diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 823053d..8bc6712 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -1105,6 +1105,12 @@ static int load_file(const char* fileName, byte* buf, word32 bufSz) } #endif /* NO_FILESYSTEM */ +#ifdef HAVE_ECC521 + #define ECC_PATH "./keys/server-key-ecc-521.der" +#else + #define ECC_PATH "./keys/server-key-ecc.der" +#endif + /* returns buffer size on success */ static int load_key(byte isEcc, byte* buf, word32 bufSz) { @@ -1112,8 +1118,7 @@ static int load_key(byte isEcc, byte* buf, word32 bufSz) #ifndef NO_FILESYSTEM const char* bufName; - bufName = isEcc ? "./keys/server-key-ecc.der" : - "./keys/server-key-rsa.der" ; + bufName = isEcc ? ECC_PATH : "./keys/server-key-rsa.der" ; sz = load_file(bufName, buf, bufSz); #else /* using buffers instead */ diff --git a/src/internal.c b/src/internal.c index 3950f32..dbfba06 100644 --- a/src/internal.c +++ b/src/internal.c @@ -130,13 +130,13 @@ Flags: #if defined(NO_DH) || defined(NO_SHA256) #define WOLFSSH_NO_DH_GEX_SHA256 #endif -#if !defined(HAVE_ECC) || defined(NO_SHA256) +#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256) #define WOLFSSH_NO_ECDH_SHA2_NISTP256 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) +#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) #define WOLFSSH_NO_ECDH_SHA2_NISTP384 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) +#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) #define WOLFSSH_NO_ECDH_SHA2_NISTP521 #endif #if !defined(HAVE_ED25519) || defined(NO_SHA256) 
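Review bot: The `ECC_PATH` selection prefers the P-521 key whenever `HAVE_ECC521` is defined, even in builds that also have P-256, while the fixture selection added to tests/api.c in this same commit checks `NO_ECC256` first and only falls back to the larger curves. The example server and the API test can therefore use different host key curves in the same build, and there is no P-384 path here. If that is intended, a comment above the block should say so, e.g. `/* Host key curve: P-521 when HAVE_ECC521 is set, otherwise P-256. */`. The `#else /* using buffers instead */` branch of `load_key` lies outside this hunk, so confirm that its built-in key follows the same choice.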
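Review bot: The three ECDH conditions now depend on per-curve macros (`NO_ECC256`, `HAVE_ECC384`, `HAVE_ECC521`), but nothing next to them says so; the hunk header places these lines under the file's `Flags:` comment, which starts outside the hunk. A build that lacks one of these macros silently drops that key exchange from what is offered, so the dependency deserves a line there, e.g. `/* WOLFSSH_NO_ECDH_SHA2_NISTP384: set when ECC, SHA-384 or the P-384 curve (HAVE_ECC384) is not available */`. The ECDSA conditions in the `@@ -145,13` hunk change in the same way and need the same comment. It would also help to state that P-256 is opt-out (`NO_ECC256`) while P-384 and P-521 are opt-in, since that asymmetry decides which algorithms a given configuration negotiates.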
@@ -145,13 +145,13 @@ Flags: #if defined(NO_RSA) || defined(NO_SHA) #define WOLFSSH_NO_SSH_RSA_SHA1 #endif -#if !defined(HAVE_ECC) || defined(NO_SHA256) +#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256) #define WOLFSSH_NO_ECDSA_SHA2_NISTP256 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) +#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) #define WOLFSSH_NO_ECDSA_SHA2_NISTP384 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) +#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) #define WOLFSSH_NO_ECDSA_SHA2_NISTP521 #endif #if defined(NO_AES) || !defined(HAVE_AES_CBC) @@ -1995,7 +1995,7 @@ static int GetNameList(byte* idList, word32* idListSz, static const byte cannedEncAlgo[] = { #ifndef WOLFSSH_NO_AES_GCM - ID_AES128_GCM, + ID_AES128_GCM, #endif #ifndef WOLFSSH_NO_AES_CTR ID_AES128_CTR, 
@@ -2016,17 +2016,47 @@ static const byte cannedMacAlgo[] = { ID_HMAC_SHA1, #endif }; -static const byte cannedKeyAlgoClient[] = {ID_ECDSA_SHA2_NISTP256, ID_SSH_RSA}; + +static const byte cannedKeyAlgoClient[] = { +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521 + ID_ECDSA_SHA2_NISTP521, +#endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384 + ID_ECDSA_SHA2_NISTP384, +#endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 + ID_ECDSA_SHA2_NISTP256, +#endif +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 + ID_SSH_RSA, +#endif +}; + #ifndef WOLFSSH_NO_SSH_RSA_SHA1 static const byte cannedKeyAlgoRsa[] = {ID_SSH_RSA}; static const word32 cannedKeyAlgoRsaSz = sizeof(cannedKeyAlgoRsa); #endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 static const byte cannedKeyAlgoEcc256[] = {ID_ECDSA_SHA2_NISTP256}; +static const word32 cannedKeyAlgoEcc256Sz = sizeof(cannedKeyAlgoEcc256); +#endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384 static const byte cannedKeyAlgoEcc384[] = {ID_ECDSA_SHA2_NISTP384}; +static const word32 cannedKeyAlgoEcc384Sz = sizeof(cannedKeyAlgoEcc384); +#endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521 static const byte cannedKeyAlgoEcc521[] = {ID_ECDSA_SHA2_NISTP521}; +static const word32 cannedKeyAlgoEcc521Sz = sizeof(cannedKeyAlgoEcc521); +#endif static const byte cannedKexAlgo[] = { +#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521 + ID_ECDH_SHA2_NISTP521, +#endif +#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384 + ID_ECDH_SHA2_NISTP384, +#endif #ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 ID_ECDH_SHA2_NISTP256, #endif 
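Review bot: `cannedKeyAlgoClient[]` and `cannedKexAlgo[]` now list the curves largest first, and the comma-separated strings `cannedKeyAlgoClientNames` and `cannedKexAlgoNames` edited later in this commit repeat the same lists, yet no comment ties each array to its string. I would add above each array something like `/* Preference order; keep entries and guards identical to cannedKeyAlgoClientNames. */`, because a guard that differs between the two leaves the ID list and the advertised names out of step. Separately, if every guard inside one of these initializers is compiled out, the brace list is empty, which standard C before C23 does not allow. The "at least one algorithm" checks next to the name strings are the natural place to reject that configuration.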
@@ -2044,9 +2074,6 @@ static const byte cannedKexAlgo[] = { static const word32 cannedEncAlgoSz = sizeof(cannedEncAlgo); static const word32 cannedMacAlgoSz = sizeof(cannedMacAlgo); static const word32 cannedKeyAlgoClientSz = sizeof(cannedKeyAlgoClient); -static const word32 cannedKeyAlgoEcc256Sz = sizeof(cannedKeyAlgoEcc256); -static const word32 cannedKeyAlgoEcc384Sz = sizeof(cannedKeyAlgoEcc384); -static const word32 cannedKeyAlgoEcc521Sz = sizeof(cannedKeyAlgoEcc521); static const word32 cannedKexAlgoSz = sizeof(cannedKexAlgo); 
@@ -6162,92 +6189,100 @@ static INLINE void CopyNameList(byte* buf, word32* idx, static const char cannedEncAlgoNames[] = #if !defined(WOLFSSH_NO_AES_GCM) - "aes128-gcm@openssh.com" -#endif -#if !defined(WOLFSSH_NO_AES_GCM) && !defined(WOLFSSH_NO_AES_CTR) - "," + "aes128-gcm@openssh.com," #endif #if !defined(WOLFSSH_NO_AES_CTR) - "aes128-ctr" -#endif -#if (!defined(WOLFSSH_NO_AES_GCM) || !defined(WOLFSSH_NO_AES_CTR)) && \ - !defined(WOLFSSH_NO_AES_CBC) - "," + "aes128-ctr," #endif #if !defined(WOLFSSH_NO_AES_CBC) - "aes128-cbc" + "aes128-cbc," #endif - ; + ""; #if defined(WOLFSSH_NO_AES_GCM) && defined(WOLFSSH_NO_AES_CTR) && \ defined(WOLFSSH_NO_AES_CBC) -#warning "You need at least one of AES-GCM, AES-CTR or AES-CBC." +#warning "You need at least one encryption algorithm." #endif static const char cannedMacAlgoNames[] = #if !defined(WOLFSSH_NO_HMAC_SHA2_256) - "hmac-sha2-256" -#endif -#if !defined(WOLFSSH_NO_HMAC_SHA2_256) && !defined(WOLFSSH_NO_HMAC_SHA1_96) - "," + "hmac-sha2-256," #endif #if !defined(WOLFSSH_NO_HMAC_SHA1_96) - "hmac-sha1-96" -#endif -#if (!defined(WOLFSSH_NO_HMAC_SHA2_256) || !defined(WOLFSSH_NO_HMAC_SHA1_96)) \ - && !defined(WOLFSSH_NO_HMAC_SHA1) - "," + "hmac-sha1-96," #endif #if !defined(WOLFSSH_NO_HMAC_SHA1) - "hmac-sha1" + "hmac-sha1," #endif - ; -#if defined(WOLFSSH_NO_HMAC_SHA2_256) && defined(WOLFSSH_NO_HMAC_SHA1_96)\ - && defined(WOLFSSH_NO_HMAC_SHA1) - #warning "You need at least one of HMAC-SHA2-256, HMAC-SHA1-96 or HMAC-SHA1" + ""; +#if defined(WOLFSSH_NO_HMAC_SHA2_256) && \ + defined(WOLFSSH_NO_HMAC_SHA1_96) && \ + defined(WOLFSSH_NO_HMAC_SHA1) + #warning "You need at least one MAC algorithm." 
+#endif + +static const char cannedKeyAlgoClientNames[] = +#ifndef WOLFSSL_NO_ECDSA_SHA2_NISTP521 + "ecdsa-sha2-nistp521," +#endif +#ifndef WOLFSSL_NO_ECDSA_SHA2_NISTP384 + "ecdsa-sha2-nistp384," +#endif +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 + "ecdsa-sha2-nistp256," +#endif +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 + "ssh-rsa," +#endif + ""; +#if defined(WOLFSSH_NO_ECDSA_SHA2_NISTP256) && \ + defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384) && \ + defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521) && \ + defined(WOLFSSH_NO_SSH_RSA_SHA2) + #warning "You need at least one signing algorithm." #endif -static const char cannedKeyAlgoClientNames[] = "ecdsa-sha2-nistp256,ssh-rsa"; static const char cannedKeyAlgoRsaNames[] = "ssh-rsa"; static const char cannedKeyAlgoEcc256Names[] = "ecdsa-sha2-nistp256"; static const char cannedKeyAlgoEcc384Names[] = "ecdsa-sha2-nistp384"; static const char cannedKeyAlgoEcc521Names[] = "ecdsa-sha2-nistp521"; + static const char cannedKexAlgoNames[] = -#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) - "ecdh-sha2-nistp256" +#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP521) + "ecdh-sha2-nistp521," #endif -#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && !defined(WOLFSSH_NO_DH_GEX_SHA256) - "," +#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) + "ecdh-sha2-nistp384," +#endif +#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) + "ecdh-sha2-nistp256," #endif #if !defined(WOLFSSH_NO_DH_GEX_SHA256) - "diffie-hellman-group-exchange-sha256" -#endif -#if (!defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) || !defined(WOLFSSH_NO_DH_GEX_SHA256))\ - && !defined(WOLFSSH_NO_DH_GROUP14_SHA1) - "," + "diffie-hellman-group-exchange-sha256," #endif #if !defined(WOLFSSH_NO_DH_GROUP14_SHA1) - "diffie-hellman-group14-sha1" -#endif -#if (!defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) || !defined(WOLFSSH_NO_DH_GEX_SHA256) \ - || !defined(WOLFSSH_NO_DH_GROUP14_SHA1)) && !defined(WOLFSSH_NO_DH_GROUP1_SHA1) - "," + "diffie-hellman-group14-sha1," #endif #if !defined(WOLFSSH_NO_DH_GROUP1_SHA1) - "diffie-hellman-group1-sha1" + 
"diffie-hellman-group1-sha1," #endif - ; /* This is a little awkward. */ -#if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && defined(WOLFSSH_NO_DH_GEX_SHA256)\ - && defined(WOLFSSH_NO_DH_GROUP14_SHA1) && defined(WOLFSSH_NO_DH_GROUP1_SHA1) - #warning "You need at least one of ECDH-SHA2-NISTP256, DH-GEX-SHA256, " - "DH-GROUP14-SHA1 or DH-GROUP1-SHA1" + ""; + +#if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \ + defined(WOLFSSH_NO_DH_GEX_SHA256) && \ + defined(WOLFSSH_NO_DH_GROUP14_SHA1) && \ + defined(WOLFSSH_NO_DH_GROUP1_SHA1) && \ + defined(WOLFSSH_NO_ECDH_SHA2_NISTP521) && \ + defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) + #warning "You need at least one key exchange algorithm." #endif static const char cannedNoneNames[] = "none"; -static const word32 cannedEncAlgoNamesSz = sizeof(cannedEncAlgoNames) - 1; -static const word32 cannedMacAlgoNamesSz = sizeof(cannedMacAlgoNames) - 1; +/* -1 for the null, some are -1 for the comma */ +static const word32 cannedEncAlgoNamesSz = sizeof(cannedEncAlgoNames) - 2; +static const word32 cannedMacAlgoNamesSz = sizeof(cannedMacAlgoNames) - 2; static const word32 cannedKeyAlgoClientNamesSz = - sizeof(cannedKeyAlgoClientNames) - 1; + sizeof(cannedKeyAlgoClientNames) - 2; static const word32 cannedKeyAlgoRsaNamesSz = sizeof(cannedKeyAlgoRsaNames) - 1; static const word32 cannedKeyAlgoEcc256NamesSz = sizeof(cannedKeyAlgoEcc256Names) - 1; @@ -6255,7 +6290,7 @@ static const word32 cannedKeyAlgoEcc384NamesSz = sizeof(cannedKeyAlgoEcc384Names) - 1; static const word32 cannedKeyAlgoEcc521NamesSz = sizeof(cannedKeyAlgoEcc521Names) - 1; -static const word32 cannedKexAlgoNamesSz = sizeof(cannedKexAlgoNames) - 1; +static const word32 cannedKexAlgoNamesSz = sizeof(cannedKexAlgoNames) - 2; static const word32 cannedNoneNamesSz = sizeof(cannedNoneNames) - 1; diff --git a/tests/api.c b/tests/api.c index 3e6b63d..6fe21c5 100644 --- a/tests/api.c +++ b/tests/api.c 
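Review bot: In `cannedKeyAlgoClientNames` the first two guards test `WOLFSSL_NO_ECDSA_SHA2_NISTP521` and `WOLFSSL_NO_ECDSA_SHA2_NISTP384`, spelled with an L where every other guard in this commit has an H, so unless those names are defined somewhere outside this diff they are never set and both names are always compiled in. The ID array `cannedKeyAlgoClient[]` in the `@@ -2016,17` hunk uses the `WOLFSSH_` spellings, so a build without P-384 or P-521 would offer host key algorithms in the name list that its ID list does not contain. The guards should read `#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521` and `#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384`. The warning condition below them tests `WOLFSSH_NO_SSH_RSA_SHA2`, while the macro defined earlier in this file is `WOLFSSH_NO_SSH_RSA_SHA1`, so that warning probably cannot fire either.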
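Review bot: `sizeof(cannedKexAlgoNames) - 2` assumes the string holds at least one name followed by a comma; when every key exchange is compiled out the literal is `""`, `sizeof` is 1, and the subtraction wraps to 0xFFFFFFFF once stored in a `word32`. The same holds for `cannedEncAlgoNamesSz`, `cannedMacAlgoNamesSz` and `cannedKeyAlgoClientNamesSz` in the previous hunk. Those empty configurations only raise a `#warning`, so the build continues with a length that would run far past the string wherever it is used as a copy size (the uses are outside this diff). Turning each of the four checks into an error, e.g. `#error "You need at least one key exchange algorithm."`, removes the case. The comment `/* -1 for the null, some are -1 for the comma */` could also name which sizes drop the trailing comma.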
@@ -462,11 +462,33 @@ enum WS_TestFormatTypes { }; +#ifndef NO_ECC256 static const char serverKeyEccDer[] = "307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85" "7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c" "45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011" "20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569"; +static const int serverKeyEccCurveId = ECC_SECP256R1; +#elif defined(HAVE_ECC384) +static const char serverKeyEccDer[] = + "3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d" + "b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400" + "22a1640362000438d62be418ff573fd0e020d48876c4e1121dfb2d6ebee4895d" + "7724316d46a23105873f2986d5c712803a6f471ab86850eb063e108961349cf8" + "b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab" + "2161c00066febd"; +static const int serverKeyEccCurveId = ECC_SECP384R1; +#elif defined(HAVE_ECC521) +static const char serverKeyEccDer[] = + "3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8" + "6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d" + "45438cff156534354575a00706052b81040023a18189038186000401f8d0a7c3" + "c58d841957969f213a94f3da550edf76d8dd171531f35bb069c8bc300d6f6b37" + "d18046a9717f2c6f59519c827095b29a6313306218c235769400d0f96d000a19" + "3ba346652beb409a9a45c597a3ed932dd5aaae96bf2f317e5a7ac7458b3c6cdb" + "aa90c355382cdfcdca7377d92eb20a5e8c74237ca5a345b19e3f1a2290b154"; +static const int serverKeyEccCurveId = ECC_SECP521R1; +#endif static const char serverKeyRsaDer[] = "308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec" @@ -569,7 +591,7 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) TEST_GOOD_FORMAT_ASN1)); AssertNotNull(ctx->privateKey); AssertIntNE(0, ctx->privateKeySz); - AssertIntEQ(ECC_SECP256R1, ctx->useEcc); + AssertIntEQ(serverKeyEccCurveId, ctx->useEcc); #ifndef NO_RSA lastKey = ctx->privateKey;
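Review bot: The `#ifndef NO_ECC256` / `#elif defined(HAVE_ECC384)` / `#elif defined(HAVE_ECC521)` chain has no final branch, so a build with `NO_ECC256` set and neither larger curve enabled leaves `serverKeyEccDer` and `serverKeyEccCurveId` undeclared. `test_wolfSSH_CTX_UsePrivateKey_buffer` in the `@@ -569,7` hunk then uses `serverKeyEccCurveId`, and whether that use sits under an ECC guard is not visible here. I would end the chain with an `#else` that defines a skip macro and test it around the ECC assertions, so that configuration compiles and skips the ECC checks. Each hex blob would also benefit from a one-line comment naming the key file it was taken from, so the fixtures can be checked against the files the example server loads.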