Topic: NO_SHA256 issue

Hello,

If I need to add asn.o to my build and I have NO_SHA256 define (I have WOLFSSL_SHA512 & WOLFSSL_SHA384 instead) I get a lot of errors from asn.c and asn.h files regarding SHA256 part.

As I understand it, the ASN module can't be used without SHA256. Here are some examples:

#ifdef NO_SHA
    ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
#else
    ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
#endif

#ifdef NO_SHA
    KEYID_SIZE          = SHA256_DIGEST_SIZE,
#else
    KEYID_SIZE          = SHA_DIGEST_SIZE,
#endif

Is there a way to get rid from SHA256?

Best regards.

Share

Re: NO_SHA256 issue

Hi andrey,

SHA256 and HMAC are required in the HASH_DRBG used by wolfSSL to generate RANDOM data. If you are using any portion of the library that requires random data then SHA256 is a dependancy. In this case you are using TLS which requires a random data string in the CLIENT HELLO message so it is not supported to disable SHA256 with TLS enabled (not unique to ASN).


Warm Regards,

Kaleb

Re: NO_SHA256 issue

Hi andrey,

I just discussed your question with the team and one of my peers pointed out that if you do have access to a hardware RNG then you could disable SHA256 and the HASH_DRBG in favor of your hardware based RNG. To do that you could use this configuration:

#NOTE: <customfunc> would need to be replaced by the API you implement to call your hardware RNG.
./configure CFLAGS="-DCUSTOM_RAND_GENERATE_BLOCK=<customfunc> -DNO_SHA256" --disable-hashdrbg

Let me know if you have any questions on that.


Warm Regards,

Kaleb

Re: NO_SHA256 issue

Hello,
Thanks Kaleb for the reply,

I do have the following defines:
#define WOLFSSL_STM32F2
#define WC_NO_HASHDRBG
#define CUSTOM_RAND_GENERATE_BLOCK(OUT,SZ) wc_GenerateSeed(NULL,OUT,SZ)

But it seems I cannot add ecc.o to the build without asn.o as ecc needs some asn functionality like DecodeAuthKeyId, DecodeSubjKeyId, ParseCertRelative, etc...

Or maybe I'm missing something?

Best regards.

Share

Re: NO_SHA256 issue

Hello,

Sorry, more likely I'm mistaken.
As I understand, the need for asn.o is coming from certificate usage.

But the problem still remains.

Best regards.

Share

Re: NO_SHA256 issue

Hello,

I'm back to the office and can definitely say that asn.h is needed while using ECC.
asn.h requires sha256.h, thus NO_SHA256 can't be defined.

If I want to use certificates, by removing NO_CERTS define, I need to add asn.o to the build and still can't define NO_SHA256 because of the above reason and that asn.c have calls to sha256.c functions.

Best regards.

Share

Re: NO_SHA256 issue

Hi Andrey,

I think this goes back to the other question for "Minimum ECC Build". Since currently ecc enables all of the public key functionality, which in turn requires asn.c for certificate processing... That is why the build is not working. I have let Rod Weaver know of your situation and he should be in touch soon to discuss the option of adding this as a feature to our library. IE compiling with ECC enabled and public key functionality disables to allow for generating a shared secret with ECDHE_PSK only cipher suites.

Warm Regards,

Kaleb

Re: NO_SHA256 issue

Hello,
I really appreciate your help, thank you very much.

This issue,  if I understand it, a little bit different.

I've tried to test ECDHE_ECDSA cipher suites with SHA384 hash algorithm and tried to remove sha256.o from the build by NO_SHA256 define. That didn't work due to asn.c/asn.h.

If I try ECDHE_PSK_..._SHA384 cipher suites I still can't make a build without sha256.o due to asn.h.

The problem is, that if I want only SHA384 in my cipher suites I can't remove SHA256 from the build.
Probably, it somehow related to enabling ECC, as I don't remember such a problem when I was trying DHE_RSA_..._SHA384 cipher suites.

Best regards.

Share