WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #298 from ejohnstown/options 

More Options
pull/318/head
JacobBarthelmeh 2021-02-03 04:13:34 +07:00 committed by GitHub
parent ae0c5efb2f bbd3d76291
commit 52c60faa8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 226 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
examples/echoserver/echoserver.c
View File

@ -1610,6 +1610,11 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
userEcc = 1;
peerEcc = 1;
#endif
#ifndef HAVE_ECC
/* If wolfCrypt isn't built with ECC, force ECC off. */
userEcc = 0;
peerEcc = 0;
#endif
if (wolfSSH_Init() != WS_SUCCESS) {
fprintf(stderr, "Couldn't initialize wolfSSH.\n");

12
src/agent.c
View File

@ -379,7 +379,7 @@ static int PostUnlock(WOLFSSH_AGENT_CTX* agent,
}
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
byte keyType, byte* key, word32 keySz,
word32 nSz, word32 eSz, word32 dSz,
@ -461,6 +461,7 @@ static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
#endif
#ifndef WOLFSSH_NO_ECDSA
static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
byte keyType, byte* key, word32 keySz,
word32 curveNameSz, word32 qSz, word32 dSz,
@ -527,6 +528,7 @@ static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
WLOG_LEAVE(ret);
return ret;
}
#endif
static int PostRemoveId(WOLFSSH_AGENT_CTX* agent,
@ -669,7 +671,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
int sigSz = sizeof(sig);
if (cur->keyType == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
WOLFSSH_AGENT_KEY_RSA* key;
RsaKey rsa;
byte encSig[MAX_ENCODED_SIG_SZ];
@ -714,6 +716,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
#endif
}
else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) {
#ifndef WOLFSSH_NO_ECDSA
WOLFSSH_AGENT_KEY_ECDSA* key;
ecc_key ecc;
enum wc_HashType hashType = WC_HASH_TYPE_SHA256;
@ -764,6 +767,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
wc_ecc_free(&ecc);
if (ret != 0)
ret = WS_ECC_E;
#endif
}
else
ret = WS_INVALID_ALGO_ID;
@ -946,7 +950,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
begin += sz;
if (keyType == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
byte* key;
byte* scratch;
word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz;
@ -993,6 +997,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
else if (keyType == ID_ECDSA_SHA2_NISTP256 ||
keyType == ID_ECDSA_SHA2_NISTP384 ||
keyType == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
byte* key;
byte* scratch;
word32 keySz, curveNameSz, qSz, dSz, commentSz;
@ -1021,6 +1026,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
ret = PostAddEcdsaId(agent, keyType, key, keySz,
curveNameSz, qSz, dSz, commentSz);
}
#endif
}
else {
ret = WS_PARSE_E;

136
src/internal.c
View File

@ -85,9 +85,15 @@ Flags:
WOLFSSH_NO_ECDH_SHA2_ED25519
Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key
exchange with prime ED25519. (It just decodes the ID for output.)
WOLFSSH_NO_RSA
Set when RSA is disabled. Set to disable use of RSA server and user
authentication.
WOLFSSH_NO_SSH_RSA_SHA1
Set when RSA or SHA1 are disabled. Set to disable use of RSA server
authentication.
WOLFSSH_NO_ECDSA
Set when ECC is disabled. Set to disable use of ECDSA server and user
authentication.
WOLFSSH_NO_ECDSA_SHA2_NISTP256
Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server
authentication with prime NISTP256.
@ -113,6 +119,10 @@ Flags:
Set when all DH algorithms are disabled. Set to disable use of all DH
algorithms for key agreement. Setting this will force all DH key agreement
algorithms off.
WOLFSSH_NO_ECDH
Set when all ECDH algorithms are disabled. Set to disable use of all ECDH
algorithms for key agreement. Setting this will force all ECDH key agreement
algorithms off.
