From c5f9e555672512ddd7f779caaf783058c3dcb1bd Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 18 Aug 2021 11:30:18 -0700 Subject: [PATCH] Fixes for CMAC compatibility layer with AES CBC disabled. CMAC code cleanups. Fixes for "make check" with AES CBC disabled. --- src/ssl.c | 19 ++++----- tests/api.c | 79 +++++++++++++++++----------------- wolfcrypt/src/cmac.c | 99 ++++++++++++++++++++++--------------------- wolfcrypt/src/evp.c | 34 +++++++-------- wolfcrypt/src/pkcs7.c | 45 ++++++++++++++++++-- wolfcrypt/test/test.c | 37 +++++++++------- wolfssl/openssl/aes.h | 2 +- wolfssl/openssl/evp.h | 2 +- 8 files changed, 180 insertions(+), 137 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index c6bfd79ee..f1cdd8088 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -33835,7 +33835,8 @@ const WOLFSSL_EVP_MD *wolfSSL_HMAC_CTX_get_md(const WOLFSSL_HMAC_CTX *ctx) return wolfSSL_macType2EVP_md((enum wc_HashType)ctx->type); } -#if defined(WOLFSSL_CMAC) && defined(OPENSSL_EXTRA) +#if defined(WOLFSSL_CMAC) && defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_AES_DIRECT) WOLFSSL_CMAC_CTX* wolfSSL_CMAC_CTX_new(void) { WOLFSSL_CMAC_CTX* ctx = NULL; @@ -33894,13 +33895,10 @@ int wolfSSL_CMAC_Init(WOLFSSL_CMAC_CTX* ctx, const void *key, size_t keyLen, WOLFSSL_ENTER("wolfSSL_CMAC_Init"); - if (ctx == NULL || cipher == NULL - #ifdef HAVE_AES_CBC - || (cipher != EVP_AES_128_CBC && + if (ctx == NULL || cipher == NULL || ( + cipher != EVP_AES_128_CBC && cipher != EVP_AES_192_CBC && - cipher != EVP_AES_256_CBC) - #endif - ) { + cipher != EVP_AES_256_CBC)) { ret = WOLFSSL_FAILURE; } @@ -33986,7 +33984,7 @@ int wolfSSL_CMAC_Final(WOLFSSL_CMAC_CTX* ctx, unsigned char* out, return ret; } -#endif /* WOLFSSL_CMAC && OPENSSL_EXTRA */ +#endif /* WOLFSSL_CMAC && OPENSSL_EXTRA && WOLFSSL_AES_DIRECT */ /* Free the dynamically allocated data. * @@ -57256,9 +57254,8 @@ int wolfSSL_RAND_poll(void) } switch (ctx->cipherType) { - #ifndef NO_AES -#ifdef HAVE_AES_CBC +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE : case AES_192_CBC_TYPE : case AES_256_CBC_TYPE : @@ -57379,7 +57376,7 @@ int wolfSSL_RAND_poll(void) switch (ctx->cipherType) { #ifndef NO_AES -#ifdef HAVE_AES_CBC +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE : case AES_192_CBC_TYPE : case AES_256_CBC_TYPE : diff --git a/tests/api.c b/tests/api.c index 7860e6e8d..71e12246c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -3508,7 +3508,8 @@ static void test_wolfSSL_EVP_get_cipherbynid(void) const WOLFSSL_EVP_CIPHER* c; c = wolfSSL_EVP_get_cipherbynid(419); - #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_128) AssertNotNull(c); AssertNotNull(strcmp("EVP_AES_128_CBC", c)); #else @@ -3516,7 +3517,8 @@ static void test_wolfSSL_EVP_get_cipherbynid(void) #endif c = wolfSSL_EVP_get_cipherbynid(423); - #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_192) + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_192) AssertNotNull(c); AssertNotNull(strcmp("EVP_AES_192_CBC", c)); #else @@ -3524,7 +3526,8 @@ static void test_wolfSSL_EVP_get_cipherbynid(void) #endif c = wolfSSL_EVP_get_cipherbynid(427); - #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_256) AssertNotNull(c); AssertNotNull(strcmp("EVP_AES_256_CBC", c)); #else @@ -6993,7 +6996,7 @@ static void test_wolfSSL_PKCS8(void) static void test_wolfSSL_PKCS8_ED25519(void) { -#if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED25519) && \ defined(HAVE_ED25519_KEY_IMPORT) const byte encPrivKey[] = \ @@ -7025,7 +7028,7 @@ static void test_wolfSSL_PKCS8_ED25519(void) static void test_wolfSSL_PKCS8_ED448(void) { -#if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED448) && \ defined(HAVE_ED448_KEY_IMPORT) const byte encPrivKey[] = \ @@ -23168,8 +23171,8 @@ static int test_wc_ecc_encryptDecrypt (void) { int ret = 0; -#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128) \ - && !defined(WC_NO_RNG) +#if