diff --git a/CMakeLists.txt b/CMakeLists.txt index 8c258066..a51d9e3a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -45,33 +45,38 @@ option(ENABLE_SM4_CL "Enable SM4 OpenCL" OFF) option(ENABLE_INTEL_RDRAND "Enable Intel RDRAND instructions" OFF) option(ENABLE_INTEL_RDSEED "Enable Intel RDSEED instructions" OFF) -option(ENABLE_SM4_ECB "Enable SM4 ECB mode" ON) -option(ENABLE_SM4_OFB "Enable SM4 OFB mode" ON) -option(ENABLE_SM4_CFB "Enable SM4 CFB mode" ON) -option(ENABLE_SM4_CCM "Enable SM4 CCM mode" ON) -option(ENABLE_SM4_XTS "Enable SM4 XTS mode" ON) -option(ENABLE_SM4_CBC_MAC "Enable SM4-CBC-MAC" ON) +option(ENABLE_SM4_ECB "Enable SM4 ECB mode" OFF) +option(ENABLE_SM4_OFB "Enable SM4 OFB mode" OFF) +option(ENABLE_SM4_CFB "Enable SM4 CFB mode" OFF) +option(ENABLE_SM4_CCM "Enable SM4 CCM mode" OFF) +option(ENABLE_SM4_XTS "Enable SM4 XTS mode" OFF) +option(ENABLE_SM4_CBC_MAC "Enable SM4-CBC-MAC" OFF) option(ENABLE_SM2_EXTS "Enable SM2 Extensions" OFF) +option(ENABLE_SM9 "Enable SM9" OFF) +option(ENABLE_CMS "Enable CMS" OFF) -option(ENABLE_SECP256R1 "Enable ECDH/ECDSA on curve secp256r1" ON) +option(ENABLE_SECP256R1 "Enable ECDH/ECDSA on curve secp256r1" OFF) -option(ENABLE_LMS "Enable LMS/HSS signature" ON) -option(ENABLE_XMSS "Enable XMSS/XMSS^MT signature" ON) -option(ENABLE_SPHINCS "Enable SPHINCS+ signature" ON) -option(ENABLE_KYBER "Enable Kyber" ON) +option(ENABLE_LMS "Enable LMS/HSS signature" OFF) +option(ENABLE_XMSS "Enable XMSS/XMSS^MT signature" OFF) +option(ENABLE_SPHINCS "Enable SPHINCS+ signature" OFF) +option(ENABLE_KYBER "Enable Kyber" OFF) -option(ENABLE_SHA1 "Enable SHA1" ON) -option(ENABLE_SHA2 "Enable SHA2" ON) -option(ENABLE_AES "Enable AES" ON) -option(ENABLE_CHACHA20 "Enable Chacha20" ON) +option(ENABLE_SHA1 "Enable SHA1" OFF) +option(ENABLE_SHA2 "Enable SHA2" OFF) +option(ENABLE_AES "Enable AES" OFF) +option(ENABLE_CHACHA20 "Enable Chacha20" OFF) +option(ENABLE_ZUC "Enable ZUC" OFF) +option(ENABLE_GHASH "Enable standalone GHASH command and test" OFF) option(ENABLE_SKF "Enable SKF module" OFF) -option(ENABLE_SDF "Enable SDF module" ON) +option(ENABLE_SDF "Enable SDF module" OFF) option(ENABLE_ASM_UNDERSCORE_PREFIX "Add prefix `_` to assembly symbols" ON) -option(ENABLE_TLS_DEBUG "Enable TLS and TLCP print debug message" ON) +option(ENABLE_TLS "Enable TLS and TLCP protocol support" OFF) +option(ENABLE_TLS_DEBUG "Enable TLS and TLCP print debug message" OFF) option (ENABLE_SM2_ENC_PRE_COMPUTE "Enable SM2 encryption precomputing" ON) @@ -93,14 +98,6 @@ set(src src/sm2_sign.c src/sm2_enc.c src/sm2_exch.c - src/sm9_z256.c - src/sm9_z256_table.c - src/sm9_key.c - src/sm9_sign.c - src/sm9_enc.c - src/sm9_exch.c - src/zuc.c - src/zuc_modes.c src/block_cipher.c src/digest.c src/hmac.c @@ -110,9 +107,7 @@ set(src src/sm4_cbc_sm3_hmac.c src/sm4_ctr_sm3_hmac.c src/pkcs8.c - src/bn.c src/ec.c - src/rsa.c src/asn1.c src/hex.c src/base64.c @@ -124,19 +119,7 @@ set(src src/x509_crl.c src/x509_new.c src/x509_key.c - src/cms.c - src/socket.c - src/tls.c - src/tls_ext.c - src/tls_psk.c - src/tls_sni.c - src/tls_sct.c - src/tls_ocsp.c - src/tls_cookie.c - src/tls_trace.c - src/tlcp.c - src/tls12.c - src/tls13.c + src/rsa.c src/file.c ) @@ -157,15 +140,7 @@ set(tools tools/sm2verify.c tools/sm2encrypt.c tools/sm2decrypt.c - tools/sm9setup.c - tools/sm9keygen.c - tools/sm9sign.c - tools/sm9verify.c - tools/sm9encrypt.c - tools/sm9decrypt.c - tools/zuc.c tools/rand.c - tools/ghash.c tools/certgen.c tools/certparse.c tools/certverify.c @@ -177,17 +152,6 @@ set(tools tools/crlget.c tools/crlparse.c tools/crlverify.c - tools/cmssign.c - tools/cmsverify.c - tools/cmsencrypt.c - tools/cmsdecrypt.c - tools/cmsparse.c - tools/tlcp_client.c - tools/tlcp_server.c - tools/tls12_client.c - tools/tls12_server.c - tools/tls13_client.c - tools/tls13_server.c ) set(tests @@ -201,16 +165,11 @@ set(tests sm2_key sm2_sign sm2_enc - sm9 - zuc block_cipher digest - hmac hkdf gf128 - ghash pkcs8 - bn ec asn1 hex @@ -224,10 +183,6 @@ set(tests x509_req x509_crl x509_key - cms - tls - tls13 - tls_ocsp ) @@ -291,6 +246,9 @@ if (ENABLE_SM2_NEON) endif() if (ENABLE_SM9_ARM64) + if (NOT ENABLE_SM9) + message(FATAL_ERROR "ENABLE_SM9_ARM64 requires ENABLE_SM9") + endif() message(STATUS "ENABLE_SM9_ARM64 is ON") add_definitions(-DENABLE_SM9_ARM64) enable_language(ASM) @@ -429,12 +387,47 @@ if (ENABLE_SM2_EXTS) endif() +if (ENABLE_SM9) + message(STATUS "ENABLE_SM9 is ON") + add_definitions(-DENABLE_SM9) + list(APPEND src + src/sm9_z256.c + src/sm9_z256_table.c + src/sm9_key.c + src/sm9_sign.c + src/sm9_enc.c + src/sm9_exch.c) + list(APPEND tools + tools/sm9setup.c + tools/sm9keygen.c + tools/sm9sign.c + tools/sm9verify.c + tools/sm9encrypt.c + tools/sm9decrypt.c) + list(APPEND tests sm9) +endif() + + +if (ENABLE_CMS) + message(STATUS "ENABLE_CMS is ON") + add_definitions(-DENABLE_CMS) + list(APPEND src src/cms.c) + list(APPEND tools + tools/cmssign.c + tools/cmsverify.c + tools/cmsencrypt.c + tools/cmsdecrypt.c + tools/cmsparse.c) + list(APPEND tests cms) +endif() + + if (ENABLE_SECP256R1) message(STATUS "ENABLE_SECP256R1 is ON") add_definitions(-DENABLE_SECP256R1) - list(APPEND src src/secp256r1.c src/secp256r1_key.c src/ecdsa.c src/ecdh.c) + list(APPEND src src/bn.c src/secp256r1.c src/secp256r1_key.c src/ecdsa.c src/ecdh.c) list(APPEND tools tools/p256keygen.c) - list(APPEND tests secp256r1 secp256r1_key ecdsa) + list(APPEND tests bn secp256r1 secp256r1_key ecdsa) endif() @@ -507,7 +500,7 @@ if (ENABLE_SHA2) add_definitions(-DENABLE_SHA2) list(APPEND src src/sha256.c src/sha512.c) list(APPEND src src/sha256_hmac.c) - list(APPEND tests sha224 sha256 sha384 sha512) + list(APPEND tests sha224 sha256 sha384 