LeanTLS: Fixed issue with GetCA, GetCAByName and PickHashSigAlgo with HAVE_ECC, NO_RSA and NO_CERTS defined. Added new "--enable-leantls" option, which enables TLS 1.2 client only with ECC256, AES128 and SHA256 (no RSA, DH, DSA, MD4, MD5, SHA, PSK, PWD, CERTS, DES3, Error Strings, ARC4, Coding, Memory or File System).

David Garske 2016-02-12 14:30:26 -08:00
parent 375d85fe9a
commit 8e8ee45828
3 changed files with 53 additions and 48 deletions


@ -256,6 +256,21 @@ fi
AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"])
# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir)
AC_ARG_ENABLE([leantls],
[ --enable-leantls Enable Lean TLS build (default: disabled)],
[ ENABLED_LEANTLS=$enableval ],
[ ENABLED_LEANTLS=no ]
)
if test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_FILESYSTEM -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_CERTS -DNO_PWDBASED -DNO_DES3 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SESSION_CACHE -DNO_SHA -DUSE_SLOW_SHA -DUSE_SLOW_SHA2 -DNO_PSK -DNO_WOLFSSL_MEMORY -DNO_CODING"
fi
AM_CONDITIONAL([BUILD_LEANTLS], [test "x$ENABLED_LEANTLS" = "xyes"])
# big cache
AC_ARG_ENABLE([bigcache],
[ --enable-bigcache Enable big session cache (default: disabled)],
@ -354,7 +369,7 @@ AC_ARG_ENABLE([sniffer],
[ ENABLED_SNIFFER=no ]
)
# sniffer does't work in maxstrength mode
# sniffer doesn't work in maxstrength mode
if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
then
AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
@ -380,8 +395,8 @@ AC_ARG_ENABLE([aesgcm],
[ ENABLED_AESGCM=yes ]
)
# lean psk does't need gcm
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need gcm
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_AESGCM=no
fi
@ -566,8 +581,8 @@ AC_ARG_ENABLE([sha512],
[ ENABLED_SHA512=$SHA512_DEFAULT ]
)
# lean psk does't need sha512
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need sha512
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_SHA512=no
fi
@ -723,7 +738,7 @@ AC_ARG_ENABLE([ecc],
[ ENABLED_ECC=$ECC_DEFAULT ]
)
# lean psk does't need ecc
# lean psk doesn't need ecc
if test "$ENABLED_LEANPSK" = "yes"
then
ENABLED_ECC=no
@ -742,12 +757,6 @@ fi
AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])
if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes"
then
AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.])
fi
# for using memory optimization setting on both curve25519 and ed25519
ENABLED_CURVED25519_SMALL=no
@ -874,8 +883,8 @@ if test "$ENABLED_ERROR_STRINGS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
else
# turn off error strings if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off error strings if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
ENABLED_ERROR_STRINGS=no
@ -894,8 +903,8 @@ if test "$ENABLED_OLD_TLS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
else
# turn off old if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off old if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
ENABLED_OLD_TLS=no
@ -942,8 +951,8 @@ if test "$ENABLED_MEMORY" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY"
else
# turn off memory cb if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off memory cb if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
# but don't turn on NO_WOLFSSL_MEMORY because using own
ENABLED_MEMORY=no
@ -964,8 +973,8 @@ if test "$ENABLED_RSA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
else
# turn off RSA if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off RSA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
ENABLED_RSA=no
@ -991,8 +1000,8 @@ if test "$ENABLED_DH" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
else
# turn off DH if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off DH if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
ENABLED_DH=no
@ -1115,8 +1124,8 @@ if test "$ENABLED_CODING" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
else
# turn off CODING if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off CODING if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
ENABLED_CODING=no
@ -1137,8 +1146,8 @@ if test "$ENABLED_DES3" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
else
# turn off DES3 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off DES3 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
ENABLED_DES3=no
@ -1180,8 +1189,8 @@ if test "$ENABLED_ARC4" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
else
# turn off ARC4 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off ARC4 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
ENABLED_ARC4=no
@ -1202,8 +1211,8 @@ if test "$ENABLED_MD5" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
else
# turn off MD5 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off MD5 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
ENABLED_MD5=no
@ -1224,8 +1233,8 @@ if test "$ENABLED_SHA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
else
# turn off SHA if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off SHA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
ENABLED_SHA=no
@ -1332,8 +1341,8 @@ AC_ARG_ENABLE([poly1305],
[ ENABLED_POLY1305=$POLY1305_DEFAULT]
)
# lean psk does't need poly1305
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need poly1305
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_POLY1305=no
fi
@ -1361,8 +1370,8 @@ AC_ARG_ENABLE([chacha],
[ ENABLED_CHACHA=$CHACHA_DEFAULT]
)
# lean psk does't need chacha
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need chacha
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_CHACHA=no
fi
@ -1406,8 +1415,8 @@ if test "$ENABLED_FILESYSTEM" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
else
# turn off filesystem if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off filesystem if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
ENABLED_FILESYSTEM=no
@ -1636,10 +1645,6 @@ AC_ARG_WITH([ntru],
AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"])
if test "$ENABLED_NTRU" = "yes" && test "$ENABLED_SMALL" = "yes"
then
AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.])
fi
# SNI
AC_ARG_ENABLE([sni],
@ -2759,6 +2764,7 @@ echo " * MD4: $ENABLED_MD4"
echo " * PSK: $ENABLED_PSK"
echo " * Poly1305: $ENABLED_POLY1305"
echo " * LEANPSK: $ENABLED_LEANPSK"
echo " * LEANTLS: $ENABLED_LEANTLS"
echo " * RSA: $ENABLED_RSA"
echo " * DSA: $ENABLED_DSA"
echo " * DH: $ENABLED_DH"
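Review bot: The flag list appended to AM_CFLAGS under `--enable-leantls` defines `-DNO_CERTS` together with `-DNO_PSK` and `-DNO_RSA`, and nothing on this page shows how a client built this way authenticates the server. If certificate processing is compiled out and no pre-shared key is available, the handshake presumably completes without verifying the peer, which would leave a lean client exposed to on-path interception. That limitation should be stated where the option is defined, for example `# NOTE: leantls defines NO_CERTS and NO_PSK; document how the peer is authenticated` above `AC_ARG_ENABLE([leantls]`, and in the help string. The same line also pre-defines macros (`-DNO_RSA`, `-DNO_DH`, `-DNO_MD5`, `-DNO_ERROR_STRINGS` and others) that the later `|| test "$ENABLED_LEANTLS" = "yes"` branches append a second time, and it defines `-DNO_WOLFSSL_MEMORY` although the memory branch comment says not to turn that macro on. Dropping the duplicates from this line and rewording that comment would keep the two places consistent.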


@ -142,10 +142,9 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
#ifndef NO_CERTS
static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes);
#endif
static void PickHashSigAlgo(WOLFSSL* ssl,
const byte* hashSigAlgo, word32 hashSigAlgoSz);
#endif
#ifdef HAVE_QSH
int QSH_Init(WOLFSSL* ssl);
@ -10594,7 +10593,7 @@ int SetCipherList(Suites* suites, const char* list)
return ret;
}
#ifndef NO_CERTS
static void PickHashSigAlgo(WOLFSSL* ssl,
const byte* hashSigAlgo, word32 hashSigAlgoSz)
{
@ -10630,7 +10629,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
}
}
#endif
#ifdef WOLFSSL_CALLBACKS
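Review bot: `PickHashSigAlgo` appears to lose its `#ifndef NO_CERTS` guard at both the prototype and the definition, so this static function is now compiled in every configuration, including any where none of its callers is built; that would raise an unused-function warning, which fails a build that uses -Werror. Guarding it with the same condition as its call sites, rather than removing the guard outright, would keep it out of builds that cannot reach it. The `#endif` lines left in the first hunk carry no trailing label, so writing them as `#endif /* !NO_CERTS */` (and likewise for the outer conditional) would make the new nesting checkable. The rendered page has lost the +/- column and the function body lies outside the hunks, so the exact before/after is inferred from the hunk headers.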


@ -4908,7 +4908,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
#endif
#ifdef WOLFCRYPT_ONLY
#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
/* dummy functions, not using wolfSSL so don't need actual ones */
Signer* GetCA(void* signers, byte* hash)
@ -4927,7 +4927,7 @@ Signer* GetCAByName(void* signers, byte* hash)
}
#endif /* NO_SKID */
#endif /* WOLFCRYPT_ONLY */
#endif /* WOLFCRYPT_ONLY || NO_CERTS */
#ifndef NO_ASN_TIME
int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
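Review bot: Widening the guard to `#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)` makes the stub `GetCA` and `GetCAByName` the only signer lookup in a NO_CERTS TLS build, but the comment under it still reads "not using wolfSSL so don't need actual ones", which no longer holds for that case. The comment should say what the stubs return and how callers are expected to treat it, e.g. `/* stubs: no signer table when WOLFCRYPT_ONLY or NO_CERTS; a lookup never yields a trusted signer */`. The stub bodies are outside the hunk, so it is worth confirming that no caller reads a missing signer as a successful verification.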