WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

ECC (#35) 

* Renamed the server key files to indicate they are rsa keys.
* Add ecc key files for the server.
* Move ProcessBuffer from ssh.c to internal.c.
* Remove #includes for headers from files that are not used.
* Added support for KEX algorithms: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
* Updated readme
* Added support for the public key algorithm ecdsa-sha2-nistp256.
* Added support for public key algorithms ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521.
* The Key Algorithm list for the KEX picks a single value to offer based on the private key used.
* Added private keys on curves nistp384 and nistp521. The curve nistp256 is used as the default.
* Added the new ecc keys to include.am
pull/36/merge
John Safranek 2017-07-14 12:24:38 -07:00 committed by dgarske
parent 4106ce3186
commit 1d594eba1f
15 changed files with 714 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
README.md
View File

@ -50,12 +50,12 @@ From another terminal run:
The server will send a canned banner to the client:
CANNED BANNER
This server is an example test server. It should have its own banner, but
it is currently using a canned one in the library. Be happy or not.
wolfSSH Example Echo Server
Characters typed into the client will be echoed to the screen by the server.
If the characters are echoed twice, the client has local echo enabled.
If the characters are echoed twice, the client has local echo enabled. The
echo server isn't being a proper terminal so the CR/LF translation will not
work as expected.
testing notes
@ -86,6 +86,16 @@ Where the user can be `gretel` or `hansel`.
release notes
-------------
### wolfSSH v1.2.0 (07/XX/2017)
- Added ECDH Group Exchange with SHA2 hashing and curves nistp256,
nistp384, and nistp521.
- Added ECDSA with SHA2 hashing and curves nistp256, nistp384, and nistp521.
- Changed the echoserver to allow only one connection, but multiple
connections are allowed with a command line option.
- Added option to echoserver to offer an ECC public key.
- Other small bug fixes and enhancements.
### wolfSSH v1.1.0 (06/16/2017)
- Added DH Group Exchange with SHA-256 hashing to the key exchange.

17
examples/echoserver/echoserver.c
View File

@ -737,6 +737,7 @@ static void ShowUsage(void)
printf("echoserver %s\n", LIBWOLFSSH_VERSION_STRING);
printf("-h Help, print this usage\n");
printf("-m Allow multiple connections\n");
printf("-e Use ECC private key\n");
}
@ -748,13 +749,14 @@ int main(int argc, char** argv)
uint32_t defaultHighwater = EXAMPLE_HIGHWATER_MARK;
uint32_t threadCount = 0;
int multipleConnections = 0;
int useEcc = 0;
char ch;
#ifdef DEBUG_WOLFSSH
wolfSSH_Debugging_ON();
#endif
while ((ch = mygetopt(argc, argv, "hm")) != -1) {
while ((ch = mygetopt(argc, argv, "hme")) != -1) {
switch (ch) {
case 'h' :
ShowUsage();
@ -764,6 +766,10 @@ int main(int argc, char** argv)
multipleConnections = 1;
break;
case 'e' :
useEcc = 1;
break;
default:
ShowUsage();
exit(MY_EX_USAGE);
@ -790,13 +796,16 @@ int main(int argc, char** argv)
uint8_t buf[SCRATCH_BUFFER_SIZE];
uint32_t bufSz;
bufSz = load_file("./keys/server-key.der", buf, SCRATCH_BUFFER_SIZE);
bufSz = load_file(useEcc ?
"./keys/server-key-ecc.der" :
"./keys/server-key-rsa.der",
buf, SCRATCH_BUFFER_SIZE);
if (bufSz == 0) {
fprintf(stderr, "Couldn't load key file.\n");
exit(EXIT_FAILURE);
}
if (wolfSSH_CTX_UsePrivateKey_buffer(ctx,
buf, bufSz, WOLFSSH_FORMAT_ASN1) < 0) {
if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, buf, bufSz,
WOLFSSH_FORMAT_ASN1) < 0) {
fprintf(stderr, "Couldn't use key buffer.\n");
exit(EXIT_FAILURE);
}

10
keys/include.am
View File

@ -4,8 +4,14 @@
EXTRA_DIST+= \
keys/server-key.der \
keys/server-key.pem \
keys/server-key-ecc.der \
keys/server-key-ecc.pem \
keys/server-key-ecc-384.der \
keys/server-key-ecc-384.pem \
keys/server-key-ecc-521.der \
keys/server-key-ecc-521.pem \
keys/server-key-rsa.der \
keys/server-key-rsa.pem \
keys/key-hansel.pem \
keys/key-gretel.pem \
keys/publickeys.txt \

BIN
keys/server-key-ecc-384.der 100644
View File

Binary file not shown.