*/
@ -745,15 +755,17 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) {
/* Check RSA key */
union {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
RsaKey rsa;
#endif
#ifndef WOLFSSH_NO_ECDSA
ecc_key ecc;
#endif
} key;
word32 scratch = 0;
int ret;
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
if (wc_InitRsaKey(&key.rsa, NULL) < 0)
return WS_RSA_E;
@ -762,6 +774,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (ret < 0) {
#endif
#ifndef WOLFSSH_NO_ECDSA
/* Couldn't decode as RSA key. Try decoding as ECC key. */
scratch = 0;
if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0)
@ -784,7 +797,8 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (ret != 0)
return WS_BAD_FILE_E;
#ifndef NO_RSA
#endif
#ifndef WOLFSSH_NO_RSA
}
#endif
}
@ -2224,29 +2238,19 @@ static INLINE int wcPrimeForId(byte id)
return ECC_CURVE_INVALID;
}
}
#ifndef WOLFSSH_NO_ECDSA
static INLINE const char *PrimeNameForId(byte id)
{
switch (id) {
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
case ID_ECDH_SHA2_NISTP256:
return "nistp256";
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
case ID_ECDSA_SHA2_NISTP256:
return "nistp256";
#endif
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384
case ID_ECDH_SHA2_NISTP384:
return "nistp384";
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
case ID_ECDSA_SHA2_NISTP384:
return "nistp384";
#endif
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521
case ID_ECDH_SHA2_NISTP521:
return "nistp521";
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
case ID_ECDSA_SHA2_NISTP521:
return "nistp521";
@ -2255,6 +2259,7 @@ static INLINE const char *PrimeNameForId(byte id)
return "unknown";
}
}
#endif
static INLINE byte AeadModeForId(byte id)
@ -2770,12 +2775,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
byte useRsa;
word32 keySz;
union {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
struct {
RsaKey key;
} rsa;
#endif
#ifdef HAVE_ECC
#ifndef WOLFSSH_NO_ECDSA
struct {
ecc_key key;
} ecc;
@ -2982,7 +2987,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA;
if (sigKeyBlock.useRsa) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
byte* e;
word32 eSz;
byte* n;
@ -3024,7 +3029,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif
}
else {
#ifdef HAVE_ECC
#ifndef WOLFSSH_NO_ECDSA
byte* q;
word32 qSz, pubKeyIdx = 0;
int primeId;
@ -3088,7 +3093,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif
}
else {
#ifdef HAVE_ECC
#ifndef WOLFSSH_NO_ECDH
ecc_key key;
ret = wc_ecc_init(&key);
#ifdef HAVE_WC_ECC_SET_RNG
@ -3169,7 +3174,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
}
if (ret == WS_SUCCESS) {
if (sigKeyBlock.useRsa) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
sig = sig + begin;
/* In the fuzz, sigSz ends up 1 and it has issues. */
sigSz = scratch;
@ -3201,7 +3206,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif
}
else {
#ifdef HAVE_ECC
#ifndef WOLFSSH_NO_ECDSA
byte* r;
byte* s;
word32 rSz, sSz, asnSigSz;
@ -3239,12 +3244,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
}
if (sigKeyBlock.useRsa) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key);
#endif
}
else {
#ifdef HAVE_ECC
#ifndef WOLFSSH_NO_ECDSA
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
#endif
}
@ -3463,7 +3468,6 @@ static int DoRequestSuccess(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
