diff --git a/src/internal.c b/src/internal.c index cf1f2f6e..97d94fb4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -92,6 +92,9 @@ Flags: WOLFSSH_NO_DH_GROUP14_SHA1 Set when DH or SHA1 are disabled. Set to disable use of DH (Oakley 14) and SHA1 support. + WOLFSSH_NO_DH_GROUP14_SHA256 + Set when DH or SHA256 are disabled. Set to disable use of DH (Oakley 14) + and SHA256 support. WOLFSSH_NO_DH_GEX_SHA256 Set when DH or SHA2-256 are disabled. Set to disable use of DH group exchange and SHA2-256 support. @@ -674,6 +677,9 @@ static const char cannedKexAlgoNames[] = #if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) "ecdh-sha2-nistp256," #endif +#if !defined(WOLFSSH_NO_DH_GROUP14_SHA256) + "diffie-hellman-group14-sha256," +#endif #if !defined(WOLFSSH_NO_DH_GEX_SHA256) "diffie-hellman-group-exchange-sha256," #endif @@ -2397,6 +2403,9 @@ static const NameIdPair NameIdMap[] = { #ifndef WOLFSSH_NO_DH_GROUP14_SHA1 { ID_DH_GROUP14_SHA1, TYPE_KEX, "diffie-hellman-group14-sha1" }, #endif +#ifndef WOLFSSH_NO_DH_GROUP14_SHA256 + { ID_DH_GROUP14_SHA256, TYPE_KEX, "diffie-hellman-group14-sha256" }, +#endif #ifndef WOLFSSH_NO_DH_GEX_SHA256 { ID_DH_GEX_SHA256, TYPE_KEX, "diffie-hellman-group-exchange-sha256" }, #endif @@ -2409,9 +2418,6 @@ static const NameIdPair NameIdMap[] = { #ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521 { ID_ECDH_SHA2_NISTP521, TYPE_KEX, "ecdh-sha2-nistp521" }, #endif -#ifndef WOLFSSH_NO_DH_GEX_SHA256 - { ID_DH_GROUP14_SHA256, TYPE_KEX, "diffie-hellman-group14-sha256" }, -#endif #ifndef WOLFSSH_NO_ECDH_NISTP256_KYBER_LEVEL1_SHA256 /* We use kyber-512 here to achieve interop with OQS's fork. */ { ID_ECDH_NISTP256_KYBER_LEVEL1_SHA256, TYPE_KEX, @@ -3632,6 +3638,10 @@ INLINE enum wc_HashType HashForId(byte id) #endif /* SHA2-256 */ +#ifndef WOLFSSH_NO_DH_GROUP14_SHA256 + case ID_DH_GROUP14_SHA256: + return WC_HASH_TYPE_SHA256; +#endif #ifndef WOLFSSH_NO_DH_GEX_SHA256 case ID_DH_GEX_SHA256: return WC_HASH_TYPE_SHA256; 
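Review bot: The position of `"diffie-hellman-group14-sha256,"` in cannedKexAlgoNames (src/internal.c, hunk at -674) is undocumented. If this string is sent unchanged as the KEXINIT proposal, the position sets the negotiation preference, and the fixed 2048-bit group now ranks above `diffie-hellman-group-exchange-sha256`. If that ordering is intended, a one-line comment above the entry such as `/* order is preference order; group14-sha256 is preferred over group exchange */` would keep later insertions from reshuffling it by accident. The array's definition starts and ends outside the hunk.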
@@ -4239,6 +4249,7 @@ static const word32 dhPrimeGroup1Sz = (word32)sizeof(dhPrimeGroup1);
 #endif
 #if !defined(WOLFSSH_NO_DH_GROUP14_SHA1) || \
+ !defined(WOLFSSH_NO_DH_GROUP14_SHA256) || \
 !defined(WOLFSSH_NO_DH_GEX_SHA256)
 static const byte dhPrimeGroup14[] = {
 /* SSH DH Group 14 (Oakley Group 14, 2048-bit MODP Group, RFC 3526) */
@@ -10093,6 +10104,14 @@ static int GetDHPrimeGroup(int kexId, const byte** primeGroup,
 *generatorSz = dhGeneratorSz;
 break;
 #endif
+ #ifndef WOLFSSH_NO_DH_GROUP14_SHA256
+ case ID_DH_GROUP14_SHA256:
+ *primeGroup = dhPrimeGroup14;
+ *primeGroupSz = dhPrimeGroup14Sz;
+ *generator = dhGenerator;
+ *generatorSz = dhGeneratorSz;
+ break;
+ #endif
 #ifndef WOLFSSH_NO_DH_GEX_SHA256
 case ID_DH_GEX_SHA256:
 *primeGroup = dhPrimeGroup14;
@@ -10121,7 +10140,7 @@ static int SendKexGetSigningKey(WOLFSSH* ssh,
 void* heap;
 byte scratchLen[LENGTH_SZ];
 word32 scratch = 0;
-#ifndef WOLFSSH_NO_DH
+#ifndef WOLFSSH_NO_DH_GEX_SHA256
 const byte* primeGroup = NULL;
 word32 primeGroupSz = 0;
 const byte* generator = NULL;
@@ -11363,6 +11382,12 @@ int SendKexDhReply(WOLFSSH* ssh)
 msgId = MSGID_KEXDH_REPLY;
 break;
 #endif
+#ifndef WOLFSSH_NO_DH_GROUP14_SHA256
+ case ID_DH_GROUP14_SHA256:
+ useDh = 1;
+ msgId = MSGID_KEXDH_REPLY;
+ break;
+#endif
 #ifndef WOLFSSH_NO_DH_GEX_SHA256
 case ID_DH_GEX_SHA256:
 useDh = 1;
@@ -11923,6 +11948,15 @@ int SendKexDhInit(WOLFSSH* ssh)
 generatorSz = dhGeneratorSz;
 break;
 #endif
+#ifndef WOLFSSH_NO_DH_GROUP14_SHA256
+ case ID_DH_GROUP14_SHA256:
+ ssh->handshake->useDh = 1;
+ primeGroup = dhPrimeGroup14;
+ primeGroupSz = dhPrimeGroup14Sz;
+ generator = dhGenerator;
+ generatorSz = dhGeneratorSz;
+ break;
+#endif
 #ifndef WOLFSSH_NO_DH_GEX_SHA256
 case ID_DH_GEX_SHA256:
 ssh->handshake->useDh = 1;
diff --git a/wolfssh/internal.h b/wolfssh/internal.h
index 286acaf9..a1f29b48 100644
--- a/wolfssh/internal.h
+++ b/wolfssh/internal.h
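Review bot: Only the guard around `dhPrimeGroup14` is widened in src/internal.c (hunk at -4239), but the `ID_DH_GROUP14_SHA256` cases added to GetDHPrimeGroup and SendKexDhInit also read `dhGenerator` and `dhGeneratorSz`, whose definition is not part of this diff. If their guard lists the individual KEX macros the way this one does, a configuration with only group14-sha256 enabled would not compile. Worth confirming, and adding `!defined(WOLFSSH_NO_DH_GROUP14_SHA256)` to that guard if it is needed.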
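Review bot: Narrowing the guard on `primeGroup`, `primeGroupSz` and `generator` from `WOLFSSH_NO_DH` to `WOLFSSH_NO_DH_GEX_SHA256` in SendKexGetSigningKey (hunk at -10121) is only safe if every later use of those locals sits under the same macro. The function body continues outside the hunk, so that cannot be checked from here. A build with group exchange disabled but a fixed DH group enabled would otherwise fail to compile. A comment on the declaration such as `/* prime and generator are only needed for the group-exchange hash */` would record the intent; presumably that is the reason for the change, so confirm before adding it.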
@@ -140,6 +140,10 @@ extern "C" {
 #undef WOLFSSH_NO_DH_GROUP14_SHA1
 #define WOLFSSH_NO_DH_GROUP14_SHA1
 #endif
+#if defined(WOLFSSH_NO_DH) || defined(WOLFSSH_NO_SHA256)
+ #undef WOLFSSH_NO_DH_GROUP14_SHA256
+ #define WOLFSSH_NO_DH_GROUP14_SHA256
+#endif
 #if defined(WOLFSSH_NO_DH) || defined(NO_SHA256)
 #undef WOLFSSH_NO_DH_GEX_SHA256
 #define WOLFSSH_NO_DH_GEX_SHA256
@@ -171,6 +175,7 @@ extern "C" {
 #if defined(WOLFSSH_NO_DH_GROUP1_SHA1) && \
 defined(WOLFSSH_NO_DH_GROUP14_SHA1) && \
+ defined(WOLFSSH_NO_DH_GROUP14_SHA256) && \
 defined(WOLFSSH_NO_DH_GEX_SHA256) && \
 defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \
 defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \
@@ -182,6 +187,7 @@ extern "C" {
 #if defined(WOLFSSH_NO_DH_GROUP1_SHA1) && \
 defined(WOLFSSH_NO_DH_GROUP14_SHA1) && \
+ defined(WOLFSSH_NO_DH_GROUP14_SHA256) && \
 defined(WOLFSSH_NO_DH_GEX_SHA256)
 #undef WOLFSSH_NO_DH
 #define WOLFSSH_NO_DH
@@ -307,13 +313,13 @@ enum {
 /* Key Exchange IDs */
 ID_DH_GROUP1_SHA1,
 ID_DH_GROUP14_SHA1,
+ ID_DH_GROUP14_SHA256,
 ID_DH_GEX_SHA256,
 ID_ECDH_SHA2_NISTP256,
 ID_ECDH_SHA2_NISTP384,
 ID_ECDH_SHA2_NISTP521,
 ID_ECDH_SHA2_ED25519,
 ID_ECDH_SHA2_ED25519_LIBSSH,
- ID_DH_GROUP14_SHA256,
 #ifndef WOLFSSH_NO_ECDH_NISTP256_KYBER_LEVEL1_SHA256
 ID_ECDH_NISTP256_KYBER_LEVEL1_SHA256,
 #endif
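Review bot: The new guard in wolfssh/internal.h (hunk at -140) tests `WOLFSSH_NO_SHA256`, while the adjacent WOLFSSH_NO_DH_GEX_SHA256 guard in the same hunk tests `NO_SHA256`, and no definition of `WOLFSSH_NO_SHA256` is visible in this diff. If that macro is not defined elsewhere, a build with SHA-256 compiled out would leave `diffie-hellman-group14-sha256` enabled in the canned KEX list and in HashForId instead of disabling it alongside group exchange. Matching the neighbouring guard, `#if defined(WOLFSSH_NO_DH) || defined(NO_SHA256)`, keeps the two SHA-256 DH methods switched off together.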