Enable support for no TLS while allowing certificate manager #8273
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
douzzer
requested changes
Dec 17, 2024
There was a problem hiding this comment.
Tested with a fatter configuration:
./configure --quiet --disable-jobserver --enable-fips=disabled --enable-all --disable-all-osp --disable-quic --disable-tlsv12 --disable-tls13 --disable-dtls --disable-mcast --disable-srtp --disable-ocsp --disable-tlsx --disable-sni --disable-crl-monitor --disable-alpn CFLAGS="-DNO_TLS"
It's nearly clean. Had to make these changes to src/internal.c:
diff --git a/src/internal.c b/src/internal.c
index e10ba5092..eeeb7cf61 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -191,7 +191,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
#else
#define SSL_TICKET_CTX(ssl) ssl->ctx->ticketEncCtx
#endif
- #if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
+ #if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && !defined(NO_TLS)
static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
TicketEncCbCtx* keyCtx);
static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
@@ -2493,7 +2493,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
#endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
-#ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB
+#if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && !defined(NO_TLS)
ret = TicketEncCbCtx_Init(ctx, &ctx->ticketKeyCtx);
if (ret != 0) return ret;
ctx->ticketEncCb = DefTicketEncCb;
@@ -2798,7 +2798,7 @@ void FreeSSL_Ctx(WOLFSSL_CTX* ctx)
SSL_CtxResourceFree(ctx);
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
- !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
+ !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && !defined(NO_TLS)
TicketEncCbCtx_Free(&ctx->ticketKeyCtx);
#endif
wolfSSL_RefFree(&ctx->ref);
It will also need some more gate fixes in api.c, and fixes for the gates on CipherRequires and AlertTypeToString, which turn up as undefined references when the lib is linked.
… without TLS enabled (NO_TLS). ZD 19054. Tested using `./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" && make check`
…sable TLS features and set `NO_TLS`. Useful for allowing certificate manager and crypto compatibility API's only.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Enable support for using certificate manager only.
Added
--disable-tlsoption that can be used with--enable-allto disable TLS features and setNO_TLS.Fixed issues building without TLS enabled (
NO_TLS).Fixed issues in
test_tls13_apiswith no filesystem or no RSA/ECC.ZD 19054
Testing
Tested using
./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" && make check./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" --enable-cryptocb --enable-crl && make checkChecklist