*idx = begin;
return ret;
}
static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
@ -3838,7 +3842,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
return ret;
}
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
/* Utility for DoUserAuthRequestPublicKey() */
/* returns negative for error, positive is size of digest. */
static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
@ -3961,6 +3965,7 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
#endif
#ifndef WOLFSSH_NO_ECDSA
/* Utility for DoUserAuthRequestPublicKey() */
/* returns negative for error, positive is size of digest. */
static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
@ -4107,8 +4112,10 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret);
return ret;
}
#endif
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
/* Utility for DoUserAuthRequest() */
static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
byte* buf, word32 len, word32* idx)
@ -4263,16 +4270,19 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
if (ret == WS_SUCCESS) {
if (pkTypeId == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
ret = DoUserAuthRequestRsa(ssh, pk,
hashId, digest, digestSz);
#endif
}
else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
pkTypeId == ID_ECDSA_SHA2_NISTP521)
pkTypeId == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
ret = DoUserAuthRequestEcc(ssh, pk,
hashId, digest, digestSz);
#endif
}
}
if (ret != WS_SUCCESS) {
@ -4289,6 +4299,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret);
return ret;
}
#endif
static int DoUserAuthRequest(WOLFSSH* ssh,
@ -4349,10 +4360,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
if (authNameId == ID_USERAUTH_PASSWORD)
ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
else if (authNameId == ID_USERAUTH_PUBLICKEY) {
authData.sf.publicKey.dataToSign = buf + *idx;
ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
}
#endif
#ifdef WOLFSSH_ALLOW_USERAUTH_NONE
else if (authNameId == ID_NONE) {
ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin);
@ -4409,9 +4422,11 @@ static int DoUserAuthFailure(WOLFSSH* ssh,
case ID_USERAUTH_PASSWORD:
authType |= WOLFSSH_USERAUTH_PASSWORD;
break;
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
case ID_USERAUTH_PUBLICKEY:
authType |= WOLFSSH_USERAUTH_PUBLICKEY;
break;
#endif
default:
break;
}
@ -5460,7 +5475,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
case ID_NONE:
break;
#ifdef HAVE_AES_CBC
#ifndef WOLFSSH_NO_AES_CBC
case ID_AES128_CBC:
if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
cipher, input, sz) < 0) {
@ -5470,7 +5485,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
break;
#endif
#ifdef WOLFSSL_AES_COUNTER
#ifndef WOLFSSH_NO_AES_CTR
case ID_AES128_CTR:
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes,
cipher, input, sz) < 0) {
@ -5504,7 +5519,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
case ID_NONE:
break;
#ifdef HAVE_AES_CBC
#ifndef WOLFSSH_NO_AES_CBC
case ID_AES128_CBC:
if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
plain, input, sz) < 0) {
@ -5514,7 +5529,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
break;
#endif
#ifdef WOLFSSL_AES_COUNTER
#ifndef WOLFSSH_NO_AES_CTR
case ID_AES128_CTR:
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes,