11
keys/server-key-ecc-384.pem 100644
View File

@ -0,0 +1,11 @@
ASN1 OID: secp384r1
NIST CURVE: P-384
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA+rdK7vwWnvjo/fCgVEoneW7NkTXARdh21byoDYvumT5jmT/mG3E+4
79sta42lcUKgBwYFK4EEACKhZANiAAQ41ivkGP9XP9DgINSIdsThEh37LW6+5Ild
dyQxbUaiMQWHPymG1ccSgDpvRxq4aFDrBj4QiWE0nPi0xqTPXpe9flHpdePpIXJh
UG65zzxJPT64jUZ7XyfrqyFhwABm/r0=
-----END EC PRIVATE KEY-----

BIN
keys/server-key-ecc-521.der 100644
View File

Binary file not shown.

12
keys/server-key-ecc-521.pem 100644
View File

@ -0,0 +1,12 @@
ASN1 OID: secp521r1
NIST CURVE: P-521
-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIATKTYZCjZQA57LfORLrmWwZWJUEOvkuht5wrk30byKikaa7J0iq6C
WA32w59Js+2C8XiezhtlfUVDjP8VZTQ1RXWgBwYFK4EEACOhgYkDgYYABAH40KfD
xY2EGVeWnyE6lPPaVQ7fdtjdFxUx81uwaci8MA1vazfRgEapcX8sb1lRnIJwlbKa
YxMwYhjCNXaUAND5bQAKGTujRmUr60CamkXFl6Ptky3Vqq6Wvy8xflp6x0WLPGzb
qpDDVTgs383Kc3fZLrIKXox0I3ylo0Wxnj8aIpCxVA==
-----END EC PRIVATE KEY-----

BIN
keys/server-key-ecc.der 100644
View File

Binary file not shown.

10
keys/server-key-ecc.pem 100644
View File

@ -0,0 +1,10 @@
ASN1 OID: prime256v1
NIST CURVE: P-256
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGEJmQt50l8oWg9dFcyhVlT5KzmHIS2nfYV7uH84xm3VoAoGCCqGSM49
AwEHoUQDQgAEgRP/pCu3nEV0eoNMYfM/rSbPIs2po7ylYbR85mLUwvdVQ5ox+4AR
ILUSSyT1eNf9Iu9GNfAFWGtfY8jaG8T1aQ==
-----END EC PRIVATE KEY-----

