Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. Workaround to avoid large WOLFSSL structure size with compatibility layer enabled (the struct WOLFSSL_X509 is over 5KB). Note: May investigate way to place into heap instead. Fix issues building compatibility layer without MD5.

Author: dgarske

.wolfssl_known_macro_extras

@@ -368,6 +368,7 @@ NO_GETENV
 NO_HANDSHAKE_DONE_CB
 NO_IMX6_CAAM_AES
 NO_IMX6_CAAM_HASH
+NO_KEEP_PEER_CERT
 NO_OLD_NAMES
 NO_OLD_POLY1305
 NO_OLD_TIMEVAL_NAME

examples/client/client.c

@@ -1718,7 +1718,8 @@ static const char* client_usage_msg[][78] = {
 
 static void showPeerPEM(WOLFSSL* ssl)
 {
-#if defined(OPENSSL_ALL) && !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN)
+#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && !defined(NO_BIO) && \
+    defined(WOLFSSL_CERT_GEN)
     WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
     if (peer) {
         WOLFSSL_BIO* bioOut = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
@@ -1742,7 +1743,7 @@ static void showPeerPEM(WOLFSSL* ssl)
         wolfSSL_BIO_free(bioOut);
     }
     wolfSSL_FreeX509(peer);
-#endif /* OPENSSL_ALL && WOLFSSL_CERT_GEN && !NO_BIO */
+#endif
     (void)ssl;
 }
 

src/pk.c

@@ -360,11 +360,13 @@ static int der_write_to_file_as_pem(const unsigned char* der, int derSz,
  * @param [in]  passedSz    Size of password in bytes.
  * @param [out] cipherInfo  PEM cipher information lines.
  * @param [in]  maxDerSz    Maximum size of DER buffer.
+ * @param [in]  hashType    Hash algorithm
  * @return  1 on success.
  * @return  0 on error.
  */
 int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
-    unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz)
+    unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz,
+    int hashType)
 {
     int ret = 0;
     int paddingSz = 0;
@@ -433,7 +435,7 @@ int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
 
         /* Encrypt DER buffer. */
         ret = wc_BufferKeyEncrypt(info, der, (word32)*derSz, passwd, passwdSz,
-            WC_MD5);
+            hashType);
         if (ret != 0) {
             WOLFSSL_MSG("encrypt key failed");
         }
@@ -504,6 +506,14 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
     byte* tmp = NULL;
     byte* cipherInfo = NULL;
     int pemSz = 0;
+    int hashType = WC_HASH_TYPE_NONE;
+#if !defined(NO_SHA256)
+    hashType = WC_SHA256;
+#elif !defined(NO_SHA)
+    hashType = WC_SHA;
+#elif !defined(NO_MD5)
+    hashType = WC_MD5;
+#endif
 
     /* Macro doesn't always use it. */
     (void)heap;
@@ -536,7 +546,7 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
 
             /* Encrypt DER inline. */
             ret = EncryptDerKey(der, &derSz, cipher, passwd, passwdSz,
-                &cipherInfo, derSz + blockSz);
+                &cipherInfo, derSz + blockSz, hashType);
             if (ret != 1) {
                 WOLFSSL_ERROR_MSG("EncryptDerKey failed");
             }
@@ -5978,7 +5988,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
                                         unsigned char* passwd, int passwdSz,
                                         unsigned char **pem, int *pLen)
 {
-#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
+#if (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \
+    !defined(NO_MD5)
     byte *derBuf, *tmp, *cipherInfo = NULL;
     int  der_max_len = 0, derSz = 0;
     const int type = DSA_PRIVATEKEY_TYPE;
@@ -6024,8 +6035,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
     if (passwd != NULL && passwdSz > 0 && cipher != NULL) {
         int ret;
 
-        ret = EncryptDerKey(derBuf, &derSz, cipher,
-                            passwd, passwdSz, &cipherInfo, der_max_len);
+        ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz,
+            &cipherInfo, der_max_len, WC_MD5);
         if (ret != 1) {
             WOLFSSL_MSG("EncryptDerKey failed");
             XFREE(derBuf, NULL, DYNAMIC_TYPE_DER);
@@ -6086,7 +6097,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
     (void)pem;
     (void)pLen;
     return 0;
-#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */
+#endif /* (WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM) && !NO_MD5 */
 }
 
 #ifndef NO_FILESYSTEM

src/ssl.c

@@ -11447,8 +11447,10 @@ const char *wolfSSL_get0_peername(WOLFSSL *ssl) {
         return (const char *)ssl->buffers.domainName.buffer;
     else if (ssl->session && ssl->session->peer)
         return ssl->session->peer->subjectCN;
+#ifdef KEEP_PEER_CERT
     else if (ssl->peerCert.subjectCN[0])
         return ssl->peerCert.subjectCN;
+#endif
     else {
         ssl->error = NO_PEER_CERT;
         return NULL;
@@ -14634,7 +14636,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
     return sk;
 }
 