sha512 hmac) endif() @@ -525,6 +518,47 @@ if (ENABLE_CHACHA20) list(APPEND tests chacha20) endif() +if (ENABLE_ZUC) + message(STATUS "ENABLE_ZUC is ON") + add_definitions(-DENABLE_ZUC) + list(APPEND src src/zuc.c src/zuc_modes.c) + list(APPEND tools tools/zuc.c) + list(APPEND tests zuc) +endif() + +if (ENABLE_GHASH) + message(STATUS "ENABLE_GHASH is ON") + add_definitions(-DENABLE_GHASH) + list(APPEND tools tools/ghash.c) + list(APPEND tests ghash) +endif() + +if (ENABLE_TLS) + message(STATUS "ENABLE_TLS is ON") + add_definitions(-DENABLE_TLS) + list(APPEND src + src/socket.c + src/tls.c + src/tls_ext.c + src/tls_psk.c + src/tls_sni.c + src/tls_sct.c + src/tls_ocsp.c + src/tls_cookie.c + src/tls_trace.c + src/tlcp.c + src/tls12.c + src/tls13.c) + list(APPEND tools + tools/tlcp_client.c + tools/tlcp_server.c + tools/tls12_client.c + tools/tls12_server.c + tools/tls13_client.c + tools/tls13_server.c) + list(APPEND tests tls tls13 tls_ocsp) +endif() + if (ENABLE_INTEL_RDRAND) include(CheckSourceCompiles) @@ -695,7 +729,7 @@ endif() add_test(NAME sm3_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm3_commands.cmake") add_test(NAME sm2_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm2_commands.cmake") add_test(NAME cert_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/cert_commands.cmake") -if(NOT WIN32) +if(ENABLE_TLS AND NOT WIN32) add_test(NAME tlcp_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake") add_test(NAME tls12_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake") add_test(NAME tls13_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake") diff --git a/include/gmssl/x509_key.h b/include/gmssl/x509_key.h index 7c33e6bc..dc0e16ea 100644 --- a/include/gmssl/x509_key.h +++ b/include/gmssl/x509_key.h @@ -19,13 +19,25 @@ #include #include #include +#ifdef ENABLE_SM9 #include +#endif +#ifdef ENABLE_SECP256R1 #include #include +#endif +#ifdef ENABLE_LMS #include +#endif +#ifdef ENABLE_XMSS #include +#endif +#ifdef ENABLE_SPHINCS #include +#endif +#ifdef ENABLE_KYBER #include +#endif #ifdef __cplusplus @@ -38,28 +50,52 @@ typedef struct { int algor_param; union { SM2_KEY sm2_key; +#ifdef ENABLE_SECP256R1 SECP256R1_KEY secp256r1_key; +#endif +#ifdef ENABLE_LMS LMS_KEY lms_key; HSS_KEY hss_key; +#endif +#ifdef ENABLE_XMSS XMSS_KEY xmss_key; XMSSMT_KEY xmssmt_key; +#endif +#ifdef ENABLE_SPHINCS SPHINCS_KEY sphincs_key; +#endif +#ifdef ENABLE_KYBER KYBER_KEY kyber_key; +#endif +#ifdef ENABLE_SM9 SM9_SIGN_MASTER_KEY sm9_sign_master_key; // OID_sm9,OID_sm9sign SM9_SIGN_KEY sm9_sign_key; // OID_sm9sign,OID_undef +#endif } u; } X509_KEY; int x509_key_set_sm2_key(X509_KEY *x509_key, const SM2_KEY *sm2_key); +#ifdef ENABLE_SECP256R1 int x509_key_set_secp256r1_key(X509_KEY *x509_key, const SECP256R1_KEY *secp256r1_key); +#endif +#ifdef ENABLE_LMS int x509_key_set_lms_key(X509_KEY *x509_key, const LMS_KEY *lms_key); int x509_key_set_hss_key(X509_KEY *x509_key, const HSS_KEY *hss_key); +#endif +#ifdef ENABLE_XMSS int x509_key_set_xmss_key(X509_KEY *x509_key, const XMSS_KEY *xmss_key); int x509_key_set_xmssmt_key(X509_KEY *x509_key, const XMSSMT_KEY *xmssmt_key); +#endif +#ifdef ENABLE_SPHINCS int x509_key_set_sphincs_key(X509_KEY *x509_key, const SPHINCS_KEY *sphincs_key); +#endif +#ifdef ENABLE_KYBER int x509_key_set_kyber_key(X509_KEY *x509_key, const KYBER_KEY *kyber_key); +#endif +#ifdef ENABLE_SM9 int x509_key_set_sm9_sign_key(X509_KEY *x509_key, const SM9_SIGN_KEY *sm9_sign_key); int x509_key_set_sm9_sign_master_key(X509_KEY *x509_key, const SM9_SIGN_MASTER_KEY *sm9_sign_master_key); +#endif /* algor: param paramlen @@ -153,12 +189,20 @@ int x509_private_keys_from_file(X509_KEY *keys, size_t *keys_cnt, size_t max_cnt typedef union { uint8_t sm2_sig[SM2_MAX_SIGNATURE_SIZE]; +#ifdef ENABLE_LMS LMS_SIGNATURE lms_sig; HSS_SIGNATURE hss_sig; +#endif +#ifdef ENABLE_XMSS XMSS_SIGNATURE xmss_sig; XMSSMT_SIGNATURE xmssmt_sig; +#endif +#ifdef ENABLE_SPHINCS SPHINCS_SIGNATURE sphincs_sig; +#endif +#ifdef ENABLE_SECP256R1 uint8_t ecdsa_sig[SM2_MAX_SIGNATURE_SIZE]; +#endif } X509_SIGNATURE; // FIXME: give sizeof to a number @@ -168,13 +212,23 @@ typedef struct { union { SM2_SIGN_CTX sm2_sign_ctx; SM2_VERIFY_CTX sm2_verify_ctx; +#ifdef ENABLE_SECP256R1 ECDSA_SIGN_CTX ecdsa_sign_ctx; +#endif +#ifdef ENABLE_SM9 SM9_SIGN_CTX sm9_sign_ctx; +#endif +#ifdef ENABLE_LMS LMS_SIGN_CTX lms_sign_ctx; HSS_SIGN_CTX hss_sign_ctx; +#endif +#ifdef ENABLE_XMSS XMSS_SIGN_CTX xmss_sign_ctx; XMSSMT_SIGN_CTX xmssmt_sign_ctx; +#endif +#ifdef ENABLE_SPHINCS SPHINCS_SIGN_CTX sphincs_sign_ctx; +#endif } u; X509_KEY key; const void *args; diff --git a/src/x509_key.c b/src/x509_key.c index 25115add..139ad15a 100644 --- a/src/x509_key.c +++ b/src/x509_key.c @@ -39,6 +39,7 @@ int x509_key_set_sm2_key(X509_KEY *x509_key, const SM2_KEY *sm2_key) return 1; } +#ifdef ENABLE_SECP256R1 int x509_key_set_secp256r1_key(X509_KEY *x509_key, const SECP256R1_KEY *secp256r1_key) { if (!x509_key || !secp256r1_key) { @@ -51,7 +52,9 @@ int x509_key_set_secp256r1_key(X509_KEY *x509_key, const SECP256R1_KEY *secp256r x509_key->u.secp256r1_key = *secp256r1_key; return 1; } +#endif +#ifdef ENABLE_LMS int x509_key_set_lms_key(X509_KEY *x509_key, const LMS_KEY *lms_key) { if (!x509_key || !lms_key) { @@ -77,7 +80,9 @@ int x509_key_set_hss_key(X509_KEY *x509_key, const HSS_KEY *hss_key) x509_key->u.hss_key = *hss_key; return 1; } +#endif +#ifdef ENABLE_XMSS int x509_key_set_xmss_key(X509_KEY *x509_key, const XMSS_KEY *xmss_key) { if (!x509_key || !xmss_key) { @@ -103,7 +108,9 @@ int x509_key_set_xmssmt_key(X509_KEY *x509_key, const XMSSMT_KEY *xmssmt_key) x509_key->u.xmssmt_key = *xmssmt_key; return 1; } +#endif +#ifdef