From 77fe4f3a2eb76dbe91a8d75a98ab01b73e33c90f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 28 May 2015 10:25:41 -0700 Subject: [PATCH] Fixes #71. Disable SHA works with TLS, PWDBASED, testing. --- configure.ac | 2 - src/crl.c | 6 +- src/ssl.c | 29 +++++++--- wolfcrypt/src/asn.c | 116 ++++++++++++++++++++++---------------- wolfcrypt/src/pkcs7.c | 2 +- wolfcrypt/src/pwdbased.c | 8 +++ wolfcrypt/test/test.c | 43 ++++++++------ wolfssl/internal.h | 26 +++++---- wolfssl/wolfcrypt/asn.h | 27 +++++---- wolfssl/wolfcrypt/pkcs7.h | 2 +- 10 files changed, 156 insertions(+), 105 deletions(-) diff --git a/configure.ac b/configure.ac index e707f8657..4197c9304 100644 --- a/configure.ac +++ b/configure.ac @@ -1775,8 +1775,6 @@ AC_ARG_ENABLE([examples], AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"]) AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"]) -# certs still have sha signatures for now -AS_IF([test "x$ENABLED_SHA" = "xno" && test "x$ENABLED_PSK" = "xno"], [ENABLED_EXAMPLES="no"]) AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"]) diff --git a/src/crl.c b/src/crl.c index 39bfa1284..0f47ee1a4 100644 --- a/src/crl.c +++ b/src/crl.c @@ -66,8 +66,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl) { WOLFSSL_ENTER("InitCRL_Entry"); - XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE); - /* XMEMCPY(crle->crlHash, dcrl->crlHash, SHA_DIGEST_SIZE); + XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE); + /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE); * copy the hash here if needed for optimized comparisons */ XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); @@ -152,7 +152,7 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) crle = crl->crlList; while (crle) { - if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { + if (XMEMCMP(crle->issuerHash, cert->issuerHash, CRL_DIGEST_SIZE) == 0) { WOLFSSL_MSG("Found CRL Entry on list"); WOLFSSL_MSG("Checking next date validity"); diff --git a/src/ssl.c b/src/ssl.c index 7342e81a4..48ee6a54f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1797,7 +1797,7 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash) #else subjectHash = signers->subjectNameHash; #endif - if (XMEMCMP(hash, subjectHash, SHA_DIGEST_SIZE) == 0) { + if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { ret = 1; break; } @@ -1831,7 +1831,7 @@ Signer* GetCA(void* vp, byte* hash) #else subjectHash = signers->subjectNameHash; #endif - if (XMEMCMP(hash, subjectHash, SHA_DIGEST_SIZE) == 0) { + if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { ret = signers; break; } @@ -1861,7 +1861,8 @@ Signer* GetCAByName(void* vp, byte* hash) for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) { signers = cm->caTable[row]; while (signers && ret == NULL) { - if (XMEMCMP(hash, signers->subjectNameHash, SHA_DIGEST_SIZE) == 0) { + if (XMEMCMP(hash, + signers->subjectNameHash, SIGNER_DIGEST_SIZE) == 0) { ret = signers; } signers = signers->next; @@ -1942,10 +1943,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) #endif #ifndef NO_SKID XMEMCPY(signer->subjectKeyIdHash, cert->extSubjKeyId, - SHA_DIGEST_SIZE); + SIGNER_DIGEST_SIZE); #endif XMEMCPY(signer->subjectNameHash, cert->subjectHash, - SHA_DIGEST_SIZE); + SIGNER_DIGEST_SIZE); signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage : 0xFFFF; signer->next = NULL; /* If Key Usage not set, all uses valid. */ @@ -7458,6 +7459,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif /* NO_MD5 */ +#ifndef NO_SHA void wolfSSL_SHA_Init(WOLFSSL_SHA_CTX* sha) { typedef char sha_test[sizeof(SHA_CTX) >= sizeof(Sha) ? 