plain, input, sz) < 0) {
@ -6419,7 +6434,7 @@ int SendKexDhReply(WOLFSSH* ssh)
const char *name;
word32 nameSz;
union {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
struct {
RsaKey key;
byte e[257];
@ -6430,6 +6445,7 @@ int SendKexDhReply(WOLFSSH* ssh)
byte nPad;
} rsa;
#endif
#ifndef WOLFSSH_NO_ECDSA
struct {
ecc_key key;
word32 keyBlobSz;
@ -6441,6 +6457,7 @@ int SendKexDhReply(WOLFSSH* ssh)
const char *primeName;
word32 primeNameSz;
} ecc;
#endif
} sk;
} sigKeyBlock;
@ -6524,7 +6541,7 @@ int SendKexDhReply(WOLFSSH* ssh)
* either be RSA or ECDSA public key blob. */
if (ret == WS_SUCCESS) {
if (sigKeyBlock.useRsa) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
/* Decode the user-configured RSA private key. */
sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e);
sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n);
@ -6614,9 +6631,10 @@ int SendKexDhReply(WOLFSSH* ssh)
enmhashId,
sigKeyBlock.sk.rsa.n,
sigKeyBlock.sk.rsa.nSz);
#endif
#endif /* WOLFSSH_NO_SSH_RSA_SHA1 */
}
else {
#ifndef WOLFSSH_NO_ECDSA
sigKeyBlock.sk.ecc.primeName =
PrimeNameForId(ssh->handshake->pubKeyId);
sigKeyBlock.sk.ecc.primeNameSz =
@ -6686,6 +6704,7 @@ int SendKexDhReply(WOLFSSH* ssh)
enmhashId,
sigKeyBlock.sk.ecc.q,
sigKeyBlock.sk.ecc.qSz);
#endif
}
#ifndef WOLFSSH_NO_DH_GEX_SHA256
/* If using DH-GEX include the GEX specific values. */
@ -6929,6 +6948,7 @@ int SendKexDhReply(WOLFSSH* ssh)
#endif
}
else {
#ifndef WOLFSSH_NO_ECDSA
WLOG(WS_LOG_INFO, "Signing hash with ECDSA.");
sigSz = sizeof(sig);
ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId),
@ -6966,6 +6986,7 @@ int SendKexDhReply(WOLFSSH* ssh)
WMEMCPY(sig + idx, s, sSz);
}
}
#endif
}
}
}
@ -6976,7 +6997,9 @@ int SendKexDhReply(WOLFSSH* ssh)
#endif
}
else {
#ifndef WOLFSSH_NO_ECDSA
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
#endif
}
sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock.nameSz + sigSz;
@ -7022,6 +7045,7 @@ int SendKexDhReply(WOLFSSH* ssh)
#endif
}
else {
#ifndef WOLFSSH_NO_ECDSA
c32toa(sigKeyBlock.sk.ecc.primeNameSz, output + idx);
idx += LENGTH_SZ;
WMEMCPY(output + idx, sigKeyBlock.sk.ecc.primeName,
@ -7032,6 +7056,7 @@ int SendKexDhReply(WOLFSSH* ssh)
WMEMCPY(output + idx, sigKeyBlock.sk.ecc.q,
sigKeyBlock.sk.ecc.qSz);
idx += sigKeyBlock.sk.ecc.qSz;
#endif
}
/* Copy the server's public key. F for DE, or Q_S for ECDH. */
@ -7714,7 +7739,7 @@ typedef struct WS_KeySignature {
const char *name;
word32 nameSz;
union {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
struct {
RsaKey key;
byte e[256];
@ -7725,6 +7750,7 @@ typedef struct WS_KeySignature {
byte nPad;
} rsa;
#endif
#ifndef WOLFSSH_NO_ECDSA
struct {
ecc_key key;
word32 keyBlobSz;
@ -7736,12 +7762,17 @@ typedef struct WS_KeySignature {
const char *primeName;
word32 primeNameSz;
} ecc;
#endif
} ks;
} WS_KeySignature;
static const char cannedAuths[] = "publickey,password";
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 1;
static const char cannedAuths[] =
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
"publickey,"
#endif
"password,";
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 2;
/* Updates the payload size, and maybe loads keys. */
@ -7786,7 +7817,7 @@ static int BuildUserAuthRequestPassword(WOLFSSH* ssh,
}
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig)
