceb72 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -3588,6 +3588,7 @@ static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz, return wc_EncodeSignature(sig, hash, hashSz, hashOid); } } +#endif /* !NO_RSA */ #ifdef HAVE_ECC /* Encode the ECC signature. @@ -3648,9 +3649,9 @@ static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo) return hashSz; } -#endif - +#endif /* HAVE_ECC */ +#ifndef NO_RSA /* Check that the decrypted signature matches the encoded signature * based on the digest of the signature data. * @@ -4467,15 +4468,19 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); } #endif + #ifdef HAVE_ECC if (args->sigAlgo == ecc_dsa_sa_algo && !ssl->peerEccDsaKeyPresent) { WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); } + #endif + #ifndef NO_RSA if ((args->sigAlgo == rsa_sa_algo || args->sigAlgo == rsa_pss_sa_algo) && (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); } + #endif sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);