1 : -1]; @@ -7503,6 +7505,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_ENTER("SHA1_Final"); SHA_Final(input, sha); } +#endif /* NO_SHA */ void wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX* sha256) @@ -7606,12 +7609,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif /* NO_MD5 */ +#ifndef NO_SHA const WOLFSSL_EVP_MD* wolfSSL_EVP_sha1(void) { static const char* type = "SHA"; WOLFSSL_ENTER("EVP_sha1"); return type; } +#endif /* NO_SHA */ const WOLFSSL_EVP_MD* wolfSSL_EVP_sha256(void) @@ -8225,11 +8230,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) wolfSSL_MD5_Init((MD5_CTX*)&ctx->hash); } #endif + #ifndef NO_SHA /* has to be last since would pick or 256, 384, or 512 too */ else if (XSTRNCMP(type, "SHA", 3) == 0) { ctx->macType = SHA; wolfSSL_SHA_Init((SHA_CTX*)&ctx->hash); } + #endif /* NO_SHA */ else return BAD_FUNC_ARG; @@ -12386,12 +12393,14 @@ int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type) return BAD_FUNC_ARG; } - if (XSTRNCMP(type, "MD5", 3) == 0) { - return MD5_DIGEST_SIZE; - } - else if (XSTRNCMP(type, "SHA256", 6) == 0) { + if (XSTRNCMP(type, "SHA256", 6) == 0) { return SHA256_DIGEST_SIZE; } +#ifndef NO_MD5 + else if (XSTRNCMP(type, "MD5", 3) == 0) { + return MD5_DIGEST_SIZE; + } +#endif #ifdef WOLFSSL_SHA384 else if (XSTRNCMP(type, "SHA384", 6) == 0) { return SHA384_DIGEST_SIZE; @@ -12402,10 +12411,12 @@ int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type) return SHA512_DIGEST_SIZE; } #endif +#ifndef NO_SHA /* has to be last since would pick or 256, 384, or 512 too */ else if (XSTRNCMP(type, "SHA", 3) == 0) { return SHA_DIGEST_SIZE; } +#endif return BAD_FUNC_ARG; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 018e84fa2..e3d9ff44b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -941,9 +941,11 @@ static int DecryptKey(const char* password, int passwordSz, byte* salt, if (version == PKCS5v2) ret = wc_PBKDF2(key, (byte*)password, passwordSz, salt, saltSz, iterations, derivedLen, typeH); +#ifndef NO_SHA else if (version == PKCS5) ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations, derivedLen, typeH); +#endif else if (version == PKCS12) { int i, idx = 0; byte unicodePasswd[MAX_UNICODE_SZ]; @@ -1447,9 +1449,9 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->extAuthInfoSz = 0; cert->extCrlInfo = NULL; cert->extCrlInfoSz = 0; - XMEMSET(cert->extSubjKeyId, 0, SHA_SIZE); + XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE); cert->extSubjKeyIdSet = 0; - XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE); + XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE); cert->extAuthKeyIdSet = 0; cert->extKeyUsageSet = 0; cert->extKeyUsage = 0; @@ -1852,11 +1854,11 @@ static int GetKey(DecodedCert* cert) /* process NAME, either issuer or subject */ static int GetName(DecodedCert* cert, int nameType) { - Sha sha; /* MUST have SHA-1 hash for cert names */ int length; /* length of all distinguished names */ int dummy; int ret; - char* full = (nameType == ISSUER) ? cert->issuer : cert->subject; + char* full; + byte* hash; word32 idx; #ifdef OPENSSL_EXTRA DecodedName* dName = @@ -1865,6 +1867,15 @@ static int GetName(DecodedCert* cert, int nameType) WOLFSSL_MSG("Getting Cert Name"); + if (nameType == ISSUER) { + full = cert->issuer; + hash = cert->issuerHash; + } + else { + full = cert->subject; + hash = cert->subjectHash; + } + if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) { WOLFSSL_MSG("Trying optional prefix..."); @@ -1882,14 +1893,13 @@ static int GetName(DecodedCert* cert, int nameType) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) return ASN_PARSE_E; - ret = wc_InitSha(&sha); +#ifdef NO_SHA + ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash); +#else + ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash); +#endif if (ret != 0) return ret; - wc_ShaUpdate(&sha, &cert->source[idx], length + cert->srcIdx - idx); - if (nameType == ISSUER) - wc_ShaFinal(&sha, cert->issuerHash); - else - wc_ShaFinal(&sha, cert->subjectHash); length += cert->srcIdx; idx = 0; @@ -3811,19 +3821,18 @@ static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert) cert->extAuthKeyIdSz = length; #endif /* OPENSSL_EXTRA */ - if (length == SHA_SIZE) { + if (length == KEYID_SIZE) { XMEMCPY(cert->extAuthKeyId, input + idx, length); } else { - Sha sha; - ret = wc_InitSha(&sha); - if (ret != 0) - return ret; - wc_ShaUpdate(&sha, input + idx, length); - wc_ShaFinal(&sha, cert->extAuthKeyId); + #ifdef NO_SHA + ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId); + #else + ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId); + #endif } - return 0; + return ret; } @@ -3853,12 +3862,11 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) XMEMCPY(cert->extSubjKeyId, input + idx, length); } else { - Sha sha; - ret = wc_InitSha(&sha); - if (ret != 0) - return ret; - wc_ShaUpdate(&sha, input + idx, length); - wc_ShaFinal(&sha, cert->extSubjKeyId); + #ifdef NO_SHA + ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId); + #else + ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId); + #endif } return ret; @@ -4355,12 +4363,15 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) #ifndef NO_SKID if (cert->extSubjKeyIdSet == 0 && cert->publicKey != NULL && cert->pubKeySize > 0) { - Sha sha; - ret = wc_InitSha(&sha); + #ifdef NO_SHA + ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize, + cert->extSubjKeyId); + #else + ret = wc_ShaHash(cert->publicKey, cert->pubKeySize, + cert->extSubjKeyId); + #endif if (ret != 0) return ret; - wc_ShaUpdate(&sha, cert->publicKey, cert->pubKeySize); - wc_ShaFinal(&sha, cert->extSubjKeyId); } #endif @@ -4379,14 +4390,15 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) if (ca) { #ifdef HAVE_OCSP /* Need the ca's public key hash for OCSP */ - { - Sha sha; - ret = wc_InitSha(&sha); - if (ret != 0) - return ret; - wc_ShaUpdate(&sha, ca->publicKey, ca->pubKeySize); - wc_ShaFinal(&sha, cert->issuerKeyHash); - } + #ifdef NO_SHA + ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize, + cert->issuerKeyHash); + #else /* NO_SHA */ + ret = wc_ShaHash(ca->publicKey, ca->pubKeySize, + cert->issuerKeyHash); + #endif /* NO_SHA */ + if (ret != 0) + return ret; #endif /* HAVE_OCSP */ /* try to confirm/verify signature */ if (!ConfirmSignature(cert->source + cert->certBegin, @@ -7343,13 +7355,18 @@ int EncodeOcspRequest(OcspRequest* req) WOLFSSL_ENTER("EncodeOcspRequest"); +#ifdef NO_SHA + algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0); +#else algoSz = SetAlgoID(SHAh, algoArray, hashType, 0); +#endif req->issuerHash = req->cert->issuerHash; - issuerSz = SetDigest(req->cert->issuerHash, SHA_SIZE, issuerArray); - + issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray); + req->issuerKeyHash = req->cert->issuerKeyHash; - issuerKeySz = SetDigest(req->cert->issuerKeyHash, SHA_SIZE, issuerKeyArray); + issuerKeySz = SetDigest(req->cert->issuerKeyHash, + KEYID_SIZE, issuerKeyArray); req->serial = req->cert->serial; req->serialSz = req->cert->serialSz; @@ -7453,14 +7470,14 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) } } - cmp = XMEMCMP(req->issuerHash, resp->issuerHash, SHA_DIGEST_SIZE); + cmp = XMEMCMP(req->issuerHash, resp->issuerHash, KEYID_SIZE); if (cmp != 0) { WOLFSSL_MSG("\tissuerHash mismatch"); return cmp; } - cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, SHA_DIGEST_SIZE); + cmp = XMEMCMP(req->issuerKeyHash, resp->issuerKeyHash, KEYID_SIZE); if (cmp != 0) { WOLFSSL_MSG("\tissuerKeyHash mismatch"); @@ -7487,13 +7504,12 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) #endif -/* store SHA1 hash of NAME */ +/* store SHA hash of NAME */ WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx) { - Sha sha; int length; /* length of all distinguished names */ - int ret = 0; + int ret; word32 dummy; WOLFSSL_ENTER("GetNameHash"); @@ -7515,15 +7531,15 @@ WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, if (GetSequence(source, idx, &length, maxIdx) < 0) return ASN_PARSE_E; - ret = wc_InitSha(&sha); - if (ret != 0) - return ret; - wc_ShaUpdate(&sha, source + dummy, length + *idx - dummy); - wc_ShaFinal(&sha, hash); +#ifdef NO_SHA + ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash); +#else + ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash); +#endif *idx += length; - return 0; + return ret; } diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 1e46ee608..2f66ea216 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -188,7 +188,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) XMEMCPY(pkcs7->publicKey, dCert->publicKey, dCert->pubKeySize); pkcs7->publicKeySz = dCert->pubKeySize; - XMEMCPY(pkcs7->issuerHash, dCert->issuerHash, SHA_SIZE); + XMEMCPY(pkcs7->issuerHash, dCert->issuerHash, KEYID_SIZE); pkcs7->issuer = dCert->issuerRaw; pkcs7->issuerSz = dCert->issuerRawLen; XMEMCPY(pkcs7->issuerSn, dCert->serial, dCert->serialSz); diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 745493982..b9764d8d0 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -68,6 +68,7 @@ #endif /* WOLFSSL_HAVE_MIN */ +#ifndef NO_SHA /* PBKDF1 needs at least SHA available */ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, int sLen, int iterations, int kLen, int hashType) @@ -130,6 +131,7 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, return 0; } +#endif /* NO_SHA */ int GetDigestSize(int hashType) @@ -142,9 +144,11 @@ int GetDigestSize(int hashType) hLen = MD5_DIGEST_SIZE; break; #endif +#ifndef NO_SHA case SHA: hLen = SHA_DIGEST_SIZE; break; +#endif #ifndef NO_SHA256 case SHA256: hLen = SHA256_DIGEST_SIZE; @@ -264,10 +268,12 @@ int GetPKCS12HashSizes(int hashType, word32* v, word32* u) *u = MD5_DIGEST_SIZE; break; #endif +#ifndef NO_SHA case SHA: *v = SHA_BLOCK_SIZE; *u = SHA_DIGEST_SIZE; break; +#endif #ifndef NO_SHA256 case SHA256: *v = SHA256_BLOCK_SIZE; @@ -313,6 +319,7 @@ int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, } break; #endif /* NO_MD5 */ +#ifndef NO_SHA case SHA: { Sha sha; @@ -328,6 +335,7 @@ int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, } } break; +#endif /* NO_SHA */ #ifndef NO_SHA256 case SHA256: { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 8dac3b8ea..6620a5fda 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -4409,9 +4409,10 @@ int openssl_test(void) { EVP_MD_CTX md_ctx; testVector a, b, c, d, e, f; - byte hash[SHA_DIGEST_SIZE*4]; /* max size */ + byte hash[SHA256_DIGEST_SIZE*2]; /* max size */ (void)a; + (void)b; (void)c; (void)e; (void)f; @@ -4436,6 +4437,8 @@ int openssl_test(void) #endif /* NO_MD5 */ +#ifndef NO_SHA + b.input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaa"; @@ -4453,6 +4456,8 @@ int openssl_test(void) if (memcmp(hash, b.output, SHA_DIGEST_SIZE) != 0) return -72; +#endif /* NO_SHA */ + d.input = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; d.