{
@ -7942,6 +7973,7 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh,
#endif
#ifndef WOLFSSH_NO_ECDSA
static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig)
{
@ -8137,8 +8169,10 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
return ret;
}
#endif
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig)
{
@ -8162,14 +8196,17 @@ static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
}
if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig);
#endif
}
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521)
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig);
#endif
}
else
ret = WS_INVALID_ALGO_ID;
@ -8206,16 +8243,19 @@ static int BuildUserAuthRequestPublicKey(WOLFSSH* ssh,
if (pk->hasSignature) {
if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
ret = BuildUserAuthRequestRsa(ssh, output, &begin,
authData, sigStart, sigStartIdx, keySig);
#endif
}
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521)
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
ret = BuildUserAuthRequestEcc(ssh, output, &begin,
authData, sigStart, sigStartIdx, keySig);
#endif
}
}
else
ret = WS_INVALID_ALGO_ID;
@ -8232,14 +8272,18 @@ static void CleanupUserAuthRequestPublicKey(WS_KeySignature* keySig)
{
if (keySig != NULL) {
if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
wc_FreeRsaKey(&keySig->ks.rsa.key);
#endif
}
else
else {
#ifndef WOLFSSH_NO_ECDSA
wc_ecc_free(&keySig->ks.ecc.key);
#endif
}
}
}
#endif
int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig)
@ -8580,7 +8624,7 @@ int SendRequestSuccess(WOLFSSH *ssh, int success)
WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret);
return ret;
}
static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel,
byte* channelData, word32 channelDataSz)
{

14
src/ssh.c
View File

@ -726,7 +726,7 @@ int wolfSSH_connect(WOLFSSH* ssh)
}
if (ssh->handshake->kexId == ID_DH_GEX_SHA256) {
#ifndef NO_DH
#ifndef WOLFSSH_NO_DH
ssh->error = SendKexDhGexRequest(ssh);
#endif
}
@ -1436,10 +1436,12 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
else if (format == WOLFSSH_FORMAT_ASN1) {
byte* newKey;
union {
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
RsaKey rsa;
#endif
ecc_key ecc;
#ifndef WOLFSSH_NO_ECDSA
ecc_key ecc;
#endif
} testKey;
word32 scratch = 0;
@ -1456,7 +1458,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
}
*outSz = inSz;
WMEMCPY(newKey, in, inSz);
#ifndef NO_RSA
#ifndef WOLFSSH_NO_RSA
/* TODO: This is copied and modified from a function in src/internal.c.
This and that code should be combined into a single function. */
if (wc_InitRsaKey(&testKey.rsa, heap) < 0)
@ -1472,6 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
}
else {
#endif
#ifndef WOLFSSH_NO_ECDSA
byte curveId = ID_UNKNOWN;
/* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */
@ -1500,7 +1503,8 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
}
else
return WS_BAD_FILE_E;
#ifndef NO_RSA
#endif
#ifndef WOLFSSH_NO_RSA
}
#endif
}

59
tests/api.c
View File

@ -462,14 +462,14 @@ enum WS_TestFormatTypes {
};
#ifndef NO_ECC256
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
static const char serverKeyEccDer[] =
"307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85"
"7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c"