ENABLE_SPHINCS int x509_key_set_sphincs_key(X509_KEY *x509_key, const SPHINCS_KEY *sphincs_key) { if (!x509_key || !sphincs_key) { @@ -116,7 +123,9 @@ int x509_key_set_sphincs_key(X509_KEY *x509_key, const SPHINCS_KEY *sphincs_key) x509_key->u.sphincs_key = *sphincs_key; return 1; } +#endif +#ifdef ENABLE_KYBER int x509_key_set_kyber_key(X509_KEY *x509_key, const KYBER_KEY *kyber_key) { if (!x509_key || !kyber_key) { @@ -129,7 +138,9 @@ int x509_key_set_kyber_key(X509_KEY *x509_key, const KYBER_KEY *kyber_key) x509_key->u.kyber_key = *kyber_key; return 1; } +#endif +#ifdef ENABLE_SM9 int x509_key_set_sm9_sign_master_key(X509_KEY *x509_key, const SM9_SIGN_MASTER_KEY *sm9_sign_master_key) { if (!x509_key || !sm9_sign_master_key) { @@ -155,6 +166,7 @@ int x509_key_set_sm9_sign_key(X509_KEY *x509_key, const SM9_SIGN_KEY *sm9_sign_k x509_key->u.sm9_sign_key = *sm9_sign_key; return 1; } +#endif int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paramlen) { @@ -171,9 +183,13 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml switch (algor) { case OID_ec_public_key: +#ifdef ENABLE_LMS case OID_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif if (!param) { error_print(); return -1; @@ -184,6 +200,7 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml } param_val = *(const int *)param; break; +#ifdef ENABLE_LMS case OID_hss_lms_hashsig: if (!param) { error_print(); @@ -198,21 +215,23 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (param || paramlen) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (param && paramlen != 32) { error_print(); return -1; } break; - case OID_sm9: - error_print(); - return -1; +#endif default: error_print(); return -1; @@ -227,18 +246,21 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (secp256r1_key_generate(&key->u.secp256r1_key) != 1) { error_print(); return -1; } break; +#endif default: error_print(); return -1; } key->algor_param = param_val; break; +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_key_generate(&key->u.lms_key, param_val) != 1) { error_print(); @@ -251,6 +273,8 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_key_generate(&key->u.xmss_key, param_val) != 1) { error_print(); @@ -263,19 +287,23 @@ int x509_key_generate(X509_KEY *key, int algor, const void *param, size_t paraml return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_key_generate(&key->u.sphincs_key) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (kyber_key_generate_ex(&key->u.kyber_key, (uint8_t *)param) != 1) { error_print(); return -1; } break; - case OID_sm9: +#endif default: error_print(); return -1; @@ -293,32 +321,43 @@ void x509_key_cleanup(X509_KEY *key) case OID_sm2: gmssl_secure_clear(&key->u.sm2_key, sizeof(SM2_KEY)); break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: secp256r1_key_cleanup(&key->u.secp256r1_key); break; +#endif default: error_print(); return; } break; +#ifdef ENABLE_LMS case OID_lms_hashsig: lms_key_cleanup(&key->u.lms_key); break; case OID_hss_lms_hashsig: hss_key_cleanup(&key->u.hss_key); break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: xmss_key_cleanup(&key->u.xmss_key); break; case OID_xmssmt_hashsig: xmssmt_key_cleanup(&key->u.xmssmt_key); break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: sphincs_key_cleanup(&key->u.sphincs_key); break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: kyber_key_cleanup(&key->u.kyber_key); break; +#endif +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -332,6 +371,7 @@ void x509_key_cleanup(X509_KEY *key) case OID_sm9sign: gmssl_secure_clear(&key->u.sm9_sign_key, sizeof(SM9_SIGN_KEY)); break; +#endif default: error_print(); } @@ -356,17 +396,20 @@ int x509_public_key_to_bytes(const X509_KEY *key, uint8_t **out, size_t *outlen) } *outlen += 65; break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (secp256r1_public_key_to_bytes(&key->u.secp256r1_key, out, outlen) != 1) { error_print(); return -1; } break; +#endif default: error_print(); return -1; } break; +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_public_key_to_bytes(&key->u.lms_key, out, outlen) != 1) { error_print(); @@ -379,6 +422,8 @@ int x509_public_key_to_bytes(const X509_KEY *key, uint8_t **out, size_t *outlen) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_public_key_to_bytes(&key->u.xmss_key, out, outlen) != 1) { error_print(); @@ -391,18 +436,24 @@ int x509_public_key_to_bytes(const X509_KEY *key, uint8_t **out, size_t *outlen) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_public_key_to_bytes(&key->u.sphincs_key, out, outlen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (kyber_public_key_to_bytes(&key->u.kyber_key, out, outlen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -419,6 +470,7 @@ int x509_public_key_to_bytes(const X509_KEY *key, uint8_t **out, size_t *outlen) case OID_sm9sign: error_print(); return -1; +#endif default: error_print(); return -1; @@ -452,12 +504,14 @@ int x509_public_key_from_bytes(X509_KEY *key, int algor, int algor_param, const *in += 65; *inlen -= 65; break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (secp256r1_public_key_from_bytes(&key->u.secp256r1_key, in, inlen) != 1) { error_print(); return -1; } break; +#endif default: error_print(); return -1; @@ -469,6 +523,7 @@ int x509_public_key_from_bytes(X509_KEY *key, int algor, int algor_param, const return -1; } switch (algor) { +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_public_key_from_bytes(&key->u.lms_key, in, inlen) != 1) { error_print(); @@ -481,6 +536,8 @@ int x509_public_key_from_bytes(X509_KEY *key, int algor, int algor_param, const return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_public_key_from_bytes(&key->u.xmss_key, in, inlen) != 