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60" @@ -4656,22 +4661,22 @@ int pkcs12_test(void) byte derived[64]; const byte verify[] = { - 0x8A, 0xAA, 0xE6, 0x29, 0x7B, 0x6C, 0xB0, 0x46, - 0x42, 0xAB, 0x5B, 0x07, 0x78, 0x51, 0x28, 0x4E, - 0xB7, 0x12, 0x8F, 0x1A, 0x2A, 0x7F, 0xBC, 0xA3 + 0x27, 0xE9, 0x0D, 0x7E, 0xD5, 0xA1, 0xC4, 0x11, + 0xBA, 0x87, 0x8B, 0xC0, 0x90, 0xF5, 0xCE, 0xBE, + 0x5E, 0x9D, 0x5F, 0xE3, 0xD6, 0x2B, 0x73, 0xAA }; const byte verify2[] = { - 0x48, 0x3D, 0xD6, 0xE9, 0x19, 0xD7, 0xDE, 0x2E, - 0x8E, 0x64, 0x8B, 0xA8, 0xF8, 0x62, 0xF3, 0xFB, - 0xFB, 0xDC, 0x2B, 0xCB, 0x2C, 0x02, 0x95, 0x7F + 0x90, 0x1B, 0x49, 0x70, 0xF0, 0x94, 0xF0, 0xF8, + 0x45, 0xC0, 0xF3, 0xF3, 0x13, 0x59, 0x18, 0x6A, + 0x35, 0xE3, 0x67, 0xFE, 0xD3, 0x21, 0xFD, 0x7C }; int id = 1; int kLen = 24; int iterations = 1; - int ret = wc_PKCS12_PBKDF(derived, passwd, sizeof(passwd), salt, 8, iterations, - kLen, SHA, id); + int ret = wc_PKCS12_PBKDF(derived, passwd, sizeof(passwd), salt, 8, + iterations, kLen, SHA256, id); if (ret < 0) return -103; @@ -4680,8 +4685,8 @@ int pkcs12_test(void) return -104; iterations = 1000; - ret = wc_PKCS12_PBKDF(derived, passwd2, sizeof(passwd2), salt2, 8, iterations, - kLen, SHA, id); + ret = wc_PKCS12_PBKDF(derived, passwd2, sizeof(passwd2), salt2, 8, + iterations, kLen, SHA256, id); if (ret < 0) return -105; @@ -4701,12 +4706,12 @@ int pbkdf2_test(void) byte derived[64]; const byte verify[] = { - 0xba, 0x9b, 0x3b, 0x95, 0x04, 0x4d, 0x78, 0x11, 0xec, 0xa1, 0xff, 0x3f, - 0xea, 0x3a, 0xdb, 0x55, 0x3e, 0x54, 0x0b, 0xa0, 0x9f, 0xad, 0xe6, 0x81 + 0x43, 0x6d, 0xb5, 0xe8, 0xd0, 0xfb, 0x3f, 0x35, 0x42, 0x48, 0x39, 0xbc, + 0x2d, 0xd4, 0xf9, 0x37, 0xd4, 0x95, 0x16, 0xa7, 0x2a, 0x9a, 0x21, 0xd1 }; int ret = wc_PBKDF2(derived, (byte*)passwd, (int)strlen(passwd), salt, 8, - iterations, kLen, SHA); + iterations, kLen, SHA256); if (ret != 0) return ret; @@ -4717,6 +4722,7 @@ int pbkdf2_test(void) } +#ifndef NO_SHA int pbkdf1_test(void) { char passwd[] = "password"; @@ -4738,11 +4744,15 @@ int pbkdf1_test(void) return 0; } +#endif int pwdbased_test(void) { - int ret = pbkdf1_test(); + int ret = 0; +#ifndef NO_SHA + ret += pbkdf1_test(); +#endif ret += pbkdf2_test(); return ret + pkcs12_test(); @@ -4968,7 +4978,8 @@ int ecc_test(void) if (ret != 0) return -1017; -#if (defined(HAVE_ECC192) && defined(HAVE_ECC224)) || defined(HAVE_ALL_CURVES) +#if !defined(NO_SHA) && \ + ((defined(HAVE_ECC192) && defined(HAVE_ECC224)) || defined(HAVE_ALL_CURVES)) { /* test raw ECC key import */ Sha sha; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d4dc91247..7434841dd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -433,13 +433,15 @@ typedef byte word24[3]; #endif #endif #if !defined(NO_DES3) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - #endif + #ifndef NO_SHA + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #endif /* NO_SHA */ #endif #endif @@ -1152,10 +1154,10 @@ struct WOLFSSL_CIPHER { typedef struct OCSP_Entry OCSP_Entry; -#ifdef SHA_DIGEST_SIZE - #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE +#ifdef NO_SHA + #define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE #else - #define OCSP_DIGEST_SIZE 160 + #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE #endif #ifdef NO_ASN @@ -1189,10 +1191,10 @@ struct WOLFSSL_OCSP { typedef struct CRL_Entry CRL_Entry; -#ifdef SHA_DIGEST_SIZE - #define CRL_DIGEST_SIZE SHA_DIGEST_SIZE +#ifdef NO_SHA + #define CRL_DIGEST_SIZE SHA256_DIGEST_SIZE #else - #define CRL_DIGEST_SIZE 160 + #define CRL_DIGEST_SIZE SHA_DIGEST_SIZE #endif #ifdef NO_ASN diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 7511cdfc4..10d0943bb 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -48,6 +48,7 @@ #ifndef NO_MD5 #include #endif +#include #include /* public interface */ #ifdef HAVE_ECC #include @@ -138,7 +139,11 @@ enum Misc_ASN { ASN_BOOL_SIZE = 2, /* including type */ ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */ ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */ - SHA_SIZE = 20, +#ifdef NO_SHA + KEYID_SIZE = SHA256_DIGEST_SIZE, +#else + KEYID_SIZE = SHA_DIGEST_SIZE, +#endif RSA_INTS = 8, /* RSA ints in private key */ MIN_DATE_SIZE = 13, MAX_DATE_SIZE = 32, @@ -353,10 +358,10 @@ struct DecodedCert { Base_entry* permittedNames; /* Permitted name bases */ Base_entry* excludedNames; /* Excluded name bases */ #endif /* IGNORE_NAME_CONSTRAINTS */ - byte subjectHash[SHA_SIZE]; /* hash of all Names */ - byte issuerHash[SHA_SIZE]; /* hash of all Names */ + byte subjectHash[KEYID_SIZE]; /* hash of all Names */ + byte issuerHash[KEYID_SIZE]; /* hash of all Names */ #ifdef HAVE_OCSP - byte issuerKeyHash[SHA_SIZE]; /* hash of the public Key */ + byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */ #endif /* HAVE_OCSP */ byte* signature; /* not owned, points into raw cert */ char* subjectCN; /* CommonName */ @@ -379,9 +384,9 @@ struct DecodedCert { int extAuthInfoSz; /* length of the URI */ byte* extCrlInfo; /* CRL Distribution Points */ int extCrlInfoSz; /* length of the URI */ - byte extSubjKeyId[SHA_SIZE]; /* Subject Key ID */ + byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ byte extSubjKeyIdSet; /* Set when the SKID was read from cert */ - byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */ + byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */ byte extAuthKeyIdSet; /* Set when the AKID was read from cert */ #ifndef IGNORE_NAME_CONSTRAINTS byte extNameConstraintSet; @@ -471,10 +476,10 @@ struct DecodedCert { }; -#ifdef SHA_DIGEST_SIZE - #define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE +#ifdef NO_SHA + #define SIGNER_DIGEST_SIZE SHA256_DIGEST_SIZE #else - #define SIGNER_DIGEST_SIZE 20 + #define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE #endif /* CA Signers */ @@ -710,8 +715,8 @@ struct DecodedCRL { word32 sigLength; /* length of signature */ word32 signatureOID; /* sum of algorithm object id */ byte* signature; /* pointer into raw source, not owned */ - byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ - byte crlHash[SHA_DIGEST_SIZE]; /* raw crl data hash */ + byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer hash */ + byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte lastDateFormat; /* format of last date */ diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index c748f4514..e39a12b9d 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -80,7 +80,7 @@ typedef struct PKCS7 { byte* singleCert; /* recipient cert, DER, not owner */ word32 singleCertSz; /* size of recipient cert buffer, bytes */ - byte issuerHash[SHA_SIZE]; /* hash of all alt Names */ + byte issuerHash[KEYID_SIZE]; /* hash of all alt Names */ byte* issuer; /* issuer name of singleCert */ word32 issuerSz; /* length of issuer name */ byte issuerSn[MAX_SN_SZ]; /* singleCert's serial number */