"45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011"
"20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569";
static const int serverKeyEccCurveId = ECC_SECP256R1;
#elif defined(HAVE_ECC384)
#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384)
static const char serverKeyEccDer[] =
"3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d"
"b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400"
@ -478,7 +478,7 @@ static const char serverKeyEccDer[] =
"b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab"
"2161c00066febd";
static const int serverKeyEccCurveId = ECC_SECP384R1;
#elif defined(HAVE_ECC521)
#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521)
static const char serverKeyEccDer[] =
"3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8"
"6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d"
@ -490,6 +490,7 @@ static const char serverKeyEccDer[] =
static const int serverKeyEccCurveId = ECC_SECP521R1;
#endif
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
static const char serverKeyRsaDer[] =
"308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec"
"ec8b831e9e429cca416ad38ae15234e00d13627ed40fae5c4d04f18dfac5ad77"
@ -529,20 +530,38 @@ static const char serverKeyRsaDer[] =
"731fba275c82f8ad311edef33772cb47d2cdf7f87f0039db8d2aca4ec1cee215"
"89d63a61ae9da230a585ae38ea4674dc023aace95fa3c6734f73819056c3ce77"
"5f5bba6c42f121";
#endif
static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
{
#ifndef WOLFSSH_NO_SERVER
WOLFSSH_CTX* ctx;
#ifdef HAVE_ECC
byte* eccKey;
word32 eccKeySz;
#endif
#ifndef NO_RSA
byte* rsaKey;
byte* lastKey;
word32 eccKeySz, rsaKeySz, lastKeySz;
word32 rsaKeySz;
#endif
byte* lastKey = NULL;
word32 lastKeySz = 0;
AssertIntEQ(0, ConvertHexToBin(serverKeyEccDer, &eccKey, &eccKeySz,
serverKeyRsaDer, &rsaKey, &rsaKeySz,
NULL, NULL, NULL, NULL, NULL, NULL));
#ifdef HAVE_ECC
AssertIntEQ(0,
ConvertHexToBin(serverKeyEccDer, &eccKey, &eccKeySz,
NULL, NULL, NULL,
NULL, NULL, NULL,
NULL, NULL, NULL));
#endif
#ifndef NO_RSA
AssertIntEQ(0,
ConvertHexToBin(serverKeyRsaDer, &rsaKey, &rsaKeySz,
NULL, NULL, NULL,
NULL, NULL, NULL,
NULL, NULL, NULL));
#endif
AssertNotNull(ctx = wolfSSH_CTX_new(WOLFSSH_ENDPOINT_SERVER, NULL));
AssertNull(ctx->privateKey);
@ -566,7 +585,7 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
/* Fail: ctx set, key set, others bad */
AssertIntNE(WS_SUCCESS,
wolfSSH_CTX_UsePrivateKey_buffer(ctx,
rsaKey, 0, TEST_BAD_FORMAT_NEXT));
lastKey, 0, TEST_BAD_FORMAT_NEXT));
AssertNull(ctx->privateKey);
AssertIntEQ(0, ctx->privateKeySz);
AssertIntEQ(0, ctx->useEcc);
@ -580,12 +599,16 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
/* Fail: ctx set, key set, keySz set, format invalid */
AssertIntNE(WS_SUCCESS, wolfSSH_CTX_UsePrivateKey_buffer(ctx,
rsaKey, rsaKeySz, TEST_GOOD_FORMAT_PEM));
lastKey, lastKeySz, TEST_GOOD_FORMAT_PEM));
AssertNull(ctx->privateKey);
AssertIntEQ(0, ctx->privateKeySz);
AssertIntEQ(0, ctx->useEcc);
/* Pass */
#ifdef HAVE_ECC
lastKey = ctx->privateKey;
lastKeySz = ctx->privateKeySz;
AssertIntEQ(WS_SUCCESS,
wolfSSH_CTX_UsePrivateKey_buffer(ctx, eccKey, eccKeySz,
TEST_GOOD_FORMAT_ASN1));
@ -593,24 +616,32 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
AssertIntNE(0, ctx->privateKeySz);
AssertIntEQ(serverKeyEccCurveId, ctx->useEcc);
AssertIntEQ(0, (lastKey == ctx->privateKey));