defined(HAVE_ECC) && defined(HAVE_ECC_ENCRYPT) && !defined(WC_NO_RNG) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) ecc_key srvKey, cliKey, tmpKey; WC_RNG rng; const char* msg = "EccBlock Size 16"; @@ -25894,25 +25897,16 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void) tempWrd32 = pkcs7->privateKeySz; pkcs7->privateKeySz = 0; - i = wc_PKCS7_DecodeEnvelopedData(pkcs7, output, - (word32)sizeof(output), decoded, (word32)sizeof(decoded)); -#ifndef HAVE_AES_CBC - AssertIntEQ(i, ASN_PARSE_E); -#else - AssertIntEQ(i, BAD_FUNC_ARG); -#endif + AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, + (word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG); pkcs7->privateKeySz = tempWrd32; tmpBytePtr = pkcs7->privateKey; pkcs7->privateKey = NULL; - i = wc_PKCS7_DecodeEnvelopedData(pkcs7, output, - (word32)sizeof(output), decoded, (word32)sizeof(decoded)); -#ifndef HAVE_AES_CBC - AssertIntEQ(i, ASN_PARSE_E); -#else - AssertIntEQ(i, BAD_FUNC_ARG); -#endif + AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, + (word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG); pkcs7->privateKey = tmpBytePtr; + wc_PKCS7_Free(pkcs7); #if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(NO_AES_256) @@ -34602,7 +34596,8 @@ static void test_wolfSSL_HMAC(void) static void test_wolfSSL_CMAC(void) { -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CMAC) && defined(HAVE_AES_CBC) +#if defined(WOLFSSL_CMAC) && defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_AES_DIRECT) int i; byte key[AES_128_KEY_SIZE]; CMAC_CTX* cmacCtx = NULL; @@ -34627,7 +34622,7 @@ static void test_wolfSSL_CMAC(void) CMAC_CTX_free(cmacCtx); printf(resultFmt, passed); -#endif /* OPENSSL_EXTRA && WOLFSSL_CMAC && HAVE_AES_CBC */ +#endif /* WOLFSSL_CMAC && OPENSSL_EXTRA && WOLFSSL_AES_DIRECT */ } @@ -40279,9 +40274,9 @@ static void test_wolfSSL_EVP_CIPHER_iv_length(void) int enumArray[] = { - - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + NID_aes_128_cbc, #endif #ifdef WOLFSSL_AES_192 NID_aes_192_cbc, @@ -40289,6 +40284,7 @@ static void test_wolfSSL_EVP_CIPHER_iv_length(void) #ifdef WOLFSSL_AES_256 NID_aes_256_cbc, #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM @@ -40322,8 +40318,10 @@ static void test_wolfSSL_EVP_CIPHER_iv_length(void) NID_idea_cbc, #endif }; + int iv_lengths[] = { - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 AES_BLOCK_SIZE, #endif #ifdef WOLFSSL_AES_192 @@ -40332,6 +40330,7 @@ static void test_wolfSSL_EVP_CIPHER_iv_length(void) #ifdef WOLFSSL_AES_256 AES_BLOCK_SIZE, #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM @@ -40370,8 +40369,8 @@ static void test_wolfSSL_EVP_CIPHER_iv_length(void) enumlen = (sizeof(enumArray)/sizeof(int)); for(i = 0; i < enumlen; i++) { - const EVP_CIPHER *c = wolfSSL_EVP_get_cipherbynid(enumArray[i]); - AssertIntEQ(wolfSSL_EVP_CIPHER_iv_length(c), iv_lengths[i]); + const EVP_CIPHER *c = EVP_get_cipherbynid(enumArray[i]); + AssertIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); } printf(resultFmt, passed); @@ -40551,7 +40550,7 @@ static void test_wolfSSL_EVP_PKEY_param_check(void) } static void test_wolfSSL_EVP_BytesToKey(void) { -#if defined(OPENSSL_ALL) && !defined(NO_DES3) +#if defined(OPENSSL_ALL) && !defined(NO_AES) && defined(HAVE_AES_CBC) byte key[AES_BLOCK_SIZE] = {0}; byte iv[AES_BLOCK_SIZE] = {0}; int sz = 5; @@ -40567,20 +40566,20 @@ static void test_wolfSSL_EVP_BytesToKey(void) type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); - printf(testingFmt, "wolfSSL_EVP_BytesToKey"); + printf(testingFmt, "EVP_BytesToKey"); /* Bad cases */ - AssertIntEQ(wolfSSL_EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), + AssertIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), 0); - AssertIntEQ(wolfSSL_EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), + AssertIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), 16); md = "2"; - AssertIntEQ(wolfSSL_EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + AssertIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), WOLFSSL_FAILURE); /* Good case */ md = "SHA256"; - AssertIntEQ(wolfSSL_EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + AssertIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), 16); printf(resultFmt, passed); @@ -43667,7 +43666,8 @@ static int test_tls13_apis(void) #if defined(HAVE_PK_CALLBACKS) && (!defined(WOLFSSL_NO_TLS12) || \ !defined(NO_OLD_TLS)) #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_DH) && !defined(NO_AES) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_DH) && \ + !defined(NO_AES) && defined(HAVE_AES_CBC) && \ defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(SINGLE_THREADED) static int my_DhCallback(WOLFSSL* ssl, struct DhKey* key, const unsigned char* priv, unsigned int privSz, @@ -43687,11 +43687,11 @@ static int my_DhCallback(WOLFSSL* ssl, struct DhKey* key, static void test_dh_ctx_setup(WOLFSSL_CTX* ctx) { wolfSSL_CTX_SetDhAgreeCb(ctx, my_DhCallback); -#ifdef WOLFSSL_AES_128 +#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) AssertIntEQ(wolfSSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES128-SHA256"), WOLFSSL_SUCCESS); #endif -#ifdef WOLFSSL_AES_256 +#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) AssertIntEQ(wolfSSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA256"), WOLFSSL_SUCCESS); #endif @@ -43726,7 +43726,8 @@ static void test_dh_ssl_setup_fail(WOLFSSL* ssl) static void test_DhCallbacks(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_DH) && !defined(NO_AES) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_DH) && \ + !defined(NO_AES) && defined(HAVE_AES_CBC) && \ defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(SINGLE_THREADED) WOLFSSL_CTX *ctx; WOLFSSL *ssl; diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c index 93486eda6..ec782ffb2 100644 --- a/wolfcrypt/src/cmac.c +++ b/wolfcrypt/src/cmac.c @@ -88,10 +88,10 @@ int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz, (void)unused; (void)heap; - (void)devId; - if (cmac == NULL || keySz == 0 || type != WC_CMAC_AES) + if (cmac == NULL || keySz == 0 || type != WC_CMAC_AES) { return BAD_FUNC_ARG; + } XMEMSET(cmac, 0, sizeof(Cmac)); @@ -106,10 +106,13 @@ int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz, return ret; /* fall-through when unavailable */ } +#else + (void)devId; #endif - if (key == NULL) + if (key == NULL) { return BAD_FUNC_ARG; + } ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION); if (ret == 0) { @@ -129,23 +132,22 @@ int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz, int type, void* unused) { #ifdef WOLFSSL_QNX_CAAM - return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, - WOLFSSL_CAAM_DEVID); + int devId = WOLFSSL_CAAM_DEVID; #else - return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, INVALID_DEVID); -#endif + int devId = INVALID_DEVID; +#endif + return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, devId); } int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz) { -#ifdef WOLF_CRYPTO_CB - int ret; -#endif + int ret = 0; - if ((cmac == NULL) || (in == NULL && inSz != 0)) + if ((cmac == NULL) || (in == NULL && inSz != 0)) { return BAD_FUNC_ARG; + } #ifdef WOLF_CRYPTO_CB if (cmac->devId != INVALID_DEVID) { @@ -154,8 +156,10 @@ int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz) if (ret != CRYPTOCB_UNAVAILABLE) return ret; /* fall-through when unavailable */ + ret = 0; /* reset error code */ } #endif + while (inSz != 0) { word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz); XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add); @@ -165,32 +169,30 @@ int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz) inSz -= add; if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) { - if (cmac->totalSz != 0) + if (cmac->totalSz != 0) { xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE); - wc_AesEncryptDirect(&cmac->aes, - cmac->digest, - cmac->buffer); + } + wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer); cmac->totalSz += AES_BLOCK_SIZE; cmac->bufferSz = 0; } } - return 0; + return ret; } int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz) { -#ifdef WOLF_CRYPTO_CB - int ret; -#endif + int ret = 0; const byte* subKey; - if (cmac == NULL || out == NULL || outSz == NULL) + if (cmac == NULL || out == NULL || outSz == NULL) { return BAD_FUNC_ARG; - - if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ) + } + if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ) { return BUFFER_E; + } #ifdef WOLF_CRYPTO_CB if (cmac->devId != INVALID_DEVID) { @@ -198,6 +200,7 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz) if (ret != CRYPTOCB_UNAVAILABLE) return ret; /* fall-through when unavailable */ + ret = 0; /* reset error code */ } #endif @@ -207,11 +210,12 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz) else { word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz; - if (remainder == 0) + if (remainder == 0) { remainder = AES_BLOCK_SIZE; - - if (remainder > 1) + } + if (remainder > 1) { XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder); + } cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80; subKey = cmac->k2; } @@ -223,7 +227,7 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz) ForceZero(cmac, sizeof(Cmac)); - return 0; + return ret; } @@ -231,39 +235,36 @@ int wc_AesCmacGenerate(byte* out, word32* outSz, const byte* in, word32 inSz, const byte* key, word32 keySz) { + int ret; #ifdef WOLFSSL_SMALL_STACK Cmac *cmac; #else Cmac cmac[1]; #endif - int ret; - if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0) + if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0) { return BAD_FUNC_ARG; + } #ifdef WOLFSSL_SMALL_STACK if ((cmac = (Cmac *)XMALLOC(sizeof *cmac, NULL, - DYNAMIC_TYPE_CMAC)) == NULL) + DYNAMIC_TYPE_CMAC)) == NULL) { return MEMORY_E; + } #endif ret = wc_InitCmac(cmac, key, keySz, WC_CMAC_AES, NULL); - if (ret != 0) - goto out; - - ret = wc_CmacUpdate(cmac, in, inSz); - if (ret != 0) - goto out; - - ret = wc_CmacFinal(cmac, out, outSz); - if (ret != 0) - goto out; - - out: + if (ret == 0) { + ret = wc_CmacUpdate(cmac, in, inSz); + } + if (ret == 0) { + ret = wc_CmacFinal(cmac, out, outSz); + } #ifdef WOLFSSL_SMALL_STACK - if (cmac) + if (cmac) { XFREE(cmac, NULL, DYNAMIC_TYPE_CMAC); + } #endif return ret; @@ -274,24 +275,24 @@ int wc_AesCmacVerify(const byte* check, word32 checkSz, const byte* in, word32 inSz, const byte* key, word32 keySz) { + int ret; byte a[AES_BLOCK_SIZE]; word32 aSz = sizeof(a); - int result; int compareRet; if (check == NULL || checkSz == 0 || (in == NULL && inSz != 0) || - key == NULL || keySz == 0) - + key == NULL || keySz == 0) { return BAD_FUNC_ARG; + } XMEMSET(a, 0, aSz); - result = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz); + ret = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz); compareRet = ConstantCompare(check, a, min(checkSz, aSz)); - if (result == 0) - result = compareRet ? 1 : 0; + if (ret == 0) + ret = compareRet ? 1 : 0; - return result; + return ret; } diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 715124b92..9f1db41f4 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -47,7 +47,7 @@ #include #ifndef NO_AES - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 static const char EVP_AES_128_CBC[] = "AES-128-CBC"; #endif @@ -57,7 +57,7 @@ #ifdef WOLFSSL_AES_256 static const char EVP_AES_256_CBC[] = "AES-256-CBC"; #endif - #endif /* HAVE_AES_CBC */ + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #ifdef WOLFSSL_AES_OFB #ifdef WOLFSSL_AES_128 @@ -202,7 +202,7 @@ int wolfSSL_EVP_Cipher_key_length(const WOLFSSL_EVP_CIPHER* c) switch (cipherType(c)) { #if !defined(NO_AES) - #if defined(HAVE_AES_CBC) + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE: return 16; case AES_192_CBC_TYPE: return 24; case AES_256_CBC_TYPE: return 