0
keys/server-key.der → keys/server-key-rsa.der
View File

0
keys/server-key.pem → keys/server-key-rsa.pem
View File

803
src/internal.c
View File

File diff suppressed because it is too large Load Diff

70
src/ssh.c
View File

@ -31,8 +31,6 @@
#include <wolfssh/ssh.h>
#include <wolfssh/internal.h>
#include <wolfssh/log.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/wc_port.h>
#ifdef NO_INLINE
@ -459,74 +457,6 @@ void* wolfSSH_GetUserAuthCtx(WOLFSSH* ssh)
}
static int ProcessBuffer(WOLFSSH_CTX* ctx, const uint8_t* in, uint32_t inSz,
int format, int type)
{
int dynamicType;
void* heap;
uint8_t* der;
uint32_t derSz;
if (ctx == NULL || in == NULL || inSz == 0)
return WS_BAD_ARGUMENT;
if (format != WOLFSSH_FORMAT_ASN1 && format != WOLFSSH_FORMAT_PEM &&
format != WOLFSSH_FORMAT_RAW)
return WS_BAD_FILETYPE_E;
if (type == BUFTYPE_CA)
dynamicType = DYNTYPE_CA;
else if (type == BUFTYPE_CERT)
dynamicType = DYNTYPE_CERT;
else if (type == BUFTYPE_PRIVKEY)
dynamicType = DYNTYPE_PRIVKEY;
else
return WS_BAD_ARGUMENT;
heap = ctx->heap;
if (format == WOLFSSH_FORMAT_PEM)
return WS_UNIMPLEMENTED_E;
else {
/* format is ASN1 or RAW */
der = (uint8_t*)WMALLOC(inSz, heap, dynamicType);
if (der == NULL)
return WS_MEMORY_E;
WMEMCPY(der, in, inSz);
derSz = inSz;
}
/* Maybe decrypt */
if (type == BUFTYPE_PRIVKEY) {
if (ctx->privateKey)
WFREE(ctx->privateKey, heap, dynamicType);
ctx->privateKey = der;
ctx->privateKeySz = derSz;
}
else {
WFREE(der, heap, dynamicType);
return WS_UNIMPLEMENTED_E;
}
if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) {
/* Check RSA key */
RsaKey key;
uint32_t scratch = 0;
if (wc_InitRsaKey(&key, NULL) < 0)
return WS_RSA_E;
if (wc_RsaPrivateKeyDecode(der, &scratch, &key, derSz) < 0)
return WS_BAD_FILE_E;
wc_FreeRsaKey(&key);
}
return WS_SUCCESS;
}
int wolfSSH_CTX_SetBanner(WOLFSSH_CTX* ctx,
const char* newBanner)
{

4
wolfssh/error.h
View File

@ -68,7 +68,9 @@ enum WS_ErrorCodes {
WS_INVALID_USERNAME = -28,
WS_CRYPTO_FAILED = -29, /* crypto action failed */
WS_INVALID_STATE_E = -30,
WS_REKEYING = -31
WS_REKEYING = -31,
WS_INVALID_PRIME_CURVE = -32,
WS_ECC_E = -33
};

15
wolfssh/internal.h
View File

@ -31,7 +31,6 @@
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/hash.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/dh.h>
#include <wolfssl/wolfcrypt/aes.h>
@ -73,9 +72,15 @@ enum {
ID_DH_GROUP1_SHA1,
ID_DH_GROUP14_SHA1,
ID_DH_GEX_SHA256,
ID_ECDH_SHA2_NISTP256,
ID_ECDH_SHA2_NISTP384,
ID_ECDH_SHA2_NISTP521,
/* Public Key IDs */
ID_SSH_RSA,
ID_ECDSA_SHA2_NISTP256,
ID_ECDSA_SHA2_NISTP384,
ID_ECDSA_SHA2_NISTP521,
/* UserAuth IDs */
ID_USERAUTH_PASSWORD,
@ -155,6 +160,7 @@ struct WOLFSSH_CTX {
uint8_t* privateKey; /* Owned by CTX */
uint32_t privateKeySz;
uint8_t useEcc; /* Depends on the private key */
uint32_t highwaterMark;
const char* banner;
uint32_t bannerSz;
@ -191,7 +197,8 @@ typedef struct HandshakeInfo {
Keys clientKeys;
Keys serverKeys;
wc_HashAlg hash;
uint8_t e[257]; /* May have a leading zero, for unsigned. */
uint8_t e[257]; /* May have a leading zero, for unsigned, or
* it is a nistp521 Q_S value. */
uint32_t eSz;
uint8_t* serverKexInit;
uint32_t serverKexInitSz;
@ -251,7 +258,7 @@ struct WOLFSSH {
Buffer inputBuffer;
Buffer outputBuffer;
RNG* rng;
WC_RNG* rng;
uint8_t h[WC_MAX_DIGEST_SIZE];
uint32_t hSz;
@ -299,6 +306,8 @@ WOLFSSH_LOCAL void ChannelDelete(WOLFSSH_CHANNEL*, void*);
WOLFSSH_LOCAL WOLFSSH_CHANNEL* ChannelFind(WOLFSSH*, uint32_t, uint8_t);
WOLFSSH_LOCAL int ChannelRemove(WOLFSSH*, uint32_t, uint8_t);
WOLFSSH_LOCAL int ChannelPutData(WOLFSSH_CHANNEL*, uint8_t*, uint32_t);
WOLFSSH_LOCAL int ProcessBuffer(WOLFSSH_CTX*, const uint8_t*, uint32_t,
int, int);
#ifndef WOLFSSH_USER_IO