1) { error_print(); @@ -493,18 +550,24 @@ int x509_public_key_from_bytes(X509_KEY *key, int algor, int algor_param, const return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_public_key_from_bytes(&key->u.sphincs_key, in, inlen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (kyber_public_key_from_bytes(&key->u.kyber_key, in, inlen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -521,6 +584,7 @@ int x509_public_key_from_bytes(X509_KEY *key, int algor, int algor_param, const case OID_sm9sign: error_print(); return -1; +#endif default: error_print(); return -1; @@ -569,32 +633,39 @@ int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub) error_print(); return ret; } +#ifdef ENABLE_SECP256R1 } else if (key->algor_param == OID_secp256r1) { if ((ret = secp256r1_public_key_equ(&key->u.secp256r1_key, &pub->u.secp256r1_key)) != 1) { error_print(); return ret; } +#endif } else { error_print(); return -1; } return 1; +#ifdef ENABLE_LMS case OID_hss_lms_hashsig: if ((ret = hss_public_key_equ(&key->u.hss_key, &pub->u.hss_key)) != 1) { error_print(); return ret; } return 1; +#endif } // sizeof(XXX_PUBLIC_KEY) >= XXX_PUBLIC_KEY_SIZE, depends on compiler switch (key->algor) { +#ifdef ENABLE_LMS case OID_lms_hashsig: if (memcmp(&key->u.lms_key, &pub->u.lms_key, sizeof(LMS_PUBLIC_KEY)) != 0) { error_print(); return 0; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (memcmp(&key->u.xmss_key, &pub->u.xmss_key, sizeof(XMSS_PUBLIC_KEY)) != 0) { error_print(); @@ -607,18 +678,24 @@ int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub) return 0; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (memcmp(&key->u.sphincs_key, &pub->u.sphincs_key, sizeof(SPHINCS_PUBLIC_KEY)) != 0) { error_print(); return 0; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (memcmp(&key->u.kyber_key, &pub->u.kyber_key, sizeof(KYBER_PUBLIC_KEY)) != 0) { error_print(); return 0; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -638,6 +715,7 @@ int x509_public_key_equ(const X509_KEY *key, const X509_KEY *pub) return 0; } break; +#endif default: error_print(); return -1; @@ -654,16 +732,19 @@ int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X error_print(); return -1; } +#ifdef ENABLE_SECP256R1 } else if (key->algor_param == OID_secp256r1) { if (secp256r1_public_key_print(fp, fmt, ind, label, &key->u.secp256r1_key) != 1) { error_print(); return -1; } +#endif } else { error_print(); return -1; } break; +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_public_key_print(fp, fmt, ind, label, &key->u.lms_key) != 1) { error_print(); @@ -676,6 +757,8 @@ int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_public_key_print(fp, fmt, ind, label, &key->u.xmss_key) != 1) { error_print(); @@ -688,18 +771,24 @@ int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_public_key_print(fp, fmt, ind, label, &key->u.sphincs_key) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: if (kyber_public_key_print(fp, fmt, ind, label, &key->u.kyber_key) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -717,6 +806,7 @@ int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X // TODO: no public key, do we need print ID? error_print(); return -1; +#endif default: error_print(); return -1; @@ -845,15 +935,25 @@ int x509_public_key_info_print(FILE *fp, int fmt, int ind, const char *label, co case OID_rsa_encryption: rsa_public_key_print(fp, fmt, ind, "RSAPublicKey", p, len); break; +#ifdef ENABLE_SM9 case OID_sm9: error_print(); break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: case OID_hss_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: +#endif // TODO: print public key without too much details default: format_bytes(fp, fmt, ind, "raw_data", p, len); @@ -915,6 +1015,7 @@ int ec_private_key_to_der(const X509_KEY *key, int encode_params, int encode_pub } sm2_z256_to_bytes(key->u.sm2_key.private_key, prikey); break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (encode_pubkey) { pubkey = pubkey_buf; @@ -926,6 +1027,7 @@ int ec_private_key_to_der(const X509_KEY *key, int encode_params, int encode_pub } secp256r1_to_32bytes(key->u.secp256r1_key.private_key, prikey); break; +#endif default: error_print(); return -1; @@ -1026,7 +1128,9 @@ int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, si } } - } else if (curve == OID_secp256r1) { + } +#ifdef ENABLE_SECP256R1 + else if (curve == OID_secp256r1) { secp256r1_t p256_private; SECP256R1_KEY p256_pub; @@ -1051,7 +1155,9 @@ int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, si return -1; } } - } else { + } +#endif + else { error_print(); return -1; } @@ -1097,7 +1203,9 @@ int x509_private_key_info_to_der(const X509_KEY *key, uint8_t **out, size_t *out case OID_xmssmt_hashsig: case OID_sphincs_hashsig: case OID_kyber_kem: +#ifdef ENABLE_SM9 case OID_sm9: +#endif // TODO: support these algors, (MUST change private_key[] size)! default: error_print(); @@ -1157,6 +1265,7 @@ int x509_private_key_info_from_der(X509_KEY *key, const uint8_t **attrs, size_t return -1; } break; +#ifdef ENABLE_SM9 case OID_sm9sign: if (algor_param != OID_undef) { error_print(); @@ -1171,13 +1280,16 @@ int x509_private_key_info_from_der(X509_KEY *key, const uint8_t **attrs, size_t return -1; } break; +#endif case OID_lms_hashsig: case OID_hss_lms_hashsig: case OID_xmss_hashsig: case OID_xmssmt_hashsig: case OID_sphincs_hashsig: case OID_kyber_kem: +#ifdef ENABLE_SM9 case OID_sm9: +#endif default: error_print(); return -1; @@ -1376,7 +1488,9 @@ int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE } else if (ret == 0) { return 0; // TODO: support return 0 for other algors } - } else if (algor == OID_lms_hashsig) { + } +#ifdef ENABLE_LMS + else if (algor == OID_lms_hashsig) { uint8_t buf[LMS_PRIVATE_KEY_SIZE]; const uint8_t *cp = buf; size_t len = sizeof(buf); @@ -1410,7 +1524,10 @@ int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE error_print(); return -1; } - } else if (algor == OID_xmss_hashsig) { + } +#endif +#ifdef ENABLE_XMSS + else if (algor == OID_xmss_hashsig) { if (xmss_private_key_from_file(&key->u.xmss_key, fp) != 1) { error_print(); return -1; @@ -1420,7 +1537,10 @@ int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE error_print(); return -1; } - } else if (algor == OID_sphincs_hashsig) { + } +#endif +#ifdef ENABLE_SPHINCS + else if (algor == OID_sphincs_hashsig) { uint8_t buf[SPHINCS_PRIVATE_KEY_SIZE]; const uint8_t *cp = buf; size_t len = sizeof(buf); @@ -1437,7 +1557,10 @@ int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE error_print(); return -1; } - } else if (algor == OID_kyber_kem) { + } +#endif +#ifdef ENABLE_KYBER + else if (algor == OID_kyber_kem) { uint8_t buf[KYBER_PRIVATE_KEY_SIZE]; const uint8_t *cp = buf; size_t len = sizeof(buf); @@ -1454,7 +1577,9 @@ int x509_private_key_from_file(X509_KEY *key, int algor, const char *pass, FILE error_print(); return -1; } - } else { + } +#endif + else { error_print(); return -1; } @@ -1500,14 +1625,17 @@ int x509_key_get_sign_algor(const X509_KEY *key, int *algor) case OID_sm2: *algor = OID_sm2sign_with_sm3; break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: *algor = OID_ecdsa_with_sha256; break; +#endif default: error_print(); return -1; } break; +#ifdef ENABLE_SM9 case OID_sm9: switch (key->algor_param) { case OID_sm9sign: @@ -1518,14 +1646,23 @@ int x509_key_get_sign_algor(const X509_KEY *key, int *algor) return -1; } break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: case OID_hss_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: +#endif *algor = key->algor; break; +#ifdef ENABLE_KYBER case OID_kyber_kem: +#endif default: error_print(); return -1; @@ -1539,9 +1676,12 @@ int x509_key_get_signature_size(const X509_KEY *key, size_t *siglen) case OID_ec_public_key: *siglen = SM2_signature_max_size; break; +#ifdef ENABLE_SM9 case OID_sm9: *siglen = SM9_SIGNATURE_SIZE; break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_key_get_signature_size(&key->u.lms_key, siglen) != 1) { error_print(); @@ -1554,6 +1694,8 @@ int x509_key_get_signature_size(const X509_KEY *key, size_t *siglen) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_key_get_signature_size(&key->u.xmss_key, siglen) != 1) { error_print(); @@ -1566,12 +1708,17 @@ int x509_key_get_signature_size(const X509_KEY *key, size_t *siglen) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: *siglen = SPHINCS_SIGNATURE_SIZE; break; +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: error_print(); return -1; +#endif default: error_print(); return -1; @@ -1586,11 +1733,17 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a return -1; } switch (key->algor) { +#ifdef ENABLE_SM9 case OID_sm9: +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: case OID_hss_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif if (args) { error_print(); return -1; @@ -1618,6 +1771,7 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a } ctx->sign_algor = OID_sm2sign_with_sm3; break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (ecdsa_sign_init(&ctx->u.ecdsa_sign_ctx, &key->u.secp256r1_key) != 1) { error_print(); @@ -1625,11 +1779,13 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a } ctx->sign_algor = OID_ecdsa_with_sha256; break; +#endif default: error_print(); return -1; } break; +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_sign_init(&ctx->u.lms_sign_ctx, &key->u.lms_key) != 1) { error_print(); @@ -1644,6 +1800,8 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a } ctx->sign_algor = key->algor; break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_sign_init(&ctx->u.xmss_sign_ctx, &key->u.xmss_key) != 1) { error_print(); @@ -1658,8 +1816,10 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a } ctx->sign_algor = key->algor; break; +#endif // to generate a random signature (instead of a deterministic one), caller should prepare uint8_t rand[16] +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (args) { if (argslen != sizeof(sphincs_hash128_t)) { @@ -1673,6 +1833,8 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a } ctx->sign_algor = key->algor; break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: if (key->algor_param != OID_undef) { error_print(); @@ -1685,6 +1847,7 @@ int x509_sign_init(X509_SIGN_CTX *ctx, X509_KEY *key, const void *args, size_t a ctx->key = *key; ctx->sign_algor = OID_sm9sign; break; +#endif default: error_print(); return -1; @@ -1701,7 +1864,9 @@ int x509_sign_set_signature_size(X509_SIGN_CTX *ctx, size_t siglen) } switch (ctx->sign_algor) { case OID_sm2sign_with_sm3: +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: +#endif switch (siglen) { case SM2_signature_compact_size: case SM2_signature_typical_size: @@ -1734,18 +1899,23 @@ int x509_sign_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: if (ecdsa_sign_update(&ctx->u.ecdsa_sign_ctx, data, datalen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: if (sm9_sign_update(&ctx->u.sm9_sign_ctx, data, datalen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_sign_update(&ctx->u.lms_sign_ctx, data, datalen) != 1) { error_print(); @@ -1758,6 +1928,8 @@ int x509_sign_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_sign_update(&ctx->u.xmss_sign_ctx, data, datalen) != 1) { error_print(); @@ -1770,9 +1942,12 @@ int x509_sign_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: error_print(); return -1; +#endif default: error_print(); return -1; @@ -1801,6 +1976,7 @@ int x509_sign_finish(X509_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) } } break; +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: if (ctx->fixed_siglen) { if (ecdsa_sign_finish_fixlen(&ctx->u.ecdsa_sign_ctx, ctx->fixed_siglen, sig) != 1) { @@ -1815,12 +1991,16 @@ int x509_sign_finish(X509_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) } } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: if (sm9_sign_finish(&ctx->u.sm9_sign_ctx, &ctx->key.u.sm9_sign_key, sig, siglen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_sign_finish(&ctx->u.lms_sign_ctx, sig, siglen) != 1) { error_print(); @@ -1833,6 +2013,8 @@ int x509_sign_finish(X509_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_sign_finish(&ctx->u.xmss_sign_ctx, sig, siglen) != 1) { error_print(); @@ -1845,9 +2027,12 @@ int x509_sign_finish(X509_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: error_print(); return -1; +#endif default: error_print(); return -1; @@ -1868,12 +2053,20 @@ int x509_sign(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen, uint8_t * switch (ctx->sign_algor) { case OID_sm2sign_with_sm3: +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: case OID_hss_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif if (x509_sign_update(ctx, data, datalen) != 1) { error_print(); return -1; @@ -1883,6 +2076,7 @@ int x509_sign(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen, uint8_t * return -1; } break; +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_sign_prepare(&ctx->u.sphincs_sign_ctx, data, datalen) != 1) { error_print(); @@ -1897,6 +2091,7 @@ int x509_sign(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen, uint8_t * return -1; } break; +#endif default: error_print(); return -1; @@ -1912,12 +2107,14 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, return -1; } switch (key->algor) { +#ifdef ENABLE_SM9 case OID_sm9: if (!args || !argslen) { error_print(); return -1; } break; +#endif case OID_ec_public_key: break; default: @@ -1947,6 +2144,7 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, ctx->sig = sig; ctx->siglen = siglen; break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (ecdsa_verify_init(&ctx->u.ecdsa_sign_ctx, &key->u.secp256r1_key, sig, siglen) != 1) { error_print(); @@ -1954,11 +2152,13 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, } ctx->sign_algor = OID_ecdsa_with_sha256; break; +#endif default: error_print(); return -1; } break; +#ifdef ENABLE_SM9 case OID_sm9: if (key->algor_param != OID_sm9sign) { error_print(); @@ -1975,6 +2175,8 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, ctx->sig = sig; ctx->siglen = siglen; break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_verify_init(&ctx->u.lms_sign_ctx, &key->u.lms_key, sig, siglen) != 1) { error_print(); @@ -1989,6 +2191,8 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, } ctx->sign_algor = key->algor; break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_verify_init(&ctx->u.xmss_sign_ctx, &key->u.xmss_key, sig, siglen) != 1) { error_print(); @@ -2003,6 +2207,8 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, } ctx->sign_algor = key->algor; break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_verify_init(&ctx->u.sphincs_sign_ctx, &key->u.sphincs_key, sig, siglen) != 1) { error_print(); @@ -2010,6 +2216,7 @@ int x509_verify_init(X509_SIGN_CTX *ctx, const X509_KEY *key, const void *args, } ctx->sign_algor = key->algor; break; +#endif default: error_print(); return -1; @@ -2026,18 +2233,23 @@ int x509_verify_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: if (ecdsa_verify_update(&ctx->u.ecdsa_sign_ctx, data, datalen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: if (sm9_verify_update(&ctx->u.sm9_sign_ctx, data, datalen) != 1) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if (lms_verify_update(&ctx->u.lms_sign_ctx, data, datalen) != 1) { error_print(); @@ -2050,6 +2262,8 @@ int x509_verify_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if (xmss_verify_update(&ctx->u.xmss_sign_ctx, data, datalen) != 1) { error_print(); @@ -2062,9 +2276,12 @@ int x509_verify_update(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: error_print(); return -1; +#endif default: error_print(); return -1; @@ -2086,12 +2303,15 @@ int x509_verify_finish(X509_SIGN_CTX *ctx) return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: if ((ret = ecdsa_verify_finish(&ctx->u.ecdsa_sign_ctx)) < 0) { error_print(); return -1; } break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: id = ctx->args; idlen = ctx->argslen; @@ -2105,6 +2325,8 @@ int x509_verify_finish(X509_SIGN_CTX *ctx) return -1; } break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: if ((ret = lms_verify_finish(&ctx->u.lms_sign_ctx)) < 0) { error_print(); @@ -2117,6 +2339,8 @@ int x509_verify_finish(X509_SIGN_CTX *ctx) return -1; } break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: if ((ret = xmss_verify_finish(&ctx->u.xmss_sign_ctx)) < 0) { error_print(); @@ -2129,9 +2353,12 @@ int x509_verify_finish(X509_SIGN_CTX *ctx) return -1; } break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: error_print(); return -1; +#endif default: error_print(); return -1; @@ -2149,12 +2376,20 @@ int x509_verify(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) } switch (ctx->sign_algor) { case OID_sm2sign_with_sm3: +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: case OID_hss_lms_hashsig: +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: case OID_xmssmt_hashsig: +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: +#endif if (x509_verify_update(ctx, data, datalen) != 