diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 4369d0790..2bab9b6ff 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -6,7 +6,7 @@ If you discover a vulnerability, please report it to support@wolfssl.com 1. Include a detailed description 2. Include method to reproduce and/or method of discovery - 3. We will evaulate the report promptly and respond to you with findings. + 3. We will evaluate the report promptly and respond to you with findings. 4. We will credit you with the report if you would like. **Please keep the vulnerability private** until a fix has been released. diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index d9cbec127..8acf5dd18 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -1,4 +1,4 @@ -name: Test MacOS/Ubuntu/Windows compilation +name: GitHub Action Tests concurrency: group: ${{ github.ref }} 
@@ -13,35 +13,122 @@ jobs: name: macOS Build Test runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 + - name: brew run: brew install automake libtool + - name: autogen run: ./autogen.sh - - name: configure - run: ./configure - - name: make - run: make - - name: make check - run: make check - - name: make distcheck - run: make distcheck + + - name: configure make check + run: | + ./configure + make + make check + make distcheck + + - name: configure all make check + run: | + ./configure --enable-all + make + make check + make distcheck + + - name: configure all ASN template + run: | + ./configure --enable-all --enable-asn=template + make + make check + make distcheck + + - name: make user_settings_all.h + run: | + cp ./examples/configs/user_settings_all.h user_settings.h + ./configure --enable-usersettings + make + make check + + - name: user_settings_all.h with compatibility layer + run: | + cp ./examples/configs/user_settings_all.h user_settings.h + sed -i -e "s/if 0/if 1/" user_settings.h + ./configure --enable-usersettings + make + make check + + - name: user_settings_min_ecc.h + run: | + cp ./examples/configs/user_settings_min_ecc.h user_settings.h + ./configure --enable-usersettings --disable-examples + make + ./wolfcrypt/test/testwolfcrypt + + - name: user_settings_wolfboot_keytools.h + run: | + cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h + ./configure --enable-usersettings --disable-examples + make + ./wolfcrypt/test/testwolfcrypt ubuntu_build: name: Ubuntu Build Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 + - name: autogen run: ./autogen.sh - - name: configure - run: ./configure - - name: make - run: make - - name: make check - run: make check - - name: make distcheck - run: make distcheck + + - name: configure make check + run: | + ./configure + make + make check + make distcheck + + - name: configure all make check + run: | + ./configure 
--enable-all + make + make check + make distcheck + + - name: configure all ASN template + run: | + ./configure --enable-all --enable-asn=template + make + make check + make distcheck + + - name: make user_settings_all.h + run: | + cp ./examples/configs/user_settings_all.h user_settings.h + ./configure --enable-usersettings + make + make check + + - name: user_settings_all.h with compatibility layer + run: | + cp ./examples/configs/user_settings_all.h user_settings.h + sed -i -e "s/if 0/if 1/" user_settings.h + ./configure --enable-usersettings + make + make check + + - name: user_settings_min_ecc.h + run: | + cp ./examples/configs/user_settings_min_ecc.h user_settings.h + ./configure --enable-usersettings --disable-examples + make + ./wolfcrypt/test/testwolfcrypt + + - name: user_settings_wolfboot_keytools.h + run: | + cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h + ./configure --enable-usersettings --disable-examples + make + ./wolfcrypt/test/testwolfcrypt windows_build: name: Windows Build Test @@ -56,7 +143,7 @@ jobs: BUILD_CONFIGURATION: Release BUILD_PLATFORM: x64 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v1 diff --git a/configure.ac b/configure.ac index 89bdf0d55..a7a9a93cf 100644 --- a/configure.ac +++ b/configure.ac 
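Review bot: In the "user_settings_all.h with compatibility layer" step (macOS and Ubuntu jobs alike), `sed -i -e "s/if 0/if 1/" user_settings.h` is unanchored, so it flips every `#if 0` in the header rather than only the OpenSSL-compatibility block. If the header has other disabled sections (the "TLS static cipher support - off by default" block looks like one), the job silently builds with those enabled too. Anchoring on the block's own marker keeps the step to what its name says, for example `sed -i.bak -e 's|^#if 0 /\* DG Disabled|#if 1 /* DG Disabled|' user_settings.h`, adjusted to the header's exact spacing. The `-i.bak` form also behaves the same on GNU and BSD sed, whereas `-i -e` on the macOS runner is read as in-place editing with a backup suffix of `-e`. Separately, `actions/checkout@v3` is referenced by a movable tag in all three jobs, and pinning it to a full commit SHA is the usual supply-chain hardening for workflows.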
@@ -8447,10 +8447,10 @@ AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"]) AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"]) AM_CONDITIONAL([BUILD_DO178],[test "x$ENABLED_DO178" = "xyes"]) AM_CONDITIONAL([BUILD_PSA],[test "x$ENABLED_PSA" = "xyes"]) -AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes"]) +AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_QUIC],[test "x$ENABLED_QUIC" = "xyes"]) AM_CONDITIONAL([BUILD_DTLS_CID],[test "x$ENABLED_DTLS_CID" = "xyes"]) -AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes"]) +AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"]) if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" && diff --git a/examples/client/client.c b/examples/client/client.c index 7f828850d..3e5dbb429 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -3662,7 +3662,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } } -#ifdef HAVE_CRL +#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM) if (disableCRL == 0 && !useVerifyCb) { #if defined(HAVE_IO_TIMEOUT) && defined(HAVE_HTTP_CLIENT) wolfIO_SetTimeout(DEFAULT_TIMEOUT_SEC); @@ -4273,7 +4273,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) +#if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \ + defined(HAVE_EXT_CACHE)) if (flatSession) { const byte* constFlatSession = flatSession; session = wolfSSL_d2i_SSL_SESSION(NULL, @@ -4283,7 +4284,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_set_session(sslResume, session); -#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) +#if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \ + defined(HAVE_EXT_CACHE)) if (flatSession) { XFREE(flatSession, NULL, DYNAMIC_TYPE_TMP_BUFFER); } 
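Review bot: `BUILD_DTLS` and `BUILD_DTLS13` now also turn on for `ENABLED_USERSETTINGS`, but nothing on these lines says why, and the neighbouring `BUILD_QUIC` and `BUILD_DTLS_CID` conditionals stay keyed on their own option only. A comment above the two lines would help, for example `# With --enable-usersettings the feature macros come from user_settings.h, so always compile the DTLS sources and rely on their own #ifdef guards.` That reasoning is inferred from the change rather than stated in it. If it is right, it is worth confirming that the DTLS sources compile to nothing when user_settings.h leaves `WOLFSSL_DTLS` undefined, and whether the QUIC and DTLS CID sources need the same treatment.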
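Review bot: With `!defined(NO_FILESYSTEM)` added, the whole `if (disableCRL == 0 && !useVerifyCb)` block is compiled out, so a `HAVE_CRL` build without a filesystem runs the example client with none of that set-up and gives no indication of it. A comment above the `#if` would make the trade-off visible, for example `/* CRL set-up reads from disk; NO_FILESYSTEM builds of this example do no CRL checking */`. The same applies to the matching `HAVE_CRL` guard and the OCSP stapling guard added to server_test in examples/server/server.c. The block's body continues outside this hunk, so what it loads is assumed from the macro and variable names rather than seen here.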
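Review bot: The condition `!defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE))` is now written out twice, around the `wolfSSL_d2i_SSL_SESSION` call and around `XFREE(flatSession, ...)` in the next hunk. It also has to match whatever guards the declaration and allocation of `flatSession`, which lie outside these hunks. If one copy drifts, the buffer ends up undeclared in some configuration or allocated and never freed. Defining the condition once near the top of the file and testing a single macro at each site would remove that risk, for example `#define CLIENT_FLAT_SESSION` under the compound condition (the name is only a suggestion).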
diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h index a631d7872..29d21756a 100644 --- a/examples/configs/user_settings_all.h +++ b/examples/configs/user_settings_all.h @@ -50,22 +50,30 @@ extern "C" { #define HAVE_NULL_CIPHER /* Enable use of TLS cipher suites without cipher (clear text / no encryption) */ #define WOLFSSL_HAVE_CERT_SERVICE #define WOLFSSL_JNI -#define WOLFSSL_SEP +#define WOLFSSL_SEP /* certificate policy set extension */ #define WOLFCRYPT_HAVE_SRP #define WOLFSSL_HAVE_WOLFSCEP #define WOLFSSL_ENCRYPTED_KEYS /* Support for encrypted keys PKCS8 */ #define HAVE_PKCS7 -#define WOLFSSL_MULTI_ATTRIB -#define WOLFSSL_DER_LOAD -#define ASN_BER_TO_DER /* BER to DER support */ #define WOLFSSL_SIGNER_DER_CERT +#define WOLFSSL_TRUST_PEER_CERT +#define WOLFSSL_SYS_CA_CERTS /* Enable ability to load CA certs from OS */ +#define WOLFSSL_WOLFSSH +#define WC_NO_ASYNC_THREADING //#define HAVE_THREAD_LS /* DG Commented: Thread local storage - may not be portable */ //#define WOLFSSL_AEAD_ONLY /* automatically set if TLS v1.3 only, but can be enabled for TLS v1.2 manually */ /* TLS Features */ -#define WOLFSSL_DTLS #define WOLFSSL_TLS13 #define WOLFSSL_EITHER_SIDE /* allow generic server/client method for WOLFSSL_CTX new */ +#define WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE + +/* DTLS */ +#define WOLFSSL_DTLS +#define WOLFSSL_MULTICAST + +/* DTLS v1.3 is not yet included with enable-all */ +//#define WOLFSSL_DTLS13 /* DG Disabled SSLv3 and TLSv1.0 - should avoid using */ //#define WOLFSSL_ALLOW_SSLV3 
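Review bot: Several defines added in this hunk (`WOLFSSL_TRUST_PEER_CERT`, `WOLFSSL_WOLFSSH`, `WC_NO_ASYNC_THREADING`, `WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE`, `WOLFSSL_MULTICAST`) lack the trailing comment that most of their neighbours carry. The same goes for `WC_RSA_NO_PADDING` and `WOLFSSL_PSS_LONG_SALT` in the later RSA hunk. Because this header is an example that people copy, the options that change trust or padding behaviour deserve a line each, for example `#define WOLFSSL_TRUST_PEER_CERT /* allow a peer certificate to be loaded as directly trusted */` and `#define WC_RSA_NO_PADDING /* allow raw RSA operations without padding */`. The wording should be confirmed against the library documentation.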
@@ -80,9 +88,17 @@ extern "C" { #define HAVE_MAX_FRAGMENT #define HAVE_TRUNCATED_HMAC #define HAVE_SESSION_TICKET +#define WOLFSSL_TICKET_HAVE_ID +#define WOLFSSL_FORCE_CACHE_ON_TICKET #define HAVE_EXTENDED_MASTER #define HAVE_TRUSTED_CA #define HAVE_ENCRYPT_THEN_MAC +#define WOLFSSL_POST_HANDSHAKE_AUTH +#define WOLFSSL_SEND_HRR_COOKIE /* Used by DTLS v1.3 */ +#define HAVE_ANON /* anon cipher suites */ +#define HAVE_FALLBACK_SCSV /* TLS_FALLBACK_SCSV */ +#define WOLFSSL_EARLY_DATA +#define HAVE_SERVER_RENEGOTIATION_INFO /* TLS Session Cache */ #define SESSION_CERTS @@ -94,6 +110,22 @@ extern "C" { #define WOLFSSL_CERT_GEN #define WOLFSSL_CERT_REQ #define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB +#define HAVE_SMIME +#define WOLFSSL_DER_LOAD +#define ASN_BER_TO_DER /* BER to DER support */ +#define WOLFSSL_HAVE_ISSUER_NAMES /* Store pointers to issuer name components and their lengths and encodings */ +#define WOLFSSL_SUBJ_DIR_ATTR /* Enable support for SubjectDirectoryAttributes extension */ +#define WOLFSSL_SUBJ_INFO_ACC /* Enable support for SubjectInfoAccess extension */ +#define WOLFSSL_CERT_NAME_ALL /* Adds more certificate name capability at the cost of taking up more memory. Adds initials, givenname, dnQualifer for example */ +#define WOLFSSL_FPKI /* Enable support for FPKI (Federal PKI) extensions */ +#define WOLFSSL_AKID_NAME /* Enable support for full AuthorityKeyIdentifier extension. Only supports copying full AKID from an existing certificate */ +#define HAVE_CTS /* Ciphertext stealing interface */ +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_CUSTOM_OID +#define HAVE_OID_ENCODING +//#define WOLFSSL_ASN_TEMPLATE /* Not enabled yet by default */ /* Certificate Revocation */ #define HAVE_OCSP 
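Review bot: `HAVE_ANON` and `WOLFSSL_EARLY_DATA` are switched on in the TLS extensions block with no caution, while the same header keeps SSLv3/TLS 1.0 commented out with a "should avoid using" remark. Anonymous suites provide no peer authentication and TLS 1.3 early data can be replayed, so a reader copying this file as a starting point should be told these are present for build coverage. Extending the comments would do it, for example `#define HAVE_ANON /* anon cipher suites: no peer authentication, for testing only */` and `#define WOLFSSL_EARLY_DATA /* TLS 1.3 0-RTT: early data is replayable */`.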
@@ -105,11 +137,21 @@ extern "C" { //#define HAVE_CRL_MONITOR /* DG Disabled (Monitors CRL files on filesystem) - not portable feature */ -/* Fast math key size 4096-bit max */ -#define USE_FAST_MATH -#define FP_MAX_BITS 8192 +#if 1 + /* sp_int.c */ + #define WOLFSSL_SP_MATH_ALL +#else + /* Fast math key size 4096-bit max */ + #define USE_FAST_MATH +#endif //#define HAVE___UINT128_T 1 /* DG commented: May not be portable */ +/* Max Sizes */ +#define RSA_MAX_SIZE 4096 +#define FP_MAX_BITS 8192 +#define SP_INT_BITS 4096 + + /* Timing Resistance */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT @@ -118,6 +160,8 @@ extern "C" { /* DH Key Sizes */ #define HAVE_FFDHE_2048 #define HAVE_FFDHE_3072 +#define WOLFSSL_DH_EXTRA /* Enable additional DH key import/export */ +#define HAVE_DH_DEFAULT_PARAMS /* ECC Features */ #define HAVE_ECC @@ -132,9 +176,14 @@ extern "C" { #define HAVE_COMP_KEY /* Compressed key support */ #define FP_ECC /* Fixed point caching - speed repeated operations against same key */ #define HAVE_ECC_ENCRYPT +#define WOLFCRYPT_HAVE_ECCSI +#define WOLFCRYPT_HAVE_SAKKE +#define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT /* RSA */ #define WC_RSA_PSS +#define WOLFSSL_PSS_LONG_SALT +#define WC_RSA_NO_PADDING /* AES */ #define HAVE_AES_DECRYPT @@ -142,11 +191,16 @@ extern "C" { #define WOLFSSL_AES_DIRECT #define WOLFSSL_AES_COUNTER #define HAVE_AESGCM +#define GCM_TABLE_4BIT +#define WOLFSSL_AESGCM_STREAM #define HAVE_AESCCM #define WOLFSSL_AES_OFB #define WOLFSSL_AES_CFB #define WOLFSSL_AES_XTS #define HAVE_AES_KEYWRAP +#define WOLFSSL_AES_CBC_LENGTH_CHECKS +#define WOLFSSL_USE_ALIGN +#define WOLFSSL_AES_SIV /* Hashing */ #define WOLFSSL_SHA224 
@@ -155,29 +209,44 @@ extern "C" { #define WOLFSSL_SHAKE256 #define WOLFSSL_SHA3 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */ +#define WOLFSSL_SHAKE256 /* Additional Algorithms */ #define HAVE_HASHDRBG #define HAVE_CURVE25519 #define HAVE_ED25519 +#define WOLFSSL_ED25519_STREAMING_VERIFY #define CURVED25519_SMALL +#define HAVE_ED448 +#define WOLFSSL_ED448_STREAMING_VERIFY #define HAVE_CURVE448 #define HAVE_POLY1305 #define HAVE_CHACHA +#define HAVE_XCHACHA #define HAVE_HKDF #define HAVE_X963_KDF #define WOLFSSL_CMAC #define WOLFSSL_DES_ECB +#define HAVE_BLAKE2 +#define HAVE_BLAKE2B +#define HAVE_BLAKE2S +#define WOLFSSL_SIPHASH +#define HAVE_KEYING_MATERIAL +#define WOLFSSL_HAVE_PRF + /* Non-Standard Algorithms (DG disabled) */ //#define HAVE_CAMELLIA //#define WOLFSSL_RIPEMD //#define HAVE_SCRYPT +//#define WOLFSSL_MD2 +//#define WOLFSSL_ALLOW_RC4 /* Encoding */ #define WOLFSSL_BASE16 #define WOLFSSL_BASE64_ENCODE + /* Openssl compatibility */ #if 0 /* DG Disabled */ /* Openssl compatibility API's */ @@ -192,6 +261,13 @@ extern "C" { #define NO_OLD_WC_NAMES #define NO_OLD_SSL_NAMES #define NO_OLD_SHA_NAMES + #define NO_OLD_MD5_NAME + #define OPENSSL_NO_EC /* macro to enable ECC in openssl */ + #define WOLFSSL_VERBOSE_ERRORS + #define ERROR_QUEUE_PER_THREAD + #define WOLFSSL_ERROR_CODE_OPENSSL + #define HAVE_WOLFSSL_SSL_H 1 + #define OPENSSL_COMPATIBLE_DEFAULTS /* Openssl compatibility application specific */ #define WOLFSSL_LIBWEBSOCKETS @@ -206,6 +282,9 @@ extern "C" { #define WOLFSSL_ASIO #define ASIO_USE_WOLFSSL #define BOOST_ASIO_USE_WOLFSSL + #define WOLFSSL_OPENVPN + + #define NO_WOLFSSL_STUB #endif /* TLS static cipher support - off by default */ 
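Review bot: The added `#define WOLFSSL_SHAKE256` after `WOLFSSL_HASH_FLAGS` duplicates the identical define that is already present three lines above it as context in this hunk, so the new line has no effect. Dropping it keeps the Hashing block free of repeats. If a different macro was intended there, that intent is not recoverable from the diff.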
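Review bot: `#define OPENSSL_NO_EC /* macro to enable ECC in openssl */` contradicts itself: the macro name says EC is absent while the comment says it enables ECC. An application that tests `OPENSSL_NO_EC` in the usual OpenSSL sense would compile its EC paths out, which does not look like the intent in a header that defines `HAVE_ECC`. Either reword the comment to say what defining it does for the wolfSSL compatibility headers, or drop the define if that effect is unintended. Which of the two applies cannot be decided from the lines shown.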
@@ -222,6 +301,68 @@ extern "C" { #endif +/* Used to manually test disable edge cases */ +#ifdef TEST_DISABLES + #define NO_SESSION_CACHE + + //#define NO_ECC256 + //#define NO_ECC_KEY_EXPORT + //#define NO_ECC_DHE + //#define NO_ECC_SIGN + //#define NO_ECC_VERIFY + + //#define NO_RSA + #define NO_DH + #define NO_DSA + + #define NO_SHA + #define NO_SHA256 + #ifdef NO_SHA256 + #undef WOLFSSL_SHA224 + #endif + #define NO_SHA512 + #ifdef NO_SHA512 + #undef WOLFSSL_SHA384 + #undef WOLFSSL_SHA512 + #undef HAVE_ED25519 + #endif + #define NO_MD4 + #define NO_MD5 + //#define NO_KDF + //#define NO_HMAC + + #define NO_RC4 + #define NO_DES3 + //#define NO_AES + #define NO_AES_CBC + #define WOLFSSL_NO_SHAKE128 + + #define NO_PSK + #define NO_PWDBASED + #define NO_OLD_TLS + //#define WOLFSSL_NO_TLS12 + + //#define NO_64BIT + #define WOLFSSL_SP_NO_MALLOC + #define NO_FILESYSTEM + #define NO_WRITEV + + #define NO_ERROR_STRINGS + //#define NO_WOLFSSL_CLIENT + //#define NO_WOLFSSL_SERVER + + #define NO_MULTIBYTE_PRINT + //#define NO_ASN_TIME + //#define NO_ASN_CRYPT + //#define NO_CODING + #define NO_SIG_WRAPPER + //#define NO_HASH_WRAPPER + //#define WC_NO_HARDEN + + //#define NO_CERTS + //#define NO_ASN +#endif + #ifdef __cplusplus } #endif diff --git a/examples/configs/user_settings_wolfboot_keytools.h b/examples/configs/user_settings_wolfboot_keytools.h index 522e89982..ee283710b 100644 --- a/examples/configs/user_settings_wolfboot_keytools.h +++ b/examples/configs/user_settings_wolfboot_keytools.h @@ -26,7 +26,7 @@ #ifndef H_USER_SETTINGS_ #define H_USER_SETTINGS_ -#include +/* #include */ /* DG: Removed, not needed for testing */ /* System */ #define WOLFSSL_GENERAL_ALIGNMENT 4 @@ -35,8 +35,6 @@ #define SIZEOF_LONG_LONG 8 /* Math */ -#define WOLFSSL_SP -#define WOLFSSL_SP_NO_3072 #define USE_FAST_MATH #define FP_MAX_BITS (4096 * 2) #define TFM_TIMING_RESISTANT 
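Review bot: Inside `TEST_DISABLES` only the SHA-2 switches undo their dependents (`#undef WOLFSSL_SHA224`, `WOLFSSL_SHA384`, `WOLFSSL_SHA512`, `HAVE_ED25519`). `NO_DH` is set while `HAVE_FFDHE_2048`, `WOLFSSL_DH_EXTRA` and `HAVE_DH_DEFAULT_PARAMS` stay defined, `NO_SESSION_CACHE` is set with `WOLFSSL_FORCE_CACHE_ON_TICKET` still on, and `WOLFSSL_ED25519_STREAMING_VERIFY` survives the `HAVE_ED25519` undef. Whether the library tolerates each of those pairings is not visible here, so either add the matching `#undef` lines or state the expectation in a comment such as `/* dependent feature macros above are left defined on purpose; NO_* is expected to take precedence */`. None of the workflow steps added in this commit defines `TEST_DISABLES`, so the block is never exercised in CI.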
@@ -45,10 +43,18 @@ #define HAVE_ECC #define WOLFSSL_HAVE_SP_ECC #define ECC_TIMING_RESISTANT +#define HAVE_ECC256 +#define HAVE_ECC384 +#define HAVE_ECC521 /* ED25519 */ #define HAVE_ED25519 -#define CURVED25519_SMALL +/* DG: Added, since --enable-usersettings expects small version to be used */ +#define ED25519_SMALL + +/* ED448 */ +#define HAVE_ED448 +#define WOLFSSL_SHAKE256 /* RSA */ #define HAVE_RSA @@ -58,14 +64,18 @@ /* Hashing */ #define WOLFSSL_SHA512 /* Required for ED25519 */ +#define WOLFSSL_SHA384 #define WOLFSSL_SHA3 #undef NO_SHA256 /* Chacha stream cipher */ #define HAVE_CHACHA +/* AES */ +#define WOLFSSL_AES_COUNTER +#define WOLFSSL_AES_DIRECT + /* Disables */ -#define NO_AES #define NO_CMAC #define NO_HMAC #define NO_RC4 @@ -73,15 +83,16 @@ #define NO_DH #define NO_DSA #define NO_MD4 +#define NO_RABBIT #define NO_MD5 #define NO_SIG_WRAPPER #define NO_CERT #define NO_SESSION_CACHE +#define NO_HC128 #define NO_DES3 #define NO_PWDBASED #define NO_WRITEV #define NO_FILESYSTEM -//#define NO_MAIN_DRIVER #define NO_OLD_RNGNAME #define NO_WOLFSSL_DIR #define WOLFSSL_NO_SOCK @@ -89,7 +100,10 @@ #define NO_ERROR_STRINGS #define BENCH_EMBEDDED -#define NO_CRYPT_TEST -#define NO_CRYPT_BENCHMARK + +/* DG: Removed since we need it here for testing */ +/* #define NO_MAIN_DRIVER */ +/* #define NO_CRYPT_TEST */ +/* #define NO_CRYPT_BENCHMARK */ #endif /* !H_USER_SETTINGS_ */ diff --git a/examples/server/server.c b/examples/server/server.c index 5678f320e..9e32a7790 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -2995,7 +2995,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifndef NO_HANDSHAKE_DONE_CB wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL); #endif -#ifdef HAVE_CRL +#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM) if (!disableCRL) { #ifdef HAVE_CRL_MONITOR crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON; 
@@ -3021,8 +3021,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #ifndef NO_RSA /* All the OCSP Stapling test certs are RSA. */ -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +#if !defined(NO_FILESYSTEM) && (\ + defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) { /* scope start */ const char* ca1 = "certs/ocsp/intermediate1-ca-cert.pem"; const char* ca2 = "certs/ocsp/intermediate2-ca-cert.pem"; diff --git a/scripts/ocsp.test b/scripts/ocsp.test index 49415b849..0131b0bfd 100755 --- a/scripts/ocsp.test +++ b/scripts/ocsp.test @@ -77,8 +77,8 @@ if test -n "$WOLFSSL_OCSP_TEST"; then printf '%s\n' "Test Passed!" exit 0 elif [ $GL_UNREACHABLE -eq 1 ] && [ $GR_RESULT -eq 0 ]; then - printf '%s\n' "Global Sign is currently unreachable. Logging it but if" - printf '%s\n' "this continues to occur should be investigated" + printf '%s\n' "Global Sign is currently unreachable. Logging it but if" + printf '%s\n' "this continues to occur should be investigated" exit 0 else # Unlike other environment variables the intent of WOLFSSL_OCSP_TEST @@ -96,7 +96,7 @@ else if [ $GL_RESULT -ne 0 ] && [ $GR_RESULT -ne 0 ]; then printf '\n\n%s\n' "Both OCSP connection to globalsign and google failed" printf '%s\n' "Test Failed!" - exit 1 + exit 77 else printf '\n\n%s\n' "WOLFSSL_OCSP_TEST NOT set, and 1 of the tests passed" printf '%s\n' "Test Passed!" diff --git a/src/ssl.c b/src/ssl.c index 2b1c054e3..33d70b416 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2727,8 +2727,8 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #ifdef HAVE_TRUSTED_CA -WOLFSSL_API int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type, - const byte* certId, word32 certIdSz) +int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type, + const byte* certId, word32 certIdSz) { if (ssl == NULL) return BAD_FUNC_ARG; 
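Review bot: Replacing `exit 1` with `exit 77` in the branch where both the GlobalSign and Google checks failed makes the harness report any double failure as skipped (77 is the automake skip code), not only a network outage. The branch also still prints "Test Failed!". A regression in the OCSP path that breaks both lookups would therefore no longer fail the run. The script already tracks `GL_UNREACHABLE` for GlobalSign; an equivalent flag for the Google check is not visible in this hunk. It would be safer to return 77 only when unreachability was actually detected for both, keep `exit 1` otherwise, and print "Test Skipped!" on the skip path.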
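Review bot: Dropping `WOLFSSL_API` from the definition of `wolfSSL_UseTrustedCA`, and from the other definitions in the later src/ssl.c hunks, leaves export visibility entirely to the prototype. Each of these functions therefore needs a `WOLFSSL_API` declaration in a header that ssl.c includes, which cannot be checked from this diff. The ones most worth confirming are the unprefixed `ERR_load_SSL_strings`, `SSL_CTX_set_tmp_dh_callback` and `SSL_COMP_get_compression_methods`. A definition with no attributed prior declaration would stop being exported in a hidden-visibility build.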
@@ -3467,8 +3467,7 @@ int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx) return TLSX_UseSessionTicket(&ctx->extensions, NULL, ctx->heap); } -WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl, - byte* buf, word32* bufSz) +int wolfSSL_get_SessionTicket(WOLFSSL* ssl, byte* buf, word32* bufSz) { if (ssl == NULL || buf == NULL || bufSz == NULL || *bufSz == 0) return BAD_FUNC_ARG; @@ -3483,7 +3482,7 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl, return WOLFSSL_SUCCESS; } -WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf, +int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf, word32 bufSz) { if (ssl == NULL || (buf == NULL && bufSz > 0)) @@ -3523,8 +3522,8 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf, } -WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL* ssl, - CallbackSessionTicket cb, void* ctx) +int wolfSSL_set_SessionTicket_cb(WOLFSSL* ssl, + CallbackSessionTicket cb, void* ctx) { if (ssl == NULL) return BAD_FUNC_ARG; @@ -7573,9 +7572,9 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) return ret == 0 ? WOLFSSL_SUCCESS : ret; } -WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm, - byte *response, int responseSz, buffer *responseBuffer, - CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest) +int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm, + byte *response, int responseSz, buffer *responseBuffer, + CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest) { int ret; 
@@ -11112,6 +11111,43 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) return WOLFSSL_SUCCESS; } +#ifdef OPENSSL_EXTRA +/* Get the session cache mode for CTX + * + * ctx WOLFSSL_CTX struct to get cache mode from + * + * Returns a bit mask that has the session cache mode */ +long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx) +{ + long m = 0; + + WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode"); + + if (ctx == NULL) { + return m; + } + + if (ctx->sessionCacheOff != 1) { + m |= WOLFSSL_SESS_CACHE_SERVER; + } + + if (ctx->sessionCacheFlushOff == 1) { + m |= WOLFSSL_SESS_CACHE_NO_AUTO_CLEAR; + } + +#ifdef HAVE_EXT_CACHE + if (ctx->internalCacheOff == 1) { + m |= WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE; + } + if (ctx->internalCacheLookupOff == 1) { + m |= WOLFSSL_SESS_CACHE_NO_INTERNAL_LOOKUP; + } +#endif + + return m; +} +#endif /* OPENSSL_EXTRA */ + #endif /* NO_SESSION_CACHE */ @@ -14279,7 +14315,7 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI else return NULL; } -#endif +#endif /* !NO_CLIENT_CACHE */ /** * For backwards compatibility, this API needs to be used in *ALL* functions @@ -17654,7 +17690,7 @@ static int GetMinProtoVersion(int minDowngrade) return ret; } -WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx) +int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx) { int ret = 0; @@ -23573,7 +23609,7 @@ const unsigned char *SSL_SESSION_get0_id_context(const WOLFSSL_SESSION *sess, un /*** TBD ***/ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st) +int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st) { (void)st; WOLFSSL_STUB("wolfSSL_sk_SSL_COMP_zero"); @@ -23615,7 +23651,7 @@ long wolfSSL_get_tlsext_status_type(WOLFSSL *s) #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg) +long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg) { (void)s; (void)arg; 
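Review bot: The relocated `wolfSSL_CTX_get_session_cache_mode` logs itself as the setter: `WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode");` should read `WOLFSSL_ENTER("SSL_CTX_get_session_cache_mode");`, otherwise debug traces show two entries for set and none for get. The string was carried over unchanged from the copy this commit removes further down. The function also now appears to sit inside the `NO_SESSION_CACHE` guard, so a build with `OPENSSL_EXTRA` and `NO_SESSION_CACHE` no longer defines it. If the header still declares it unconditionally (not visible here), callers would fail at link time.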
@@ -23626,7 +23662,7 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg) /*** TBD ***/ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg) +long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg) { (void)s; (void)arg; @@ -23637,7 +23673,7 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg) /*** TBD ***/ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg) +long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg) { (void)s; (void)arg; @@ -23648,7 +23684,7 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg) /*** TBD ***/ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) +long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) { (void)s; (void)arg; @@ -23659,7 +23695,8 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) /*** TBD ***/ #ifndef NO_WOLFSSL_STUB -WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len) +int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, + unsigned int sid_len) { (void)s; (void)sid; @@ -23671,7 +23708,8 @@ WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len) +int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, + const unsigned char *sid_ctx, unsigned int sid_ctx_len) { (void)s; (void)sid_ctx; @@ -23782,7 +23820,7 @@ void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at) #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl) +WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl) { (void)ssl; WOLFSSL_STUB("SSL_get_privatekey"); 
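Review bot: Renaming the stubs to `wolfSSL_SESSION_set1_id` and `wolfSSL_SESSION_set1_id_context` changes the exported symbol names, and the header side of that change is not visible in this part of the diff. That side would be a `WOLFSSL_API` prototype for each plus compatibility mappings such as `#define SSL_SESSION_set1_id wolfSSL_SESSION_set1_id`; without them, existing callers of the OpenSSL names stop linking. The rename is also partial: `SSL_CTX_set_tmp_dh_callback`, `SSL_COMP_get_compression_methods` and `ERR_load_SSL_strings` in the following hunks keep their unprefixed names. Both function bodies continue outside the hunk, so what the stubs return is not shown.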
@@ -23801,8 +23839,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl) * * return the string length written on success, WOLFSSL_FAILURE on failure. */ -WOLFSSL_API int wolfSSL_i2t_ASN1_OBJECT(char *buf, int buf_len, - WOLFSSL_ASN1_OBJECT *a) +int wolfSSL_i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a) { WOLFSSL_ENTER("wolfSSL_i2t_ASN1_OBJECT"); return wolfSSL_OBJ_obj2txt(buf, buf_len, a, 0); @@ -23931,8 +23968,7 @@ WOLFSSL_ASN1_OBJECT *wolfSSL_c2i_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT **a, #ifndef NO_BIO /* Return number of bytes written to BIO on success. 0 on failure. */ -WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, - WOLFSSL_ASN1_OBJECT *a) +int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a) { int length = 0; word32 idx = 0; @@ -24009,7 +24045,8 @@ int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp) #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength)) +void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, + WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength)) { (void)ctx; (void)dh; @@ -24019,7 +24056,7 @@ WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) +WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { WOLFSSL_STUB("SSL_COMP_get_compression_methods"); return NULL; 
@@ -24036,21 +24073,21 @@ int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p) return (int)p->num; } -WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i) +WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i) { WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_value"); return (WOLFSSL_CIPHER*)wolfSSL_sk_value(sk, i); } #if !defined(NETOS) -WOLFSSL_API void ERR_load_SSL_strings(void) +void ERR_load_SSL_strings(void) { } #endif #ifdef HAVE_OCSP -WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) +long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) { if (s == NULL || resp == NULL) return 0; @@ -24059,7 +24096,8 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char * return s->ocspRespSz; } -WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len) +long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, + int len) { if (s == NULL) return WOLFSSL_FAILURE; @@ -24079,8 +24117,8 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char * * @param mode maximum fragment length mode * @return 1 on success, otherwise 0 or negative error code */ -WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c, - unsigned char mode) +int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c, + unsigned char mode) { if (c == NULL || (mode < WOLFSSL_MFL_2_9 || mode > WOLFSSL_MFL_2_12 )) return BAD_FUNC_ARG; 
@@ -24093,8 +24131,7 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c, * @param mode maximum fragment length mode * @return 1 on success, otherwise 0 or negative error code */ -WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s, - unsigned char mode) +int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s, unsigned char mode) { if (s == NULL || (mode < WOLFSSL_MFL_2_9 || mode > WOLFSSL_MFL_2_12 )) return BAD_FUNC_ARG; @@ -24107,7 +24144,7 @@ WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s, #endif /* OPENSSL_EXTRA */ #ifdef WOLFSSL_HAVE_TLS_UNIQUE -WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count) +size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count) { byte len = 0; @@ -24129,7 +24166,7 @@ WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t co return len; } -WOLFSSL_API size_t wolfSSL_get_peer_finished(const WOLFSSL *ssl, void *buf, size_t count) +size_t wolfSSL_get_peer_finished(const WOLFSSL *ssl, void *buf, size_t count) { byte len = 0; WOLFSSL_ENTER("SSL_get_peer_finished"); 
@@ -24400,44 +24437,7 @@ long wolfSSL_CTX_set_tlsext_status_arg(WOLFSSL_CTX* ctx, void* arg) return WOLFSSL_SUCCESS; } -#endif /* NO_CERTS */ - - -/* Get the session cache mode for CTX - * - * ctx WOLFSSL_CTX struct to get cache mode from - * - * Returns a bit mask that has the session cache mode */ -WOLFSSL_API long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx) -{ - long m = 0; - - WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode"); - - if (ctx == NULL) { - return m; - } - - if (ctx->sessionCacheOff != 1) { - m |= SSL_SESS_CACHE_SERVER; - } - - if (ctx->sessionCacheFlushOff == 1) { - m |= SSL_SESS_CACHE_NO_AUTO_CLEAR; - } - -#ifdef HAVE_EXT_CACHE - if (ctx->internalCacheOff == 1) { - m |= SSL_SESS_CACHE_NO_INTERNAL_STORE; - } - if (ctx->internalCacheLookupOff == 1) { - m |= SSL_SESS_CACHE_NO_INTERNAL_LOOKUP; - } -#endif - - return m; -} - +#endif /* !NO_CERTS */ int wolfSSL_get_read_ahead(const WOLFSSL* ssl) { @@ -25201,7 +25201,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a) /* * Convert time to Unix time (GMT). */ -static long long TimeToUnixTime(int sec, int minute, int hour, int mday, +static long long TimeToUnixTime(int sec, int minute, int hour, int mday, int mon, int year) { /* Number of cumulative days from the previous months, starting from @@ -25218,7 +25218,7 @@ static long long TimeToUnixTime(int sec, int minute, int hour, int mday, 1969 / 100 - 1969 / 400; return ((((long long) (year - 1970) * 365 + leapDays + - monthDaysCumulative[mon] + mday - 1) * 24 + hour) * 60 + minute) * + monthDaysCumulative[mon] + mday - 1) * 24 + hour) * 60 + minute) * 60 + sec; } @@ -35612,7 +35612,7 @@ int wolfSSL_BN_sub(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* a, return 0; } -WOLFSSL_API int wolfSSL_BN_mul(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b, +int wolfSSL_BN_mul(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b, WOLFSSL_BN_CTX *ctx) { int ret = WOLFSSL_SUCCESS; 
@@ -35827,7 +35827,7 @@ int wolfSSL_BN_is_negative(const WOLFSSL_BIGNUM* bn) return mp_isneg((mp_int*)bn->internal); } -WOLFSSL_API void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn) +void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn) { if (bn == NULL || bn->internal == NULL) { return; @@ -35836,7 +35836,7 @@ WOLFSSL_API void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn) mp_zero((mp_int*)bn->internal); } -WOLFSSL_API int wolfSSL_BN_one(WOLFSSL_BIGNUM* bn) +int wolfSSL_BN_one(WOLFSSL_BIGNUM* bn) { int ret = WOLFSSL_SUCCESS; @@ -36633,7 +36633,7 @@ int wolfSSL_BN_add_word(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w) /* return code compliant with OpenSSL : * 1 if success, 0 else */ -WOLFSSL_API int wolfSSL_BN_sub_word(WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w) +int wolfSSL_BN_sub_word(WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w) { int ret; @@ -40554,7 +40554,7 @@ error: * RETURNS: * returns pointer to a PKCS7 structure on success, otherwise returns NULL */ -WOLFSSL_API PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in, +PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in, WOLFSSL_BIO** bcont) { MimeHdr* allHdrs = NULL; diff --git a/src/tls.c b/src/tls.c index b58cebf23..d02fdb19c 100644 --- a/src/tls.c +++ b/src/tls.c @@ -10058,7 +10058,7 @@ int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 maxSz, int is_response) extension->resp = is_response; /* In QUIC, earlydata size is either 0 or 0xffffffff. - * Override any size between, possibly left from our intial value */ + * Override any size between, possibly left from our initial value */ extension->val = (WOLFSSL_IS_QUIC(ssl) && is_response && maxSz > 0) ? WOLFSSL_MAX_32BIT : maxSz; @@ -11407,7 +11407,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) #endif } #endif -#endif +#endif /* WOLFSSL_TLS13 */ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (!SSL_CM(ssl)->ocspStaplingEnabled) { 
@@ -11480,8 +11480,9 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); #endif #ifdef WOLFSSL_TLS13 - if (!IsAtLeastTLSv1_2(ssl)) + if (!IsAtLeastTLSv1_2(ssl)) { TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); + } #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) if (!IsAtLeastTLSv1_3(ssl->version)) { TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); @@ -11506,7 +11507,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) */ TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); #endif -#endif +#endif /* WOLFSSL_TLS13 */ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) /* mark already sent, so it won't send it */ 
@@ -11591,33 +11592,34 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength) #ifndef NO_WOLFSSL_SERVER case server_hello: PF_VALIDATE_RESPONSE(ssl, semaphore); - #ifdef WOLFSSL_TLS13 + #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) { XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); - #ifdef HAVE_SUPPORTED_CURVES - if (!ssl->options.noPskDheKe) + #ifdef HAVE_SUPPORTED_CURVES + if (!ssl->options.noPskDheKe) { TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); - #endif - #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) + } + #endif + #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); - #endif - #ifdef WOLFSSL_DTLS_CID + #endif + #ifdef WOLFSSL_DTLS_CID TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID)); - #endif /* WOLFSSL_DTLS_CID */ + #endif } - #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) + #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) else { - #ifdef HAVE_SUPPORTED_CURVES + #ifdef HAVE_SUPPORTED_CURVES TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); - #endif - #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) + #endif + #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); - #endif + #endif } - #endif - #endif + #endif + #endif /* WOLFSSL_TLS13 */ break; #ifdef WOLFSSL_TLS13 diff --git a/tests/api.c b/tests/api.c index a521d3513..95b010f5a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -402,7 +402,7 @@ typedef struct testVector { /* Test failed. */ #define TEST_FAIL (0) /* Test skipped - not run. */ -#define TEST_SKIPPED (-1) +#define TEST_SKIPPED (-7777) /* Returns the result based on whether check is true. * 
@@ -2897,8 +2897,11 @@ static int test_wolfSSL_CertRsaPss(void) XFILE f; const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; -#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ + RSA_MAX_SIZE >= 3072 const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; +#endif +#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; #endif DecodedCert cert; @@ -3290,7 +3293,7 @@ static int test_wolfSSL_CTX_SetMinMaxDhKey_Sz(void) static int test_wolfSSL_CTX_der_load_verify_locations(void) { int res = TEST_SKIPPED; -#if defined(WOLFSSL_DER_LOAD) && \ +#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_DER_LOAD) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) WOLFSSL_CTX* ctx = NULL; const char* derCert = "./certs/server-cert.der"; @@ -7326,9 +7329,11 @@ static void test_wolfSSL_CTX_add_session_ctx_ready(WOLFSSL_CTX* ctx) /* Don't store sessions. Lookup is still enabled. */ AssertIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); +#ifdef OPENSSL_EXTRA AssertIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); +#endif /* Require both peers to provide certs */ wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); } @@ -7391,9 +7396,11 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) AssertNotNull(peer); wolfSSL_X509_free(peer); AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); - AssertNotNull(wolfSSL_SESSION_get0_peer(*sess)); + #ifdef OPENSSL_EXTRA + AssertNotNull(SSL_SESSION_get0_peer(*sess)); + #endif } -#endif +#endif /* SESSION_CERTS */ } static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl) 
@@ -9229,7 +9236,8 @@ static int test_wolfSSL_wolfSSL_UseSecureRenegotiation(void) return res; } -#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC)) +#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_SERVER) && \ + (!defined(NO_RSA) || defined(HAVE_ECC)) /* Called when writing. */ static int DummySend(WOLFSSL* ssl, char* buf, int sz, void* ctx) { @@ -9269,7 +9277,8 @@ static int BufferInfoRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx) static int test_tls_ext_duplicate(void) { int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC)) +#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC)) && \ + !defined(NO_FILESYSTEM) const unsigned char clientHelloDupTlsExt[] = { 0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00, 0x66, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe, @@ -27326,7 +27335,7 @@ static int test_wc_Ed448PrivateKeyToDer(void) static int test_wc_SetSubjectBuffer(void) { int res = TEST_SKIPPED; -#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) +#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) Cert cert; FILE* file; byte* der; @@ -28291,7 +28300,7 @@ static int test_wc_PKCS7_EncodeSignedData_ex(void) } /* END test_wc_PKCS7_EncodeSignedData_ex */ -#if defined(HAVE_PKCS7) +#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) /** * Loads certs/keys from files or buffers into the argument buffers, @@ -28590,7 +28599,7 @@ static int CreatePKCS7SignedData(unsigned char* output, int outputSz, static int test_wc_PKCS7_VerifySignedData(void) { int res = TEST_SKIPPED; -#if defined(HAVE_PKCS7) +#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) PKCS7* pkcs7; byte output[6000]; /* Large size needed for bundles with int CA certs */ word32 outputSz = sizeof(output); 
@@ -29009,9 +29018,11 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) #endif /* USE_CERT_BUFFERS_256 */ #endif /* END HAVE_ECC */ +#ifndef NO_FILESYSTEM /* Silence. */ (void)keyFile; (void)certFile; +#endif { const pkcs7EnvelopedVector testVectors[] = { @@ -31310,12 +31321,12 @@ static int test_wc_GetPubKeyDerFromCert(void) byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ word32 keyDerSz = (word32)sizeof(keyDer); DecodedCert decoded; -#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) +#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */ word32 certBufSz = sizeof(certBuf); #endif #if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \ - defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) + defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) XFILE fp; #endif #ifndef NO_RSA @@ -31390,7 +31401,7 @@ static int test_wc_GetPubKeyDerFromCert(void) wc_FreeDecodedCert(&decoded); /* Certificate Request Tests */ - #ifdef WOLFSSL_CERT_REQ + #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) { XMEMSET(certBuf, 0, sizeof(certBuf)); fp = XFOPEN("./certs/csr.signed.der", "rb"); @@ -37597,9 +37608,10 @@ static int test_wolfSSL_X509_get_ext_count(void) static int test_wolfSSL_X509_sign2(void) { int res = TEST_SKIPPED; + /* test requires WOLFSSL_AKID_NAME to match expected output */ #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_AKID_NAME) && \ (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)) WOLFSSL_X509 *x509, *ca; const unsigned char *der; 
@@ -55731,7 +55743,7 @@ static int test_ENGINE_cleanup(void) static int test_wolfSSL_CTX_LoadCRL(void) { int res = TEST_SKIPPED; -#if defined(HAVE_CRL) && !defined(NO_RSA) +#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; const char* badPath = "dummypath"; @@ -59088,7 +59100,10 @@ static int test_wolfSSL_DTLS_fragment_buckets(void) } #endif -#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ + + +#if !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) static int test_wolfSSL_dtls_stateless2(void) @@ -59268,7 +59283,7 @@ static int _test_wolfSSL_dtls_stateless_resume(byte useticket, byte bad) wolfSSL_free(ssl_s); wolfSSL_CTX_free(ctx_c); wolfSSL_CTX_free(ctx_s); - return TEST_SUCCESS; + return 0; } static int test_wolfSSL_dtls_stateless_resume(void) @@ -59277,18 +59292,18 @@ static int test_wolfSSL_dtls_stateless_resume(void) #ifdef HAVE_SESSION_TICKET ret = _test_wolfSSL_dtls_stateless_resume(1, 0); if (ret != 0) - return ret; + return TEST_RES_CHECK(ret); ret = _test_wolfSSL_dtls_stateless_resume(1, 1); if (ret != 0) - return ret - 100; + return TEST_RES_CHECK(ret - 100); #endif /* HAVE_SESION_TICKET */ ret = _test_wolfSSL_dtls_stateless_resume(0, 0); if (ret != 0) - return ret - 200; + return TEST_RES_CHECK(ret - 200); ret = _test_wolfSSL_dtls_stateless_resume(0, 1); if (ret != 0) - return ret - 300; - return TEST_SUCCESS; + return TEST_RES_CHECK(ret - 300); + return TEST_RES_CHECK(TEST_SUCCESS); } #endif /* WOLFSSL_DTLS_NO_HVR_ON_RESUME */ 
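Review bot: The failure branches of test_wolfSSL_dtls_stateless_resume now wrap a non-zero value in TEST_RES_CHECK, which would report a helper failure as a pass if the macro maps a true argument to TEST_SUCCESS, as its comment in tests/api.c suggests (the macro body is not shown here). The same applies to `ret - 100`, `ret - 200` and `ret - 300`, which are non-zero unless ret happens to equal the offset. Return the failure value directly with `if (ret != 0) return TEST_FAIL;`, or keep the offsets for logging and finish with `return TEST_RES_CHECK(ret == 0);`. The start of the function and the helper's other return paths are outside the hunk.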
@@ -60537,7 +60552,8 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_DtlsUpdateWindow), TEST_DECL(test_wolfSSL_DTLS_fragment_buckets), #endif -#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ +#if !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) #ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME TEST_DECL(test_wolfSSL_dtls_stateless_resume), @@ -60713,7 +60729,11 @@ void ApiTest(void) printf(" %s\n", apitest_res_string(ret)); } fflush(stdout); - AssertIntNE(ret, TEST_FAIL); + /* if return code is < 0 and not skipped then assert error */ + Assert((ret > 0 || ret == TEST_SKIPPED), + ("Test failed\n"), + ("ret %d", ret)); + TestCleanup(); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e40d27422..2fc822f54 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -13195,7 +13195,8 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, cert->subjectEmail = (char*)&input[srcIdx]; cert->subjectEmailLen = strLen; } - #if defined(WOLFSSL_HAVE_ISSUER_NAMES) + #if defined(WOLFSSL_HAVE_ISSUER_NAMES) && \ + (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)) else if (nameType == ISSUER) { cert->issuerEmail = (char*)&input[srcIdx]; cert->issuerEmailLen = strLen; @@ -15059,7 +15060,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx) sigCtx->state = SIG_STATE_BEGIN; } -#ifndef NO_ASN_CRYPT +#if !defined(NO_ASN_CRYPT) && !defined(NO_HASH_WRAPPER) static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, byte* digest, int* typeH, int* digestSz, int verify) { @@ -15226,7 +15227,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, return ret; } -#endif /* !NO_ASN_CRYPT */ +#endif /* !NO_ASN_CRYPT && !NO_HASH_WRAPPER */ /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ static int ConfirmSignature(SignatureCtx* sigCtx, 
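Review bot: The comment added above the new Assert in ApiTest says a result `< 0` is an error, but the condition `ret > 0 || ret == TEST_SKIPPED` also rejects 0, which is TEST_FAIL in this file. Reword the comment to match the check, for example `/* any result <= 0 other than TEST_SKIPPED is a failure */`. It would also help to note beside `TEST_SKIPPED (-7777)` that the value is a sentinel chosen to stay clear of negative error codes returned by tests, which appears to be the intent. ApiTest's body extends outside the hunk.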
@@ -15926,7 +15927,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, break; } #endif /* !NO_DSA && !HAVE_SELFTEST */ - #if defined(HAVE_ECC) + #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY) case ECDSAk: { #if defined(HAVE_PK_CALLBACKS) @@ -22343,6 +22344,7 @@ wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; const int pem_struct_min_sz = XSTR_SIZEOF("-----BEGIN X509 CRL-----" "-----END X509 CRL-----"); +#ifdef WOLFSSL_PEM_TO_DER static WC_INLINE const char* SkipEndOfLineChars(const char* line, const char* endOfLine) { @@ -22353,6 +22355,7 @@ static WC_INLINE const char* SkipEndOfLineChars(const char* line, } return line; } +#endif int wc_PemGetHeaderFooter(int type, const char** header, const char** footer) { @@ -27735,7 +27738,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz, } #endif /* !NO_RSA */ - #ifdef HAVE_ECC + #if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) if (!rsaKey && eccKey) { word32 outSz = sigSz; @@ -27744,7 +27747,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz, if (ret == 0) ret = outSz; } - #endif /* HAVE_ECC */ + #endif /* HAVE_ECC && HAVE_ECC_SIGN */ #if defined(HAVE_ED25519) && defined(HAVE_ED25519_SIGN) if (!rsaKey && !eccKey && ed25519Key) { @@ -35166,9 +35169,7 @@ static int GetRevoked(RevokedCert* rcert, const byte* buff, word32* idx, DecodedCRL* dcrl, int maxIdx) { #ifndef WOLFSSL_ASN_TEMPLATE -#ifndef NO_ASN_TIME int ret; -#endif int len; word32 end; RevokedCert* rc; diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index f4a330c4e..9e34611ee 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c 
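Review bot: With HAVE_ECC_VERIFY undefined, `case ECDSAk:` disappears from this switch in ConfirmSignature, so an ECDSA-signed object is handled by the switch's default label, which is outside the hunk. That path has to return an error and must not leave `ret` at a success value, and this is worth confirming for a build with HAVE_ECC but without HAVE_ECC_VERIFY. Once confirmed, a short comment at the guard would document it, e.g. `/* without HAVE_ECC_VERIFY, ECDSAk is rejected by default: below */`. ConfirmSignature starts and ends outside the hunk, so any other switches on the key type in it are not visible here.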
@@ -225,7 +225,8 @@ ECC Curve Sizes: /* forward declarations */ static int wc_ecc_new_point_ex(ecc_point** point, void* heap); static void wc_ecc_del_point_ex(ecc_point* p, void* heap); -#if defined(WOLFSSL_ECDSA_DETERMINISTIC_K) || defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT) +#if defined(HAVE_ECC_SIGN) && (defined(WOLFSSL_ECDSA_DETERMINISTIC_K) || \ + defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT)) static int deterministic_sign_helper(const byte* in, word32 inlen, ecc_key* key); #endif @@ -1257,7 +1258,7 @@ const size_t ecc_sets_count = ECC_SET_COUNT - 1; #endif -#ifdef HAVE_COMP_KEY +#if defined(HAVE_COMP_KEY) && defined(HAVE_ECC_KEY_EXPORT) static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen); #endif @@ -14373,7 +14374,7 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret) #endif /* !WOLFSSL_SP_MATH */ #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A && !WOLFSSL_CRYPTOCELL */ - +#ifdef HAVE_ECC_KEY_EXPORT /* export public ECC key in ANSI X9.63 format compressed */ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen) { @@ -14414,7 +14415,7 @@ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen return ret; } - +#endif /* HAVE_ECC_KEY_EXPORT */ #endif /* HAVE_COMP_KEY */ @@ -14479,7 +14480,7 @@ int wc_ecc_set_custom_curve(ecc_key* key, const ecc_set_type* dp) } #endif /* WOLFSSL_CUSTOM_CURVES */ -#ifdef HAVE_X963_KDF +#if defined(HAVE_X963_KDF) && !defined(NO_HASH_WRAPPER) static WC_INLINE void IncrementX963KdfCounter(byte* inOutCtr) { @@ -14581,7 +14582,7 @@ int wc_X963_KDF(enum wc_HashType type, const byte* secret, word32 secretSz, return ret; } -#endif /* HAVE_X963_KDF */ +#endif /* HAVE_X963_KDF && !NO_HASH_WRAPPER */ #ifdef WOLFSSL_SE050 /* Use specified hardware key ID with ecc_key operations. Unlike devId, diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index bc25ee39c..d9b968962 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c 
@@ -54,7 +54,7 @@ #include -#ifdef WOLFSSL_HAVE_PRF +#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC) #ifdef WOLFSSL_SHA512 #define P_HASH_MAX_SIZE WC_SHA512_DIGEST_SIZE @@ -335,7 +335,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, return ret; } -#endif /* WOLFSSL_HAVE_PRF */ +#endif /* WOLFSSL_HAVE_PRF && !NO_HMAC */ #if defined(HAVE_HKDF) && !defined(NO_HMAC) diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c index fb85a67e4..6568d1288 100644 --- a/wolfcrypt/src/misc.c +++ b/wolfcrypt/src/misc.c @@ -834,8 +834,8 @@ WC_STATIC WC_INLINE word32 MakeWordFromHash(const byte* hashID) #endif /* HAVE_SESSION_TICKET || !NO_CERTS || !NO_SESSION_CACHE */ -#if !defined(WOLFCRYPT_ONLY) && (!defined(NO_SESSION_CACHE) || \ - defined(HAVE_SESSION_TICKET)) +#if !defined(WOLFCRYPT_ONLY) && !defined(NO_HASH_WRAPPER) && \ + (!defined(NO_SESSION_CACHE) || defined(HAVE_SESSION_TICKET)) #include @@ -856,7 +856,8 @@ WC_STATIC WC_INLINE word32 HashObject(const byte* o, word32 len, int* error) return *error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */ } -#endif /* WOLFCRYPT_ONLY && (!NO_SESSION_CACHE || HAVE_SESSION_TICKET) */ +#endif /* WOLFCRYPT_ONLY && !NO_HASH_WRAPPER && + * (!NO_SESSION_CACHE || HAVE_SESSION_TICKET) */ #undef WC_STATIC diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 8d612c0b0..e2e546e7d 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -1611,7 +1611,7 @@ int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, /* UnPadding */ -#ifndef WC_NO_RSA_OAEP +#if !defined(WC_NO_RSA_OAEP) && !defined(NO_HASH_WRAPPER) /* UnPad plaintext, set start to *output, return length of plaintext, * < 0 on error */ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen, 
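Review bot: The rewritten `#endif` comment after HashObject in wolfcrypt/src/misc.c still begins with `WOLFCRYPT_ONLY`, although the opening condition is `!defined(WOLFCRYPT_ONLY)`. Since the commit already edits this comment to add `!NO_HASH_WRAPPER`, negate the first term too: `#endif /* !WOLFCRYPT_ONLY && !NO_HASH_WRAPPER &&` followed by the existing second line. As written, the comment reads as if the block were compiled only in a wolfCrypt-only build, which is the opposite of the guard.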
@@ -1724,7 +1724,7 @@ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen, *output = (byte*)(pkcsBlock + idx); return pkcsBlockLen - idx; } -#endif /* WC_NO_RSA_OAEP */ +#endif /* !WC_NO_RSA_OAEP */ #ifdef WC_RSA_PSS /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 296405408..5f67ae98d 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -13149,7 +13149,7 @@ WOLFSSL_TEST_SUBROUTINE int memory_test(void) static const char* certEccRsaDerFile = CERT_WRITE_TEMP_DIR "certeccrsa.der"; #endif #if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) && \ - !defined(WOLF_CRYPTO_CB_ONLY_ECC) + !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(NO_ASN_CRYPT) static const char* eccCaKeyPemFile = CERT_WRITE_TEMP_DIR "ecc-key.pem"; static const char* eccPubKeyDerFile = CERT_WRITE_TEMP_DIR "ecc-public-key.der"; static const char* eccCaKeyTempFile = CERT_WRITE_TEMP_DIR "ecc-key.der"; @@ -22624,6 +22624,7 @@ static int ecc_test_vector_item(const eccVector* vector) } #endif +#ifdef HAVE_ECC_VERIFY do { #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); @@ -22638,6 +22639,7 @@ static int ecc_test_vector_item(const eccVector* vector) if (verify != 1) ret = -9812; +#endif done: @@ -23349,7 +23351,7 @@ done: } #endif -#ifdef HAVE_ECC_CDH +#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_DHE) static int ecc_test_cdh_vectors(WC_RNG* rng) { int ret; @@ -23449,7 +23451,7 @@ done: return ret; } -#endif /* HAVE_ECC_CDH */ +#endif /* HAVE_ECC_CDH && HAVE_ECC_DHE */ #endif /* HAVE_ECC_VECTOR_TEST */ #ifdef HAVE_ECC_KEY_IMPORT 
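Review bot: The closing comment for RsaUnPad_OAEP in wolfcrypt/src/rsa.c becomes `/* !WC_NO_RSA_OAEP */`, but the matching `#if` in the preceding hunk now also tests `!defined(NO_HASH_WRAPPER)`. Other guards in this commit spell out the full condition (the X963 KDF block in ecc.c, for instance), so this one should read `#endif /* !WC_NO_RSA_OAEP && !NO_HASH_WRAPPER */`. The callers of RsaUnPad_OAEP are not visible here; presumably they sit behind the same condition, which is worth checking with a NO_HASH_WRAPPER build.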
@@ -23933,20 +23935,17 @@ done: static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, int curve_id, const ecc_set_type* dp) { -#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \ +#if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \ !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) WC_DECLARE_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT); WC_DECLARE_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT); + word32 y; #endif #ifdef HAVE_ECC_KEY_EXPORT #define ECC_KEY_EXPORT_BUF_SIZE (MAX_ECC_BYTES * 2 + 32) WC_DECLARE_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT); #endif word32 x = 0; -#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \ - !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) - word32 y; -#endif #if defined(HAVE_ECC_SIGN) && !defined(WOLFSSL_KCAPI_ECC) WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT); WC_DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT); @@ -24108,7 +24107,6 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, if (XMEMCMP(sharedA, sharedB, x)) ERROR_OUT(-9920, done); TEST_SLEEP(); -#endif /* HAVE_ECC_DHE */ #ifdef HAVE_ECC_CDH /* add cofactor flag */ @@ -24149,6 +24147,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, wc_ecc_set_flags(userA, 0); wc_ecc_set_flags(userB, 0); #endif /* HAVE_ECC_CDH */ +#endif /* HAVE_ECC_DHE */ #endif /* !WOLFSSL_ATECC508A && WOLFSSL_ATECC608A */ #ifdef HAVE_ECC_KEY_EXPORT @@ -26273,7 +26272,7 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test(void) goto done; } #endif -#ifdef HAVE_ECC_CDH +#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_DHE) ret = ecc_test_cdh_vectors(&rng); if (ret != 0) { printf("ecc_test_cdh_vectors failed! %d\n", ret); @@ -44262,6 +44261,6 @@ WOLFSSL_TEST_SUBROUTINE int aes_siv_test(void) #else #ifndef NO_MAIN_DRIVER - int main() { return 0; } + int main(void) { return 0; } #endif #endif /* NO_CRYPT_TEST */ 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ac926014a..857cb79a3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3651,7 +3651,7 @@ typedef struct Ciphers { #ifdef HAVE_CHACHA ChaCha* chacha; #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER) +#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER) && !defined(NO_HMAC) Hmac* hmac; #endif #ifdef WOLFSSL_CIPHER_TEXT_CHECK diff --git a/wolfssl/openssl/pem.h b/wolfssl/openssl/pem.h index 7b328dd81..19618ebd6 100644 --- a/wolfssl/openssl/pem.h +++ b/wolfssl/openssl/pem.h @@ -218,6 +218,8 @@ WOLFSSL_API int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh); #endif /* NO_FILESYSTEM */ +#define PEM_BUFSIZE WOLF_PEM_BUFSIZE + #define PEM_read wolfSSL_PEM_read #define PEM_read_bio wolfSSL_PEM_read_bio #define PEM_write wolfSSL_PEM_write diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index dd3c04daf..93e54c4a4 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -362,6 +362,9 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define SSL_SESSION_set_cipher wolfSSL_SESSION_set_cipher #define SSL_is_init_finished wolfSSL_is_init_finished +#define SSL_SESSION_set1_id wolfSSL_SESSION_set1_id +#define SSL_SESSION_set1_id_context wolfSSL_SESSION_set1_id_context + #define SSL_get_version wolfSSL_get_version #define SSL_get_current_cipher wolfSSL_get_current_cipher diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index c2b4aa605..c2877f404 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2516,8 +2516,6 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio); #define SSL_R_TLSV1_ALERT_UNKNOWN_CA WOLFSSL_R_TLSV1_ALERT_UNKNOWN_CA #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN WOLFSSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE WOLFSSL_R_SSLV3_ALERT_BAD_CERTIFICATE - - #define PEM_BUFSIZE WOLF_PEM_BUFSIZE #endif enum { /* ssl Constants */ 
@@ -5009,8 +5007,8 @@ WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context( #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); -WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); +WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); +WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); WOLFSSL_API WOLFSSL_X509_ALGOR* wolfSSL_X509_ALGOR_new(void); WOLFSSL_API void wolfSSL_X509_ALGOR_free(WOLFSSL_X509_ALGOR *alg); WOLFSSL_API const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x); diff --git a/wolfssl/test.h b/wolfssl/test.h index 34f4ce630..dd523536c 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -3681,7 +3681,7 @@ static WC_INLINE int myEccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey, #endif /* HAVE_ECC */ -#ifdef HAVE_HKDF +#if defined(HAVE_HKDF) && !defined(NO_HMAC) static WC_INLINE int myHkdfExtract(byte* prk, const byte* salt, word32 saltLen, byte* ikm, word32 ikmLen, int digest, void* ctx) { @@ -3722,7 +3722,7 @@ static WC_INLINE int myHkdfExtract(byte* prk, const byte* salt, word32 saltLen, ikmLen); return ret; } -#endif /* HAVE_HKDF */ +#endif /* HAVE_HKDF && !NO_HMAC */ #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT) #ifdef HAVE_ED25519_SIGN @@ -4590,9 +4590,9 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) wolfSSL_CTX_SetEccVerifyCb(ctx, myEccVerify); wolfSSL_CTX_SetEccSharedSecretCb(ctx, myEccSharedSecret); #endif /* HAVE_ECC */ - #ifdef HAVE_HKDF + #if defined(HAVE_HKDF) && !defined(NO_HMAC) wolfSSL_CTX_SetHKDFExtractCb(ctx, myHkdfExtract); - #endif /* HAVE_HKDF */ + #endif /* HAVE_HKDF && !NO_HMAC */ #ifndef NO_DH wolfSSL_CTX_SetDhAgreeCb(ctx, myDhCallback); #endif 
@@ -5131,12 +5131,14 @@ void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName); #define DTLS_CID_BUFFER_SIZE 256 -#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET) \ +#if !defined(NO_FILESYSTEM) && ( \ + defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET) \ && defined(WOLFSSL_TLS13) && \ (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))\ || \ (defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)) + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER))) + #define TEST_MEMIO_BUF_SZ (64 * 1024) struct test_memio_ctx {