-
+#ifdef KEEP_PEER_CERT
 /**
  * Implemented in a similar way that ngx_ssl_ocsp_validate does it when
  * SSL_get0_verified_chain is not available.
@@ -14695,6 +14697,7 @@ WOLF_STACK_OF(WOLFSSL_X509) *wolfSSL_get0_verified_chain(const WOLFSSL *ssl)
     wolfSSL_X509_STORE_CTX_free(storeCtx);
     return chain;
 }
+#endif /* KEEP_PEER_CERT */
 #endif /* SESSION_CERTS && OPENSSL_EXTRA */
 
 #ifndef NO_CERTS
@@ -18405,9 +18408,8 @@ int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk)
 
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 
-#ifdef OPENSSL_EXTRA
-
-#if defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM)
+#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && \
+    defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM)
 int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
 {
     int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
@@ -18478,7 +18480,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
     return ret;
 }
 #endif
-#endif /* OPENSSL_EXTRA */
 
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 const WOLFSSL_ObjectInfo wolfssl_object_info[] = {

tests/api.c

@@ -10267,9 +10267,11 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
          * for all connections. TLS 1.3 only has tickets so if we don't
          * include the session id in the ticket then the certificates
          * will not be available on resumption. */
+    #ifdef KEEP_PEER_CERT
         WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
         AssertNotNull(peer);
         wolfSSL_X509_free(peer);
+    #endif
         AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
     #ifdef OPENSSL_EXTRA
         AssertNotNull(SSL_SESSION_get0_peer(*sess));
@@ -10668,9 +10670,11 @@ static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl)
          * for all connections. TLS 1.3 only has tickets so if we don't
          * include the session id in the ticket then the certificates
          * will not be available on resumption. */
+    #ifdef KEEP_PEER_CERT
         WOLFSSL_X509* peer = NULL;
         ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl));
         wolfSSL_X509_free(peer);
+    #endif
         ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
     }
 #endif
@@ -10697,10 +10701,11 @@ static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl)
             wolfSSL_session_reused(ssl))
 #endif
     {
-
+    #ifdef KEEP_PEER_CERT
         WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
         ExpectNotNull(peer);
         wolfSSL_X509_free(peer);
+    #endif
         ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
 #ifdef OPENSSL_EXTRA
         ExpectNotNull(wolfSSL_SESSION_get0_peer(*sess));
@@ -30247,16 +30252,16 @@ static int msgSrvCb(SSL_CTX *ctx, SSL *ssl)
 #endif
 
 #if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
+#ifdef KEEP_PEER_CERT
     {
         WOLFSSL_X509* peer = NULL;
-
         ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl));
         ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
-
         fprintf(stderr, "Peer Certificate = :\n");
-        X509_print(bio,peer);
+        X509_print(bio, peer);
         X509_free(peer);
     }
+#endif
 
     ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl));
     if (sk == NULL) {
@@ -53654,8 +53659,8 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void)
 {
     EXPECT_DECLS;
 #if !defined(NO_RSA) && defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && \
-    (defined(WOLFSSL_PEM_TO_DER) || \
-    defined(WOLFSSL_DER_TO_PEM)) && !defined(NO_FILESYSTEM)
+    (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \
+    !defined(NO_FILESYSTEM)
     RSA* rsa = NULL;
 #ifdef USE_CERT_BUFFERS_1024
     const unsigned char* privDer = client_key_der_1024;
@@ -53685,12 +53690,13 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void)
 
     ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, NULL, NULL, 0,
         NULL, NULL), 1);
-#ifndef NO_AES
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
     ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(),
         NULL, 0, NULL, NULL), 1);
     ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(),
         passwd, sizeof(passwd) - 1, NULL, NULL), 1);
 #endif
+
     RSA_free(rsa);
 #endif
     return EXPECT_RESULT();
@@ -53736,7 +53742,7 @@ static int test_wolfSSL_PEM_write_mem_RSAPrivateKey(void)
         &plen), 1);
     XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
     pem = NULL;
-#ifndef NO_AES
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
     ExpectIntEQ(wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, EVP_aes_128_cbc(),
         NULL, 0, &pem, &plen), 1);
     XFREE(pem, NULL, DYNAMIC_TYPE_KEY);

wolfssl/internal.h

@@ -7134,8 +7134,9 @@ WOLFSSL_LOCAL WC_RNG* wolfssl_make_global_rng(void);
 
 #if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA)
 #if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_PEM_TO_DER)
-WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
-    unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz);
+WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz,
+    const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz,
+    byte **cipherInfo, int maxDerSz, int hashType);
 #endif
 #endif
 

wolfssl/wolfcrypt/settings.h

@@ -3913,7 +3913,7 @@ extern void uITRON4_free(void *p) ;
 /* Parts of the openssl compatibility layer require peer certs */
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
      defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
-     defined(HAVE_LIGHTY)) && !defined(NO_CERTS)
+     defined(HAVE_LIGHTY)) && !defined(NO_CERTS) && !defined(NO_KEEP_PEER_CERT)
     #undef  KEEP_PEER_CERT
     #define KEEP_PEER_CERT
 #endif