1) { error_print(); return -1; @@ -2164,6 +2399,7 @@ int x509_verify(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: if (sphincs_verify_update(&ctx->u.sphincs_sign_ctx, data, datalen) != 1) { error_print(); @@ -2174,6 +2410,7 @@ int x509_verify(X509_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } break; +#endif default: error_print(); return -1; @@ -2188,26 +2425,36 @@ void x509_sign_ctx_cleanup(X509_SIGN_CTX *ctx) case OID_sm2sign_with_sm3: gmssl_secure_clear(&ctx->u.sm2_sign_ctx, sizeof(SM2_SIGN_CTX)); break; +#ifdef ENABLE_SECP256R1 case OID_ecdsa_with_sha256: gmssl_secure_clear(&ctx->u.ecdsa_sign_ctx, sizeof(ECDSA_SIGN_CTX)); break; +#endif +#ifdef ENABLE_LMS case OID_lms_hashsig: lms_sign_ctx_cleanup(&ctx->u.lms_sign_ctx); break; case OID_hss_lms_hashsig: hss_sign_ctx_cleanup(&ctx->u.hss_sign_ctx); break; +#endif +#ifdef ENABLE_XMSS case OID_xmss_hashsig: xmss_sign_ctx_cleanup(&ctx->u.xmss_sign_ctx); break; case OID_xmssmt_hashsig: xmssmt_sign_ctx_cleanup(&ctx->u.xmssmt_sign_ctx); break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: sphincs_sign_ctx_cleanup(&ctx->u.sphincs_sign_ctx); break; +#endif +#ifdef ENABLE_SM9 case OID_sm9sign: gmssl_secure_clear(&ctx->u.sm9_sign_ctx, sizeof(SM9_SIGN_CTX)); +#endif } memset(ctx, 0, sizeof(X509_SIGN_CTX)); } @@ -2235,12 +2482,14 @@ int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *pub, uint8_t *out, return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (secp256r1_do_ecdh(&key->u.secp256r1_key, &pub->u.secp256r1_key, out) != 1) { error_print(); return -1; } break; +#endif default: error_print(); return -1; @@ -2270,12 +2519,14 @@ int x509_key_exchange(const X509_KEY *key, const uint8_t *peer_pub, size_t peer_ return -1; } break; +#ifdef ENABLE_SECP256R1 case OID_secp256r1: if (secp256r1_ecdh(&key->u.secp256r1_key, peer_pub, out) != 1) { error_print(); return -1; } break; +#endif default: error_print(); return -1; @@ -2286,6 +2537,7 @@ int x509_key_exchange(const X509_KEY *key, const uint8_t *peer_pub, size_t peer_ int x509_key_encapsulate(const X509_KEY *key, uint8_t *ciphertext, size_t *ciphertext_len, uint8_t secret[32]) { +#ifdef ENABLE_KYBER if (!key || !ciphertext || !ciphertext_len || !secret) { error_print(); return -1; @@ -2300,10 +2552,15 @@ int x509_key_encapsulate(const X509_KEY *key, uint8_t *ciphertext, size_t *ciphe } *ciphertext_len = sizeof(KYBER_CIPHERTEXT); return 1; +#else + error_print(); + return -1; +#endif } int x509_key_decapsulate(const X509_KEY *key, const uint8_t *ciphertext, size_t ciphertext_len, uint8_t secret[32]) { +#ifdef ENABLE_KYBER if (!key || !ciphertext || !secret) { error_print(); return -1; @@ -2321,4 +2578,8 @@ int x509_key_decapsulate(const X509_KEY *key, const uint8_t *ciphertext, size_t return -1; } return 1; +#else + error_print(); + return -1; +#endif } diff --git a/tests/x509_keytest.c b/tests/x509_keytest.c index 421d1edb..e0b85ee4 100644 --- a/tests/x509_keytest.c +++ b/tests/x509_keytest.c @@ -19,24 +19,36 @@ #include -int lms_types[] = { +#ifdef ENABLE_LMS +static int lms_types[] = { LMS_HASH256_M32_H5, LMS_HASH256_M32_H5, LMS_HASH256_M32_H5, }; +#endif struct { int algor; int algor_param; } tests[] = { { OID_ec_public_key, OID_sm2 }, +#ifdef ENABLE_SECP256R1 { OID_ec_public_key, OID_secp256r1 }, +#endif +#ifdef ENABLE_LMS { OID_lms_hashsig, LMS_HASH256_M32_H5 }, { OID_hss_lms_hashsig, OID_undef }, // use lms_types[] +#endif +#ifdef ENABLE_XMSS { OID_xmss_hashsig, XMSS_HASH256_10_256 }, { OID_xmssmt_hashsig, XMSSMT_HASH256_20_4_256 }, +#endif +#ifdef ENABLE_SPHINCS { OID_sphincs_hashsig, OID_undef }, +#endif +#ifdef ENABLE_KYBER { OID_kyber_kem, OID_undef }, +#endif }; X509_KEY x509_keys[sizeof(tests)/sizeof(tests[0])]; @@ -51,15 +63,23 @@ static int test_x509_key_generate(void) size_t paramlen = 0; switch (tests[i].algor) { +#ifdef ENABLE_LMS case OID_hss_lms_hashsig: param = lms_types; paramlen = sizeof(lms_types); break; +#endif +#ifdef ENABLE_SPHINCS case OID_sphincs_hashsig: +#endif +#ifdef ENABLE_KYBER case OID_kyber_kem: +#endif +#if defined(ENABLE_SPHINCS) || defined(ENABLE_KYBER) param = NULL; paramlen = 0; break; +#endif default: param = &tests[i].algor_param; paramlen = sizeof(tests[i].algor_param); @@ -432,6 +452,7 @@ static int test_x509_sign(void) return 1; } +#ifdef ENABLE_SM9 static int test_x509_sign_sm9(void) { SM9_SIGN_MASTER_KEY sm9_sign_master_key; @@ -490,6 +511,7 @@ static int test_x509_sign_sm9(void) printf("%s() ok\n", __FUNCTION__); return 1; } +#endif static int test_x509_key_exchange(void) { @@ -566,6 +588,7 @@ static int test_x509_key_exchange(void) return 1; } +#ifdef ENABLE_KYBER static int test_x509_kem(void) { uint8_t ciphertext[sizeof(KYBER_CIPHERTEXT)]; @@ -600,6 +623,7 @@ static int test_x509_kem(void) printf("%s() ok\n", __FUNCTION__); return 1; } +#endif int main(void) { @@ -612,9 +636,13 @@ int main(void) if (test_x509_private_key_info_encrypt_to_pem() != 1) goto err; if (test_x509_private_key_info_decrypt_from_pem() != 1) goto err; if (test_x509_sign() != 1) goto err; +#ifdef ENABLE_SM9 if (test_x509_sign_sm9() != 1) goto err; +#endif if (test_x509_key_exchange() != 1) goto err; +#ifdef ENABLE_KYBER if (test_x509_kem() != 1) goto err; +#endif printf("%s all tests passed!