diff --git a/configure.ac b/configure.ac index bf8d2e7e7..aed27d36d 100644 --- a/configure.ac +++ b/configure.ac @@ -720,7 +720,7 @@ then # this set is also enabled by enable-all-crypto: test "$enable_atomicuser" = "" && enable_atomicuser=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes - test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes + test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes test "$enable_aesccm" = "" && enable_aesccm=yes test "$enable_aesctr" = "" && enable_aesctr=yes test "$enable_aeseax" = "" && enable_aeseax=yes @@ -788,7 +788,6 @@ then test "$enable_session_ticket" = "" && enable_session_ticket=yes test "$enable_earlydata" = "" && enable_earlydata=yes test "$enable_ech" = "" && enable_ech=yes - test "$enable_quic" = "" && enable_quic=yes if test "$ENABLED_32BIT" != "yes" then @@ -799,13 +798,14 @@ then if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" then test "$enable_compkey" = "" && enable_compkey=yes + test "$enable_quic" = "" && enable_quic=yes AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" fi # sp-math is incompatible with opensslextra, ECC custom curves, and DSA. if test "$ENABLED_SP_MATH" = "no" then - test "$enable_dsa" = "" && enable_dsa=yes + test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes test "$enable_brainpool" = "" && enable_brainpool=yes test "$enable_srp" = "" && enable_srp=yes @@ -908,7 +908,7 @@ if test "$ENABLED_ALL_CRYPT" = "yes" then test "$enable_atomicuser" = "" && enable_atomicuser=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes - test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes + test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes test "$enable_aesccm" = "" && enable_aesccm=yes test "$enable_aesctr" = "" && enable_aesctr=yes test "$enable_aeseax" = "" && enable_aeseax=yes 
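Review bot: The new guard `test "$enable_aesgcm" = "yes"` in the enable-all block (and the identical line in the enable-all-crypto hunk at -908) auto-enables AES-GCM streaming only for the literal value `yes`, while the QUIC check added in this same commit treats everything except `no` as enabled. If `--enable-aesgcm` also accepts an implementation selector such as a table or small variant (not visible here), those builds would lose streaming under enable-all without any message. Consider `test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" != "no" && enable_aesgcm_stream=yes`, which is safe because the line above has already defaulted an empty value to `yes`.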
@@ -974,7 +974,7 @@ then if test "$ENABLED_SP_MATH" = "no" then - test "$enable_dsa" = "" && enable_dsa=yes + test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes test "$enable_brainpool" = "" && enable_brainpool=yes test "$enable_srp" = "" && enable_srp=yes @@ -1476,6 +1476,10 @@ then then AC_MSG_ERROR([TLS 1.3 is disabled - necessary for QUIC]) fi + if test "$enable_aesgcm" = "no" + then + AC_MSG_ERROR([AES-GCM is disabled - necessary for QUIC]) + fi AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QUIC" # QUIC proto handlers need app_data at WOLFSSL* AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" @@ -3581,7 +3585,7 @@ AC_ARG_ENABLE([dsa], [ ENABLED_DSA=no ] ) -if test "$enable_dsa" = "" +if test "$enable_dsa" = "" && test "$enable_sha" != "no" then if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_QT" = "yes" || test "$ENABLED_BIND" = "yes" || test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_NTP" = "yes" then @@ -9721,8 +9725,11 @@ echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV" echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL" echo " * All TLS Extensions: $ENABLED_TLSX" -echo " * PKCS#7: $ENABLED_PKCS7" echo " * S/MIME: $ENABLED_SMIME" +echo " * PKCS#7: $ENABLED_PKCS7" +echo " * PKCS#8: $ENABLED_PKCS8" +echo " * PKCS#11: $ENABLED_PKCS11" +echo " * PKCS#12: $ENABLED_PKCS12" echo " * wolfSSH: $ENABLED_WOLFSSH" echo " * wolfEngine: $ENABLED_WOLFENGINE" echo " * wolfTPM: $ENABLED_WOLFTPM" 
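Review bot: The AES-GCM guard added to the QUIC block tests the raw option `$enable_aesgcm`, so it only catches an explicit `--disable-aesgcm`. If AES-GCM can end up off by another route (for example a resolved `ENABLED_AESGCM` derived from other options, which is outside this hunk), `-DWOLFSSL_QUIC` is still appended and the failure moves to compile time or run time. If the resolved variable is already set at this point, test that instead, or repeat the check after it is set. A one-line comment such as `# QUIC initial packet protection uses AES-128-GCM` would also record why the dependency exists.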
@@ -9741,9 +9748,6 @@ echo " * User Crypto: $ENABLED_USER_CRYPTO" echo " * Fast RSA: $ENABLED_FAST_RSA" echo " * Asynchronous Crypto: $ENABLED_ASYNCCRYPT" echo " * Asynchronous Crypto (sim): $ENABLED_ASYNCCRYPT_SW" -echo " * PKCS#8: $ENABLED_PKCS8" -echo " * PKCS#11: $ENABLED_PKCS11" -echo " * PKCS#12: $ENABLED_PKCS12" echo " * Cavium Nitrox: $ENABLED_CAVIUM" echo " * Cavium Octeon (Sync): $ENABLED_OCTEON_SYNC" echo " * Intel Quick Assist: $ENABLED_INTEL_QA" diff --git a/src/internal.c b/src/internal.c index dfddaafc2..4dae1b960 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13219,9 +13219,11 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) len = wolfSSL_i2d_X509_NAME_canon(issuer, &pbuf); if (len > 0) { - #ifndef NO_SHA + #if defined(NO_SHA) && !defined(NO_SHA256) + retHash = wc_Sha256Hash((const byte*)pbuf, len, dgt); + #elif !defined(NO_SHA) retHash = wc_ShaHash((const byte*)pbuf, len, dgt); - #endif + #endif if (retHash == 0) { /* 4 bytes in little endian as unsigned long */ hash = (((unsigned long)dgt[3] << 24) | diff --git a/src/wolfio.c b/src/wolfio.c index f2a656fe7..4fee95835 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -2489,11 +2489,18 @@ int MicriumSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) /* Micrium DTLS Generate Cookie callback * return : number of bytes copied into buf, or error */ +#if defined(NO_SHA) && !defined(NO_SHA256) + #define MICRIUM_COOKIE_DIGEST_SIZE WC_SHA256_DIGEST_SIZE +#elif !defined(NO_SHA) + #define MICRIUM_COOKIE_DIGEST_SIZE WC_SHA_DIGEST_SIZE +#else + #error Must enable either SHA-1 or SHA256 (or both) for Micrium. +#endif int MicriumGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) { NET_SOCK_ADDR peer; NET_SOCK_ADDR_LEN peerSz = sizeof(peer); - byte digest[WC_SHA_DIGEST_SIZE]; + byte digest[MICRIUM_COOKIE_DIGEST_SIZE]; int ret = 0; (void)ctx; 
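Review bot: With `NO_SHA` defined, `LoadCertByIssuer` now takes the lookup hash from the first four bytes of a SHA-256 digest instead of SHA-1, so the value no longer matches hash-named files produced by OpenSSL-style rehash tooling, which hashes the canonical name with SHA-1. In such a build the directory lookup would presumably find nothing, and for CRL lookups that can mean revocation data is silently not loaded. A comment on the new branch, e.g. `/* NO_SHA build: value differs from OpenSSL's SHA-1 subject hash; directory entries must be named to match */`, plus a note in the user documentation would make that visible. Also confirm that `dgt`, declared outside this hunk, is at least `WC_SHA256_DIGEST_SIZE` bytes, since `wc_Sha256Hash` writes 32 bytes into it.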
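Review bot: The `MICRIUM_COOKIE_DIGEST_SIZE` block is inserted between the `/* Micrium DTLS Generate Cookie callback ... */` comment and `MicriumGenerateCookie`, so the function's header comment now sits on top of a preprocessor block; the `UIP_COOKIE_DIGEST_SIZE` and `GNRC_COOKIE_DIGEST_SIZE` hunks do the same. Move each `#if` block above its comment and give the macro its own line, e.g. `/* Digest size of the cookie hash: SHA-256 when SHA-1 is compiled out, else SHA-1 */`. That comment is also the place to state that the maximum cookie length becomes 32 bytes instead of 20 in `NO_SHA` builds. The function body continues outside this hunk.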
@@ -2505,12 +2512,16 @@ int MicriumGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) return GEN_COOKIE_E; } +#if defined(NO_SHA) && !defined(NO_SHA256) + ret = wc_Sha256Hash((byte*)&peer, peerSz, digest); +#else ret = wc_ShaHash((byte*)&peer, peerSz, digest); +#endif if (ret != 0) return ret; - if (sz > WC_SHA_DIGEST_SIZE) - sz = WC_SHA_DIGEST_SIZE; + if (sz > MICRIUM_COOKIE_DIGEST_SIZE) + sz = MICRIUM_COOKIE_DIGEST_SIZE; XMEMCPY(buf, digest, sz); return sz; @@ -2804,20 +2815,31 @@ int uIPReceive(WOLFSSL *ssl, char *buf, int sz, void *_ctx) /* uIP DTLS Generate Cookie callback * return : number of bytes copied into buf, or error */ +#if defined(NO_SHA) && !defined(NO_SHA256) + #define UIP_COOKIE_DIGEST_SIZE WC_SHA256_DIGEST_SIZE +#elif !defined(NO_SHA) + #define UIP_COOKIE_DIGEST_SIZE WC_SHA_DIGEST_SIZE +#else + #error Must enable either SHA-1 or SHA256 (or both) for uIP. +#endif int uIPGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *_ctx) { uip_wolfssl_ctx *ctx = (uip_wolfssl_ctx *)_ctx; byte token[32]; - byte digest[WC_SHA_DIGEST_SIZE]; + byte digest[UIP_COOKIE_DIGEST_SIZE]; int ret = 0; XMEMSET(token, 0, sizeof(token)); XMEMCPY(token, &ctx->peer_addr, sizeof(uip_ipaddr_t)); XMEMCPY(token + sizeof(uip_ipaddr_t), &ctx->peer_port, sizeof(word16)); +#if defined(NO_SHA) && !defined(NO_SHA256) + ret = wc_Sha256Hash(token, sizeof(uip_ipaddr_t) + sizeof(word16), digest); +#else ret = wc_ShaHash(token, sizeof(uip_ipaddr_t) + sizeof(word16), digest); +#endif if (ret != 0) return ret; - if (sz > WC_SHA_DIGEST_SIZE) - sz = WC_SHA_DIGEST_SIZE; + if (sz > UIP_COOKIE_DIGEST_SIZE) + sz = UIP_COOKIE_DIGEST_SIZE; XMEMCPY(buf, digest, sz); return sz; } 
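Review bot: `sz` is a signed `int` that is clamped only from above before `XMEMCPY(buf, digest, sz)`, so a negative value would be converted to a very large copy length; the same pattern is in the `uIPGenerateCookie` hunk that follows and in `GNRC_GenerateCookie`. Since these lines are being touched anyway, add a lower bound ahead of the clamp, e.g. `if (buf == NULL || sz < 0) return GEN_COOKIE_E;`. Separately, the cookie remains a plain digest of the peer address; whether a server secret is mixed in elsewhere is not visible in these hunks and is worth confirming. Each of these functions starts or ends outside its hunk.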
@@ -2881,13 +2903,20 @@ int GNRC_ReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *_ctx) * return : number of bytes copied into buf, or error */ #define GNRC_MAX_TOKEN_SIZE (32) +#if defined(NO_SHA) && !defined(NO_SHA256) + #define GNRC_COOKIE_DIGEST_SIZE WC_SHA256_DIGEST_SIZE +#elif !defined(NO_SHA) + #define GNRC_COOKIE_DIGEST_SIZE WC_SHA_DIGEST_SIZE +#else + #error Must enable either SHA-1 or SHA256 (or both) for GNRC. +#endif int GNRC_GenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *_ctx) { sock_tls_t *ctx = (sock_tls_t *)_ctx; if (!ctx) return WOLFSSL_CBIO_ERR_GENERAL; byte token[GNRC_MAX_TOKEN_SIZE]; - byte digest[WC_SHA_DIGEST_SIZE]; + byte digest[GNRC_COOKIE_DIGEST_SIZE]; int ret = 0; size_t token_size = sizeof(sock_udp_ep_t); (void)ssl; @@ -2895,11 +2924,15 @@ int GNRC_GenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *_ctx) token_size = GNRC_MAX_TOKEN_SIZE; XMEMSET(token, 0, GNRC_MAX_TOKEN_SIZE); XMEMCPY(token, &ctx->peer_addr, token_size); +#if defined(NO_SHA) && !defined(NO_SHA256) + ret = wc_Sha256Hash(token, token_size, digest); +#else ret = wc_ShaHash(token, token_size, digest); +#endif if (ret != 0) return ret; - if (sz > WC_SHA_DIGEST_SIZE) - sz = WC_SHA_DIGEST_SIZE; + if (sz > GNRC_COOKIE_DIGEST_SIZE) + sz = GNRC_COOKIE_DIGEST_SIZE; XMEMCPY(buf, digest, sz); return sz; } diff --git a/tests/api.c b/tests/api.c index b877056e6..6f9529cab 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3196,7 +3196,7 @@ static int test_wolfSSL_CertManagerCRL(void) static int test_wolfSSL_CertManagerCheckOCSPResponse(void) { EXPECT_DECLS; -#if defined(HAVE_OCSP) && !defined(NO_RSA) +#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) /* Need one of these for wolfSSL_OCSP_REQUEST_new. */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ 
@@ -3516,7 +3516,8 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void) static int test_wolfSSL_CheckOCSPResponse(void) { EXPECT_DECLS; -#if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) +#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) && \ + defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseMultiFile = "./certs/ocsp/test-multi-response.der"; const char* responseNoInternFile = diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index e66f49c3e..1fc0b003f 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -859,11 +859,11 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits #endif #elif defined(WOLFSSL_KCAPI_AES) - /* Only CBC and GCM that are in wolfcrypt/src/port/kcapi/kcapi_aes.c */ + /* Only CBC and GCM are in wolfcrypt/src/port/kcapi/kcapi_aes.c */ #if defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AESCCM) || \ defined(WOLFSSL_CMAC) || defined(WOLFSSL_AES_OFB) || \ defined(WOLFSSL_AES_CFB) || defined(HAVE_AES_ECB) || \ - defined(WOLFSSL_AES_DIRECT) || \ + defined(WOLFSSL_AES_DIRECT) || defined(WOLFSSL_AES_XTS) || \ (defined(HAVE_AES_CBC) && defined(WOLFSSL_NO_KCAPI_AES_CBC)) #define NEED_AES_TABLES @@ -5460,8 +5460,12 @@ int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) #else while (blocks--) { int ret; +#ifdef WOLFSSL_AESNI + ret = wc_AesDecrypt(aes, in, out); +#else XMEMCPY(aes->tmp, in, AES_BLOCK_SIZE); ret = wc_AesDecrypt(aes, (byte*)aes->tmp, out); +#endif if (ret != 0) return ret; xorbuf(out, (byte*)aes->reg, AES_BLOCK_SIZE); diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 28ae8ab09..62b1b3811 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c 
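Review bot: Under `WOLFSSL_AESNI` the loop now calls `wc_AesDecrypt(aes, in, out)` directly and no longer copies the ciphertext block into `aes->tmp`. The loop body continues past the end of this hunk; if it goes on to refresh `aes->reg` from `aes->tmp` for chaining, that copy would read a stale block in the AES-NI build, and for in-place calls (`in == out`) the ciphertext needed as the next IV has already been overwritten by plaintext. If that is the case, keep `XMEMCPY(aes->tmp, in, AES_BLOCK_SIZE);` ahead of the `#ifdef` and vary only the source argument of `wc_AesDecrypt`. A multi-block, in-place CBC decrypt test on an AES-NI build would pin the behavior, and a short comment saying why the AES-NI path avoids `aes->tmp` as input would help the next reader.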
@@ -2922,7 +2922,7 @@ time_t mynewt_time(time_t* timer) #endif /* WOLFSSL_APACHE_MYNEWT */ #if defined(WOLFSSL_GMTIME) -struct tm* gmtime(const time_t* timer) +struct tm* gmtime_r(const time_t* timer, struct tm *ret) { #define YEAR0 1900 #define EPOCH_YEAR 1970 @@ -2936,8 +2936,6 @@ struct tm* gmtime(const time_t* timer) {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31} }; - static struct tm st_time; - struct tm* ret = &st_time; time_t secs = *timer; unsigned long dayclock, dayno; int year = EPOCH_YEAR; @@ -2971,6 +2969,12 @@ struct tm* gmtime(const time_t* timer) return ret; } + +struct tm* gmtime(const time_t* timer) { + static struct tm st_time; + return gmtime_r(timer, &st_time); +} + #endif /* WOLFSSL_GMTIME */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index bfbb81875..791e5ca7d 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -58,9 +58,10 @@ #ifdef HAVE_STACK_SIZE_VERBOSE #ifdef WOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES - static ssize_t max_relative_stack = WOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES; + static WC_MAYBE_UNUSED ssize_t max_relative_stack = + WOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES; #else - static ssize_t max_relative_stack = -1; + static WC_MAYBE_UNUSED ssize_t max_relative_stack = -1; #endif #endif diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 2cd79590e..88affc73a 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -1063,6 +1063,11 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void); #define XTIME(tl) time((tl)) #endif #endif + +#if defined(WOLFSSL_GMTIME) && !defined(HAVE_GMTIME_R) + #define HAVE_GMTIME_R +#endif + #if !defined(XGMTIME) && !defined(TIME_OVERRIDES) /* Always use gmtime_r if available. */ #if defined(HAVE_GMTIME_S) 
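Review bot: `gmtime_r` now writes through the caller-supplied `ret` and dereferences `timer` with no NULL check, where the old code always wrote to its own static buffer. A guard at the top, `if (timer == NULL || ret == NULL) return NULL;`, keeps a bad caller from turning into a NULL write; the rest of the body lies between this hunk and the next two. The new `gmtime` wrapper keeps the shared `static struct tm`, so it is still non-reentrant, and a comment such as `/* not thread-safe: returns a pointer to static storage; prefer gmtime_r */` would say so.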
@@ -1128,8 +1133,9 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void); extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp); #elif defined(WOLFSSL_GMTIME) struct tm* gmtime(const time_t* timer); + struct tm* gmtime_r(const time_t* timer, struct tm *ret); #endif -#endif /* NO_ASN_TIME */ +#endif /* !NO_ASN_TIME */ #ifndef WOLFSSL_LEANPSK