32; @@ -985,7 +985,7 @@ int wolfSSL_EVP_CIPHER_CTX_block_size(const WOLFSSL_EVP_CIPHER_CTX *ctx) switch (ctx->cipherType) { #if !defined(NO_AES) || !defined(NO_DES3) #if !defined(NO_AES) -#if defined(HAVE_AES_CBC) +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE: case AES_192_CBC_TYPE: case AES_256_CBC_TYPE: @@ -1054,7 +1054,7 @@ static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher) #endif /* NO_DES3 && HAVE_AES_ECB */ #endif #if !defined(NO_AES) -#if defined(HAVE_AES_CBC) +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 else if (XSTRNCMP(cipher, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) return AES_128_CBC_TYPE; @@ -1067,7 +1067,7 @@ static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher) else if (XSTRNCMP(cipher, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) return AES_256_CBC_TYPE; #endif -#endif /* HAVE_AES_CBC */ +#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #if defined(HAVE_AESGCM) #ifdef WOLFSSL_AES_128 else if (XSTRNCMP(cipher, EVP_AES_128_GCM, EVP_AES_SIZE) == 0) @@ -1186,7 +1186,7 @@ int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher) if (cipher == NULL) return BAD_FUNC_ARG; switch (cipherType(cipher)) { #if !defined(NO_AES) - #if defined(HAVE_AES_CBC) + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE: case AES_192_CBC_TYPE: case AES_256_CBC_TYPE: @@ -1255,7 +1255,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) { switch (cipherType(cipher)) { #if !defined(NO_AES) - #if defined(HAVE_AES_CBC) + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE: case AES_192_CBC_TYPE: case AES_256_CBC_TYPE: @@ -1301,7 +1301,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) case AES_192_ECB_TYPE: case AES_256_ECB_TYPE: return WOLFSSL_EVP_CIPH_ECB_MODE; -#endif /* NO_AES */ +#endif /* !NO_AES */ #ifndef NO_DES3 case DES_CBC_TYPE: case DES_EDE3_CBC_TYPE: @@ -3215,7 +3215,7 @@ static const struct cipher{ } cipher_tbl[] = { #ifndef NO_AES - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 {AES_128_CBC_TYPE, EVP_AES_128_CBC, NID_aes_128_cbc}, #endif @@ -3479,7 +3479,7 @@ const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbynid(int id) switch(id) { #ifndef NO_AES - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 case NID_aes_128_cbc: return wolfSSL_EVP_aes_128_cbc(); @@ -4130,7 +4130,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type) #ifndef NO_AES - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void) { @@ -4818,7 +4818,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type) #endif #ifndef NO_AES - #ifdef HAVE_AES_CBC + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 if (ctx->cipherType == AES_128_CBC_TYPE || (type && XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)) { @@ -4898,7 +4898,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type) } } #endif /* WOLFSSL_AES_256 */ - #endif /* HAVE_AES_CBC */ + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM @@ -7152,7 +7152,7 @@ int wolfSSL_EVP_CIPHER_CTX_iv_length(const WOLFSSL_EVP_CIPHER_CTX* ctx) switch (ctx->cipherType) { -#ifdef HAVE_AES_CBC +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) case AES_128_CBC_TYPE : case AES_192_CBC_TYPE : case AES_256_CBC_TYPE : @@ -7245,7 +7245,7 @@ int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER* cipher) WOLFSSL_MSG("wolfSSL_EVP_CIPHER_iv_length"); #ifndef NO_AES -#ifdef HAVE_AES_CBC +#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) #ifdef WOLFSSL_AES_128 if (XSTRNCMP(name, EVP_AES_128_CBC, XSTRLEN(EVP_AES_128_CBC)) == 0) return AES_BLOCK_SIZE; @@ -7258,7 +7258,7 @@ int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER* cipher) if (XSTRNCMP(name, EVP_AES_256_CBC, XSTRLEN(EVP_AES_256_CBC)) == 0) return AES_BLOCK_SIZE; #endif -#endif /* HAVE_AES_CBC */ +#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) #ifdef HAVE_AESGCM diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 2033f62c9..094a3e38e 