\n", __FILE__); return 0; diff --git a/tools/gmssl.c b/tools/gmssl.c index 85654950..7646b6f9 100644 --- a/tools/gmssl.c +++ b/tools/gmssl.c @@ -34,36 +34,58 @@ extern int sm2decrypt_main(int argc, char **argv); extern int sm3_main(int argc, char **argv); extern int sm3hmac_main(int argc, char **argv); extern int sm3_pbkdf2_main(int argc, char **argv); +#ifdef ENABLE_SM4_ECB extern int sm4_ecb_main(int argc, char **argv); +#endif extern int sm4_cbc_main(int argc, char **argv); extern int sm4_ctr_main(int argc, char **argv); +#ifdef ENABLE_SM4_CFB extern int sm4_cfb_main(int argc, char **argv); +#endif +#ifdef ENABLE_SM4_OFB extern int sm4_ofb_main(int argc, char **argv); +#endif +#ifdef ENABLE_SM4_CCM extern int sm4_ccm_main(int argc, char **argv); +#endif extern int sm4_gcm_main(int argc, char **argv); +#ifdef ENABLE_SM4_XTS extern int sm4_xts_main(int argc, char **argv); +#endif extern int sm4_cbc_sm3_hmac_main(int argc, char **argv); extern int sm4_ctr_sm3_hmac_main(int argc, char **argv); +#ifdef ENABLE_SM4_CBC_MAC extern int sm4_cbc_mac_main(int argc, char **argv); +#endif +#ifdef ENABLE_ZUC extern int zuc_main(int argc, char **argv); +#endif +#ifdef ENABLE_GHASH extern int ghash_main(int argc, char **argv); +#endif +#ifdef ENABLE_SM9 extern int sm9setup_main(int argc, char **argv); extern int sm9keygen_main(int argc, char **argv); extern int sm9sign_main(int argc, char **argv); extern int sm9verify_main(int argc, char **argv); extern int sm9encrypt_main(int argc, char **argv); extern int sm9decrypt_main(int argc, char **argv); +#endif +#ifdef ENABLE_CMS extern int cmsparse_main(int argc, char **argv); extern int cmsencrypt_main(int argc, char **argv); extern int cmsdecrypt_main(int argc, char **argv); extern int cmssign_main(int argc, char **argv); extern int cmsverify_main(int argc, char **argv); +#endif +#ifdef ENABLE_TLS extern int tlcp_client_main(int argc, char **argv); extern int tlcp_server_main(int argc, char **argv); extern int tls12_client_main(int argc, char **argv); extern int tls12_server_main(int argc, char **argv); extern int tls13_client_main(int argc, char **argv); extern int tls13_server_main(int argc, char **argv); +#endif #ifdef ENABLE_SECP256R1 extern int p256keygen_main(int argc, char **argv); #endif @@ -122,25 +144,43 @@ static const char *options = " sm3 Generate SM3 hash\n" " sm3hmac Generate SM3 HMAC tag\n" " sm3_pbkdf2 Hash password into key using PBKDF2 algoritm\n" +#ifdef ENABLE_SM4_ECB " sm4_ecb Encrypt or decrypt with SM4 ECB\n" +#endif " sm4_cbc Encrypt or decrypt with SM4 CBC\n" " sm4_ctr Encrypt or decrypt with SM4 CTR\n" +#ifdef ENABLE_SM4_CFB " sm4_cfb Encrypt or decrypt with SM4 CFB\n" +#endif +#ifdef ENABLE_SM4_OFB " sm4_ofb Encrypt or decrypt with SM4 OFB\n" +#endif +#ifdef ENABLE_SM4_CCM " sm4_ccm Encrypt or decrypt with SM4 CCM\n" +#endif " sm4_gcm Encrypt or decrypt with SM4 GCM\n" +#ifdef ENABLE_SM4_XTS " sm4_xts Encrypt or decrypt with SM4 XTS\n" +#endif " sm4_cbc_sm3_hmac Encrypt or decrypt with SM4 CBC with SM3-HMAC\n" " sm4_ctr_sm3_hmac Encrypt or decrypt with SM4 CTR with SM3-HMAC\n" +#ifdef ENABLE_SM4_CBC_MAC " sm4_cbc_mac Generate SM4 CBC-MAC\n" +#endif +#ifdef ENABLE_GHASH " ghash Generate GHASH\n" +#endif +#ifdef ENABLE_ZUC " zuc Encrypt or decrypt with ZUC\n" +#endif +#ifdef ENABLE_SM9 " sm9setup Generate SM9 master secret\n" " sm9keygen Generate SM9 private key\n" " sm9sign Generate SM9 signature\n" " sm9verify Verify SM9 signature\n" " sm9encrypt SM9 public key encryption\n" " sm9decrypt SM9 decryption\n" +#endif " reqgen Generate certificate signing request (CSR)\n" " reqsign Generate certificate from CSR\n" " reqparse Parse and print a CSR\n" @@ -152,11 +192,13 @@ static const char *options = " certparse Parse and print certificates\n" " certverify Verify certificate chain\n" " certrevoke Revoke certificate and output RevokedCertificate record\n" +#ifdef ENABLE_CMS " cmsparse Parse CMS (cryptographic message syntax) file\n" " cmsencrypt Generate CMS EnvelopedData\n" " cmsdecrypt Decrypt CMS EnvelopedData\n" " cmssign Generate CMS SignedData\n" " cmsverify Verify CMS SignedData\n" +#endif #ifdef ENABLE_SECP256R1 " p256keygen Generate P-256 (secp256r1, prime256v1) keypair\n" #endif @@ -198,12 +240,14 @@ static const char *options = #ifdef ENABLE_SKF " skfutil SKF crypto device utility\n" #endif +#ifdef ENABLE_TLS " tlcp_client TLCP client\n" " tlcp_server TLCP server\n" " tls12_client TLS 1.2 client\n" " tls12_server TLS 1.2 server\n" " tls13_client TLS 1.3 client\n" " tls13_server TLS 1.3 server\n" +#endif "\n" "run `gmssl -help` to print help of the given command\n" "\n"; @@ -298,14 +342,19 @@ int main(int argc, char **argv) return sm4_cbc_sm3_hmac_main(argc, argv); } else if (!strcmp(*argv, "sm4_ctr_sm3_hmac")) { return sm4_ctr_sm3_hmac_main(argc, argv); +#ifdef ENABLE_GHASH } else if (!strcmp(*argv, "ghash")) { return ghash_main(argc, argv); +#endif #if ENABLE_SM4_CBC_MAC } else if (!strcmp(*argv, "sm4_cbc_mac")) { return sm4_cbc_mac_main(argc, argv); #endif +#ifdef ENABLE_ZUC } else if (!strcmp(*argv, "zuc")) { return zuc_main(argc, argv); +#endif +#ifdef ENABLE_SM9 } else if (!strcmp(*argv, "sm9setup")) { return sm9setup_main(argc, argv); } else if (!strcmp(*argv, "sm9keygen")) { @@ -318,6 +367,8 @@ int main(int argc, char **argv) return sm9encrypt_main(argc, argv); } else if (!strcmp(*argv, "sm9decrypt")) { return sm9decrypt_main(argc, argv); +#endif +#ifdef ENABLE_CMS } else if (!strcmp(*argv, "cmsparse")) { return cmsparse_main(argc, argv); } else if (!strcmp(*argv, "cmsencrypt")) { @@ -328,6 +379,8 @@ int main(int argc, char **argv) return cmssign_main(argc, argv); } else if (!strcmp(*argv, "cmsverify")) { return cmsverify_main(argc, argv); +#endif +#ifdef ENABLE_TLS } else if (!strcmp(*argv, "tlcp_client")) { return tlcp_client_main(argc, argv); } else if (!strcmp(*argv, "tlcp_server")) { @@ -340,6 +393,7 @@ int main(int argc, char **argv) return tls13_client_main(argc, argv); } else if (!strcmp(*argv, "tls13_server")) { return tls13_server_main(argc, argv); +#endif #ifdef ENABLE_SECP256R1 } else if (!strcmp(*argv, "p256keygen")) { return p256keygen_main(argc, argv);