From 356889a5284539bfcc102c1bfff05f000f02fb85 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 17 Dec 2024 13:40:03 -0800
Subject: [PATCH] Add `--disable-tls` option that can be used with `--enable-all` to disable TLS features and set `NO_TLS`. Useful for allowing certificate manager and crypto compatibility API's only.

---
 configure.ac | 52 ++++++++++++++++++++++++++++++++++++++++++--------
 src/internal.c | 4 ++--
 tests/api.c | 6 +++---
 3 files changed, 49 insertions(+), 13 deletions(-)

diff --git a/configure.ac b/configure.ac
index c780ad028b..0a9ea74465 100644
--- a/configure.ac
+++ b/configure.ac
@@ -917,6 +917,50 @@ then
 ENABLED_SP_MATH_ALL="no"
 fi
+# wolfCrypt Only Build
+AC_ARG_ENABLE([cryptonly],
+ [AS_HELP_STRING([--enable-cryptonly],[Enable wolfCrypt Only build (default: disabled)])],
+ [ENABLED_CRYPTONLY=$enableval],
+ [ENABLED_CRYPTONLY=no])
+
+AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
+
+# TLS
+AC_ARG_ENABLE([tls],
+ [AS_HELP_STRING([--enable-tls],[Enable TLS support (default: enabled)])],
+ [ ENABLED_TLS=$enableval ],
+ [ ENABLED_TLS=yes ]
+ )
+
+if test "$ENABLED_CRYPTONLY" = "yes"
+then
+ ENABLED_TLS=no
+fi
+if test "$ENABLED_TLS" = "no"
+then
+ AM_CFLAGS="$AM_CFLAGS -DNO_TLS"
+ test "$enable_tls13" = "" && enable_tls13=no
+ test "$enable_tlsv12" = "" && enable_tlsv12=no
+ test "$enable_tlsv10" = "" && enable_tlsv10=no
+ test "$enable_dtls" = "" && enable_dtls=no
+ test "$enable_dtls13" = "" && enable_dtls13=no
+ test "$enable_mcast" = "" && enable_mcast=no
+ test "$enable_srtp" = "" && enable_srtp=no
+ test "$enable_ocsp" = "" && enable_ocsp=no
+ test "$enable_tlsx" = "" && enable_tlsx=no
+ test "$enable_sni" = "" && enable_sni=no
+ test "$enable_sni" = "" && enable_sni=no
+ test "$enable_crl_monitor" = "" && enable_crl_monitor=no
+ test "$enable_alpn" = "" && enable_alpn=no
+ test "$enable_pkcallbacks" = "" && enable_pkcallbacks=no
+ test "$enable_quic" = "" && enable_quic=no
+ test "$enable_ech" = "" && enable_ech=no
+ test "$enable_ocspstapling" = "" && enable_ocspstapling=no
+
+ # Disable all open source compatibility enables that might get set with all
+ test "$enable_all_osp" = "" && enable_all_osp=no
+fi
+
+# All features, except conflicting or experimental:
 AC_ARG_ENABLE([all],
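Review bot: The new `if test "$ENABLED_TLS" = "no"` block contains `test "$enable_sni" = "" && enable_sni=no` twice; the second copy is dead and should be removed, unless it was meant to default a different option off, in which case that option is currently left enabled under `--disable-tls`. The same block also defaults `enable_ocsp` to no, and since the commit message names the certificate manager as the target use case, a caller who expects CertManager OCSP checks in a `--disable-tls` build will silently get none unless `--enable-ocsp` is passed explicitly (assuming HAVE_OCSP is what backs those checks; confirm). I would say so next to the line, e.g. `# OCSP is defaulted off with TLS; pass --enable-ocsp explicitly for CertManager OCSP`. The `--enable-all` definition that this block is placed before continues outside the hunk.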
@@ -1751,14 +1795,6 @@ then
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_USE_RWLOCK"
 fi
-# wolfCrypt Only Build
-AC_ARG_ENABLE([cryptonly],
- [AS_HELP_STRING([--enable-cryptonly],[Enable wolfCrypt Only build (default: disabled)])],
- [ENABLED_CRYPTONLY=$enableval],
- [ENABLED_CRYPTONLY=no])
-
-AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
-
 # ECH
 AC_ARG_ENABLE([ech],
 [AS_HELP_STRING([--enable-ech],[Enable ECH (default: disabled)])],
diff --git a/src/internal.c b/src/internal.c
index 575846c8f4..5b69bae1d6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -13502,8 +13502,8 @@ int CopyDecodedAcertToX509(WOLFSSL_X509_ACERT* x509, DecodedAcert* dAcert)
 #endif /* WOLFSSL_ACERT */
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
- (defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(WOLFSSL_NO_TLS12))
+#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
+ defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && !defined(WOLFSSL_NO_TLS12)
 static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 word32 status_length, int idx)
 {
diff --git a/tests/api.c b/tests/api.c
index 7bfa496c04..ef5d8ad3be 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -2341,7 +2341,7 @@ static int test_wolfSSL_CTX_trust_peer_cert(void)
 {
 EXPECT_DECLS;
 #if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) && \
- !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA)
+ !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA)
 WOLFSSL_CTX *ctx = NULL;
 WOLFSSL* ssl = NULL;
@@ -14580,7 +14580,7 @@ static int test_wolfSSL_UseOCSPStapling(void)
 {
 EXPECT_DECLS;
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && defined(HAVE_OCSP) && \
- !defined(NO_WOLFSSL_CLIENT)
+ !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
 WOLFSSL_CTX* ctx = NULL;
 WOLFSSL* ssl = NULL;
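Review bot: The regrouped `#if` in src/internal.c now drops `ProcessCSR_ex` whenever `WOLFSSL_NO_TLS12` is defined, including a TLS 1.3-only build that has only `HAVE_CERTIFICATE_STATUS_REQUEST` set, where the old guard still compiled it. If the prototype in internal.h or any caller on the TLS 1.3 certificate-extension path still uses the previous condition, that configuration will now fail to link or emit an unused/undefined mismatch; the commit does not show either side being updated, so this needs confirming. If the function is genuinely TLS 1.2-only, a one-line comment above the guard stating that, e.g. `/* Status request processing is only reached from the TLS 1.2 CertificateStatus path */`, would stop the next reader from reverting the grouping. The `ProcessCSR_ex` body and its matching `#endif` continue outside the hunk; the two tests/api.c hunks on this line only add `!defined(NO_TLS)` to existing test guards and raise nothing further.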
@@ -14625,7 +14625,7 @@ static int test_wolfSSL_UseOCSPStaplingV2(void)
 {
 EXPECT_DECLS;
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && defined(HAVE_OCSP) && \
- !defined(NO_WOLFSSL_CLIENT)
+ !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
 WOLFSSL_CTX* ctx = NULL;
 WOLFSSL* ssl = NULL;