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -643,23 +643,42 @@ static int wc_PKCS7_GetOIDBlockSize(int oid) switch (oid) { #ifndef NO_AES #ifdef WOLFSSL_AES_128 + #ifdef HAVE_AES_CBC case AES128CBCb: + #endif + #ifdef HAVE_AESGCM case AES128GCMb: + #endif + #ifdef HAVE_AESCCM case AES128CCMb: + #endif #endif #ifdef WOLFSSL_AES_192 + #ifdef HAVE_AES_CBC case AES192CBCb: + #endif + #ifdef HAVE_AESGCM case AES192GCMb: + #endif + #ifdef HAVE_AESCCM case AES192CCMb: + #endif #endif #ifdef WOLFSSL_AES_256 + #ifdef HAVE_AES_CBC case AES256CBCb: + #endif + #ifdef HAVE_AESGCM case AES256GCMb: + #endif + #ifdef HAVE_AESCCM case AES256CCMb: + #endif #endif blockSz = AES_BLOCK_SIZE; break; -#endif +#endif /* !NO_AES */ + #ifndef NO_DES3 case DESb: case DES3b: @@ -683,35 +702,53 @@ static int wc_PKCS7_GetOIDKeySize(int oid) switch (oid) { #ifndef NO_AES #ifdef WOLFSSL_AES_128 + #ifdef HAVE_AES_CBC case AES128CBCb: + #endif + #ifdef HAVE_AESGCM case AES128GCMb: + #endif + #ifdef HAVE_AESCCM case AES128CCMb: + #endif case AES128_WRAP: blockKeySz = 16; break; #endif #ifdef WOLFSSL_AES_192 + #ifdef HAVE_AES_CBC case AES192CBCb: + #endif + #ifdef HAVE_AESGCM case AES192GCMb: + #endif + #ifdef HAVE_AESCCM case AES192CCMb: + #endif case AES192_WRAP: blockKeySz = 24; break; #endif #ifdef WOLFSSL_AES_256 + #ifdef HAVE_AES_CBC case AES256CBCb: + #endif + #ifdef HAVE_AESGCM case AES256GCMb: + #endif + #ifdef HAVE_AESCCM case AES256CCMb: + #endif case AES256_WRAP: blockKeySz = 32; break; #endif -#endif +#endif /* !NO_AES */ + #ifndef NO_DES3 case DESb: blockKeySz = DES_KEYLEN; break; - case DES3b: blockKeySz = DES3_KEYLEN; break; @@ -7513,7 +7550,7 @@ int wc_PKCS7_AddRecipient_PWRI(PKCS7* pkcs7, byte* passwd, word32 pLen, word32 kdfAlgoIdSeqSz, kdfAlgoIdSz; word32 kdfParamsSeqSz, kdfSaltOctetStrSz, kdfIterationsSz; /* OPTIONAL: keyLength, not supported yet */ - /* OPTIONAL: prf AlgorithIdentifier, not supported yet */ + /* OPTIONAL: prf AlgorithmIdentifier, not supported yet */ /* KeyEncryptionAlgorithmIdentifier */ byte keyEncAlgoIdSeq[MAX_SEQ_SZ]; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 9ab2af2b1..a3da72026 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -454,7 +454,8 @@ WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void); WOLFSSL_TEST_SUBROUTINE int scrypt_test(void); #ifdef HAVE_ECC WOLFSSL_TEST_SUBROUTINE int ecc_test(void); - #ifdef HAVE_ECC_ENCRYPT + #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_128) WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void); #endif #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \ @@ -1215,7 +1216,8 @@ initDefaultName(); return err_sys("ECC test failed!\n", ret); else test_pass("ECC test passed!\n"); - #if defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128) + #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_128) if ( (ret = ecc_encrypt_test()) != 0) return err_sys("ECC Enc test failed!\n", ret); else @@ -23976,7 +23978,8 @@ done: return ret; } -#if defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128) +#if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_128) #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 static int ecc_encrypt_kat(WC_RNG *rng) @@ -24431,7 +24434,7 @@ done: return ret; } -#endif /* HAVE_ECC_ENCRYPT */ +#endif /* HAVE_ECC_ENCRYPT && HAVE_AES_CBC && WOLFSSL_AES_128 */ #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \ !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \ @@ -24513,7 +24516,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void) #endif #endif /* !WC_NO_RNG */ -#if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_HKDF) +#if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_HKDF) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) { word32 y; /* test encrypt and decrypt if they're available */ @@ -30754,7 +30758,7 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, "pkcs7envelopedDataDES3.der"}, #endif - #ifndef NO_AES + #if !defined(NO_AES) && defined(HAVE_AES_CBC) #ifdef WOLFSSL_AES_128 {data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, @@ -30785,7 +30789,7 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, "pkcs7envelopedDataAES256CBC_IANDS.der"}, #endif - #endif /* NO_AES */ + #endif /* !NO_AES && HAVE_AES_CBC */ #endif /* key agreement key encryption technique*/ @@ -31328,7 +31332,7 @@ static int pkcs7authenveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, #endif #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(NO_SHA) && defined(WOLFSSL_AES_128) + !defined(NO_SHA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) #ifndef HAVE_FIPS WOLFSSL_SMALL_STACK_STATIC const char password[] = "password"; @@ -31501,7 +31505,7 @@ static int pkcs7authenveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, /* pwri (PasswordRecipientInfo) recipient types */ #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM) - #if !defined(NO_SHA) && defined(WOLFSSL_AES_128) + #if !defined(NO_SHA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) ADD_PKCS7_TEST_VEC( {data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, @@ -32372,7 +32376,7 @@ WOLFSSL_TEST_SUBROUTINE int pkcs7encrypted_test(void) }; #endif -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) #ifdef WOLFSSL_AES_128 byte aes128Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, @@ -32440,7 +32444,7 @@ WOLFSSL_TEST_SUBROUTINE int pkcs7encrypted_test(void) NULL, 0, "pkcs7encryptedDataDES.der"}, #endif /* NO_DES3 */ -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) #ifdef WOLFSSL_AES_128 {data, (word32)sizeof(data), DATA, AES128CBCb, aes128Key, sizeof(aes128Key), NULL, 0, "pkcs7encryptedDataAES128CBC.der"}, @@ -32469,7 +32473,7 @@ WOLFSSL_TEST_SUBROUTINE int pkcs7encrypted_test(void) sizeof(aes256Key), NULL, 0, "pkcs7encryptedDataAES256CBC_firmwarePkgData.der"}, #endif -#endif /* NO_AES */ +#endif /* !NO_AES && HAVE_AES_CBC */ }; encrypted = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -33277,7 +33281,8 @@ static int pkcs7signed_run_SingleShotVectors( 0x72,0x6c,0x64 }; -#if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) +#if !defined(NO_PKCS7_ENCRYPTED_DATA) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) static byte aes256Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, @@ -33330,7 +33335,8 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0}, - #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) + #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) /* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */ {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf, rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0, @@ -33410,7 +33416,8 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0}, - #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) + #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */ {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf, eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0, diff --git a/wolfssl/openssl/aes.h b/wolfssl/openssl/aes.h index 0899943d5..c8b8c587c 100644 --- a/wolfssl/openssl/aes.h +++ b/wolfssl/openssl/aes.h @@ -82,7 +82,7 @@ WOLFSSL_API void wolfSSL_AES_decrypt #define AES_encrypt wolfSSL_AES_encrypt #define AES_decrypt wolfSSL_AES_decrypt -#endif /* HAVE_AES_DIRECT */ +#endif /* WOLFSSL_AES_DIRECT */ #ifndef AES_ENCRYPT #define AES_ENCRYPT AES_ENCRYPTION diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 213a162a5..a37391521 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -105,7 +105,7 @@ WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ecb(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ecb(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ecb(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void); -#if !defined(NO_AES) && defined(HAVE_AES_CBC) +#if !defined(NO_AES) && (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cbc(void); #endif