Topic: NO_HMAC build error

When I define NO_HMAC, I get build errors in several files.  I do not see a reference in the documentation to needing to set other macros with NO_HMAC - are other macros required to be disabled, too, or is this a build problem?  Thank you.


Re: NO_HMAC build error

Hi Tammy,

wolfSSL internally has a dependency on HMAC and the option to --enable/--disable hmac was removed years ago. Can you point out where you found NO_HMAC in the documentation so I can update the doc to note that NO_HMAC is no longer supported and should not be used with SSL/TLS?


Warm Regards,

KH

Re: NO_HMAC build error

Hello Kaleb,

Thank you for your response.  I am referring to documentation at this link.  https://www.wolfssl.com/documentation/w … Manual.pdf

Is this the proper document that I should be using?

Thanks,
Tammy


Re: NO_HMAC build error

Hi Tammy,

Yes that is the correct document to be using. Here is what I will update the manual section to read:

NO_HMAC removes HMAC from the build.
NOTE: HMAC is a dependency of SSL/TLS, but if you are only using wolfCrypt, i.e. build option "WOLFCRYPT_ONLY", then NO_HMAC can be used in this case.

Will that help to clarify it better?

Warmest Regards,

KH

5 (edited by tammy_leino 2019-07-12 09:47:08)

Re: NO_HMAC build error

Thank you, Kaleb.  When I build with WOLFCRYPT_ONLY defined and NO_HMAC defined, I still get build errors in pkcs12.c.  From your comment above, it seems that this should build successfully.  Is there another macro that needs to be toggled?


Re: NO_HMAC build error

Tammy,

Can you tell me what other settings you are using?

$ ./configure --enable-pkcs12 --enable-cryptonly CFLAGS=-DNO_HMAC
$ make
$ ./wolfcrypt/test/testwolfcrypt
------------------------------------------------------------------------------
 wolfSSL version 4.0.0
------------------------------------------------------------------------------
error    test passed!
MEMORY   test passed!
base64   test passed!
asn      test passed!
MD5      test passed!
SHA      test passed!
SHA-224  test passed!
SHA-256  test passed!
SHA-384  test passed!
SHA-512  test passed!
SHA-3    test passed!
Hash     test passed!
GMAC     test passed!
Chacha   test passed!
POLY1305 test passed!
ChaCha20-Poly1305 AEAD test passed!
AES      test passed!
AES192   test passed!
AES256   test passed!
AES-GCM  test passed!
RANDOM   test passed!
RSA      test passed!
DH       test passed!
ECC      test passed!
logging  test passed!
mutex    test passed!
memcb    test passed!
Test complete

**NOTE: The version says version 4.0.0 but this was tested from the github master branch at https://github.com/wolfssl/wolfssl.git, if you are working with a download from the website or specific version please let me know which one and I can test it as well.

Warm Regards,

KH

Re: NO_HMAC build error

Tammy,

I did find that if not using the configure setup you must also define WOLFSSL_NO_TLS12 explicitly; this is set by the auto-tools but not in a makefile setup or if using settings.h to control the build. I will open a PR to address this.

Warm Regards,

KH

Re: NO_HMAC build error

Thank you, Kaleb.

I am porting WolfSSL to the Nucleus OS, so listing out the configuration options is a little tricky - also because I think I have some out of date configuration options in my port.  I am porting version 4.0.0 from a previous version.

I found a lot of macros in the code that are not documented in the latest WolfSSL manual as configurable, but Nucleus has allowed these to be configurable in the past.  Could you possibly verify whether these macros should be configurable by the user in the 4.0.0 version of code, please?  The problem may be that we have some legacy macros enabled that should not be toggled.

WC_NO_HARDEN
HAVE_RABBIT - not present in header files, but present in ssl.c
HAVE_HC128
WOLFSSL_SHA224
HAVE_ECC_ENCRYPT
WOLFSSL_MD2
HAVE_ONE_TIME_AUTH
HAVE_BLAKE2
HAVE_PKCS7
HAVE_HKDF
WOLFSSL_STATIC_DH
WOLFSSL_STATIC_RSA
HAVE_AES_KEYWRAP
HAVE_X963_KDF
WOLFSSL_AES_DIRECT
WOLFSSL_STM32L4
WOLFSSL_STM32_CUBEMX
WOLFSSL_AES_COUNTER
WOLFSSL_ALLOW_SSLV3 - not present in header files, but present in internal.c
WOLFSSL_MAX_STRENGTH
WC_NO_RNG
WOLFSSL_WPAS - not present in header files, but present in ssl.c
FORTRESS
WOLFSSL_LEANPSK
WOLFSSL_LEANTLS
BIG_SESSION_CACHE - not present in header files, but present in ssl.c
HUGE_SESSION_CACHE - not present in header files, but present in ssl.c
PERSIST_SESSION_CACHE - not present in header files, but present in ssl.c
PERSIST_CERT_CACHE - not present in header files, but present in ssl.c
HAVE_WRITE_DUP
WOLFSSL_SNIFFER
HAVE_NULL_CIPHER
SESSION_CERTS
WOLFSSL_CERT_EXT
WOLFSSL_SEP
ECC_SHAMIR
WOLFSSL_CUSTOM_CURVES
HAVE_COMP_KEY
HAVE_STACK_SIZE
NO_WOLFSSL_MEMORY
NO_RSA
NO_ASN
NO_CODING - not present in header files, but present in coding.c
WOLFSSL_BASE64_ENCODE
HAVE_IDEA
WOLFSSL_CMAC
HAVE_WEBSERVER
HAVE_FIPS
HAVE_CERTIFICATE_STATUS_REQUEST_V2
HAVE_CRL_MONITOR
HAVE_WNR
HAVE_MAX_FRAGMENT
HAVE_TRUNCATED_HMAC
HAVE_SUPPORTED_CURVES
HAVE_EXTENDED_MASTER
HAVE_TLS_EXTENSIONS
WOLFCRYPT_HAVE_SRP
WOLFSSL_TEST_CERT
HAVE_IO_POOL
WOLFSSL_HAVE_CERT_SERVICE
WOLFSSL_JNI
HAVE_LIGHTY
HAVE_STUNNEL
HAVE_SCRYPT
HAVE_CAVIUM_V
HAVE_FAST_RSA
HAVE_MCAPI - not present in header files, but present in compress.c
WC_NO_ASYNC_THREADING
HAVE_SECURE_RENEGOTIATION
WOLFSSL_SGX
WOLFSSL_ASYNC_CRYPT
HAVE_RENEGOTIATION_INDICATION - not present in header files, but present in internal.c
HAVE_SNI
NO_OLD_TLS
NO_SHA
NO_CERTS
NO_BIG_INT
OLD_HELLO_ALLOWED - not present in header files, but present in several files
WC_RSA_BLINDING
NO_ASN_TIME


Re: NO_HMAC build error

Hi Tammy,

I see several defines in the above list that would be conflicting. For example, HAVE_FAST_RSA means you are on an Intel box with the Intel IPP libraries available. HAVE_CAVIUM_V would indicate you are running on a CAVIUM part and not an Intel part; the two together do not reflect a traditional use case, for example. Were those really being used together previously? Another conflict is BIG_SESSION_CACHE and HUGE_SESSION_CACHE: you can set one or the other but not both.

Were all of these settings really being used at the same time previously or are you just listing everything? Many of these are documented in the manual here: https://www.wolfssl.com/documentation/w … Manual.pdf

See Chapter 2, section 2.4, and the appropriate sub-section. We are in a release cycle right now, so more settings will be added when the new manual is published. Perhaps you can provide a list of settings you are actively using and note when a feature is turned on if it causes errors or not, and we can evaluate those?

Warm Regards,

KH
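
Added example, not part of the thread and not wolfSSL code: a small checker that applies the constraints stated in the replies above (NO_HMAC only with WOLFCRYPT_ONLY, WOLFSSL_NO_TLS12 defined explicitly in non-configure builds, and the two conflicting macro pairs) to a settings header. The function names, the `uses_configure` parameter and the sample header are constructed for illustration, and the parser assumes a flat header without evaluating `#if` blocks.

```python
import re

# Rules below restate what the wolfSSL replies in this thread say (4.0.0 era).
MUTUALLY_EXCLUSIVE = [
    ("BIG_SESSION_CACHE", "HUGE_SESSION_CACHE"),  # "one or the other but not both"
    ("HAVE_FAST_RSA", "HAVE_CAVIUM_V"),           # Intel IPP vs. Cavium part
]

def defined_macros(header_text):
    """Names left defined by a flat settings header (no #if evaluation)."""
    text = re.sub(r"/\*.*?\*/", "", header_text, flags=re.S)  # block comments
    text = re.sub(r"//[^\n]*", "", text)                      # line comments
    macros = set()
    for m in re.finditer(r"^[ \t]*#[ \t]*(define|undef)[ \t]+(\w+)", text, re.M):
        if m.group(1) == "define":
            macros.add(m.group(2))
        else:
            macros.discard(m.group(2))
    return macros

def check_settings(header_text, uses_configure=False):
    """Return a list of (rule, message) findings for a settings header."""
    macros = defined_macros(header_text)
    findings = []
    if "NO_HMAC" in macros and "WOLFCRYPT_ONLY" not in macros:
        findings.append(("hmac-needs-cryptonly",
                         "NO_HMAC set but HMAC is a dependency of SSL/TLS; "
                         "only valid with WOLFCRYPT_ONLY"))
    elif "NO_HMAC" in macros and not uses_configure \
            and "WOLFSSL_NO_TLS12" not in macros:
        findings.append(("hmac-needs-no-tls12",
                         "non-configure build: define WOLFSSL_NO_TLS12 explicitly"))
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in macros and b in macros:
            findings.append(("conflict", f"{a} and {b} are both defined"))
    return findings

# Constructed sample: a hand-written user_settings.h for a non-configure port.
SAMPLE = """
#define WOLFCRYPT_ONLY
#define NO_HMAC
/* #define WOLFSSL_NO_TLS12 */
#define BIG_SESSION_CACHE
#define HUGE_SESSION_CACHE
// #define HAVE_CAVIUM_V
#define HAVE_FAST_RSA
"""

if __name__ == "__main__":
    for rule, message in check_settings(SAMPLE):
        print(f"{rule}: {message}")
```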

Re: NO_HMAC build error

Hello Kaleb,

No, these are not being set at the same time.  These are just configuration options that we have identified within WolfSSL that should be exposed to the user.  I am just checking with you to see which ones are no longer valid within WolfSSL since I do not see these in the latest version of documentation.


Re: NO_HMAC build error

Tammy,

That is good to hear! I will review the list and try to get updates for each of these that are not yet in the documentation. I've opened a PR to resolve the NO_HMAC with wolfcrypt only when not using the configure script to run the build here: https://github.com/wolfSSL/wolfssl/pull/2365

Warm Regards,

KH