Add settings.h check: DSA needs SHA1

[gojimmypi]

Description

Adds a settings.h sanity check to ensure if DSA is enabled, that SHA1 is also enabled.

I started going down the road of gating out all the DSA code when not enabled, but the further I got, the more complex it became. I gave up when I found MakeAnyCert() that has a DSA parameter. It is certainly possible to code around this, and I can do so if desired. For now we have the sanity check,

Otherwise, without this change: when DSA is enabled and SHA1 is disabled (e.g. #define NO_SHA) , unintuitive compile time errors may occur such as this:

C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c: In function 'wc_DsaSign':
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c:653:34: error: 'WC_SHA_DIGEST_SIZE' undeclared (first use in this function); did you mean 'WC_SHA384_DIGEST_SIZE'?
  653 |     return wc_DsaSign_ex(digest, WC_SHA_DIGEST_SIZE, out, key, rng);
      |                                  ^~~~~~~~~~~~~~~~~~
      |                                  WC_SHA384_DIGEST_SIZE
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c:653:34: note: each undeclared identifier is reported only once for each function it appears in
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c: In function 'wc_DsaVerify':
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c:988:36: error: 'WC_SHA_DIGEST_SIZE' undeclared (first use in this function); did you mean 'WC_SHA384_DIGEST_SIZE'?
  988 |     return wc_DsaVerify_ex(digest, WC_SHA_DIGEST_SIZE, sig, key, answer);
      |                                    ^~~~~~~~~~~~~~~~~~
      |                                    WC_SHA384_DIGEST_SIZE
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c: In function 'wc_DsaSign':
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c:654:1: error: control reaches end of non-void function [-Werror=return-type]
  654 | }
      | ^
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c: In function 'wc_DsaVerify':
C:/workspace/wolfssl-gojimmypi-pr/wolfcrypt/src/dsa.c:989:1: error: control reaches end of non-void function [-Werror=return-type]
  989 | }
      | ^

Fixes zd# n/a

Testing

Limited testing only with embedded target.

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

HAVE_DSA isn't really a thing... we don't use it.

./configure --enable-dsa --disable-sha && make
configure: error: please disable DSA if disabling SHA-1.

Would prefer simple the following:

#if !defined(NO_DSA) && !defined(NO_SHA)
    #error "Please disable DSA if disabling SHA-1"
#endif

[gojimmypi]

HAVE_DSA isn't really a thing... we don't use it.

Perhaps it would be good to revisit all the DSA the code and gate everything out to reduce code size at some point?

Would prefer the following

I agree in concept, although that exact logic doesn't work. Adding it, and I still see the unintuitive compile error.

I think this is perhaps the intention for that message:

#if defined(HAVE_DSA) && defined(NO_SHA)
    #error "Please disable DSA if disabling SHA-1"
#endif

or perhaps even this, which I included just now & squashed commits:

#if (defined(HAVE_DSA) || !defined(NO_DSA)) && defined(NO_SHA)
    #error "Please disable DSA if disabling SHA-1"
#endif

A missing NO_DSA may not actually mean that HAVE_DSA is enabled, as there's only a check in the reverse order (first checking if HAVE_DSA is defined and then defining NO_DSA.

Further, all of this will work in my case for the Espressif ESP-IDF, but is it intentional that the logic for DSA and others is wrapped in a #ifdef FREERTOS?

[dgarske]

Again, HAVE_DSA isn't really needed. Just gating on !defined(NO_DSA) should be enough. And yes I had a typo in my example !defined(NO_SHA) -> defined(NO_SHA).

[dgarske]

Please resolve merge conflicts

[gojimmypi]

Jenkins retest this please

[dgarske]

Nit: #if !defined(NO_DSA) && defined(NO_SHA)

[gojimmypi]

Agreed. Oversight on my part.

[gojimmypi]

Jenkins retest this please

[dgarske]

Retest this please