AssertIntNE(lastKeySz, ctx->privateKeySz);
#endif
#ifndef NO_RSA
lastKey = ctx->privateKey;
lastKeySz = ctx->privateKeySz;
AssertIntEQ(WS_SUCCESS,
wolfSSH_CTX_UsePrivateKey_buffer(ctx, rsaKey, rsaKeySz,
TEST_GOOD_FORMAT_ASN1));
AssertNotNull(ctx->privateKey);
AssertIntNE(0, ctx->privateKeySz);
AssertIntEQ(0, ctx->useEcc);
AssertIntEQ(0, (lastKey == ctx->privateKey));
AssertIntNE(lastKeySz, ctx->privateKeySz);
#else
(void)lastKey;
(void)lastKeySz;
#endif
wolfSSH_CTX_free(ctx);
FreeBins(eccKey, rsaKey, NULL, NULL);
#ifdef HAVE_ECC
FreeBins(eccKey, NULL, NULL, NULL);
#endif
#ifndef NO_RSA
FreeBins(rsaKey, NULL, NULL, NULL);
#endif
#endif /* WOLFSSH_NO_SERVER */
}

89
wolfssh/internal.h
View File

@ -66,13 +66,34 @@ extern "C" {
* the derived options and any override options leave wolfSSH without
* at least one algorithm to use, throw an error. */
#ifdef NO_RSA
#undef WOLFSSH_NO_RSA
#define WOLFSSH_NO_RSA
#endif
#ifndef HAVE_ECC
#undef WOLFSSH_NO_ECDSA
#define WOLFSSH_NO_ECDSA
#undef WOLFSSH_NO_ECDH
#define WOLFSSH_NO_ECDH
#endif
#ifdef NO_DH
#undef WOLFSSH_NO_DH
#define WOLFSSH_NO_DH
#endif
#if defined(NO_HMAC) || defined(NO_SHA)
#undef WOLFSSH_NO_HMAC_SHA1
#define WOLFSSH_NO_HMAC_SHA1
#endif
#if defined(NO_HMAC) || defined(NO_SHA)
#undef WOLFSSH_NO_HMAC_SHA1_96
#define WOLFSSH_NO_HMAC_SHA1_96
#endif
#if defined(NO_HMAC) || defined(NO_SHA256)
#undef WOLFSSH_NO_HMAC_SHA2_256
#define WOLFSSH_NO_HMAC_SHA2_256
#endif
#if defined(WOLFSSH_NO_HMAC_SHA1) && \
@ -82,35 +103,33 @@ extern "C" {
#endif
#ifdef WOLFSSH_NO_DH
#if defined(WOLFSSH_NO_DH) || defined(NO_SHA)
#undef WOLFSSH_NO_DH_GROUP1_SHA1
#define WOLFSSH_NO_DH_GROUP1_SHA1
#endif
#if defined(WOLFSSH_NO_DH) || defined(NO_SHA)
#undef WOLFSSH_NO_DH_GROUP14_SHA1
#define WOLFSSH_NO_DH_GROUP14_SHA1
#endif
#if defined(WOLFSSH_NO_DH) || defined(NO_SHA256)
#undef WOLFSSH_NO_DH_GEX_SHA256
#define WOLFSSH_NO_DH_GEX_SHA256
#endif
#if defined(NO_DH) || defined(NO_SHA)
#define WOLFSSH_NO_DH_GROUP1_SHA1
#endif
#if defined(NO_DH) || defined(NO_SHA)
#define WOLFSSH_NO_DH_GROUP14_SHA1
#endif
#if defined(NO_DH) || defined(NO_SHA256)
#define WOLFSSH_NO_DH_GEX_SHA256
#endif
#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256)
#if defined(WOLFSSH_NO_ECDH) || defined(NO_SHA256) || defined(NO_ECC256)
#undef WOLFSSH_NO_ECDH_SHA2_NISTP256
#define WOLFSSH_NO_ECDH_SHA2_NISTP256
#endif
#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
#undef WOLFSSH_NO_ECDH_SHA2_NISTP384
#define WOLFSSH_NO_ECDH_SHA2_NISTP384
#endif
#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
#undef WOLFSSH_NO_ECDH_SHA2_NISTP521
#define WOLFSSH_NO_ECDH_SHA2_NISTP521
#endif
#if !defined(HAVE_ED25519) || defined(NO_SHA256) || 1
/* ED25519 isn't supported yet. Force disabled. */
#undef WOLFSSH_NO_ECDH_SHA2_ED25519
#define WOLFSSH_NO_ECDH_SHA2_ED25519
#endif
@ -127,20 +146,33 @@ extern "C" {
#if defined(WOLFSSH_NO_DH_GROUP1_SHA1) && \
defined(WOLFSSH_NO_DH_GROUP14_SHA1) && \
defined(WOLFSSH_NO_DH_GEX_SHA256)
#undef WOLFSSH_NO_DH
#define WOLFSSH_NO_DH
#endif
#if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \
defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \
defined(WOLFSSH_NO_ECDH_SHA2_NISTP521)
#undef WOLFSSH_NO_ECDH
#define WOLFSSH_NO_ECDH
#endif
#if defined(NO_RSA) || defined(NO_SHA)
#if defined(WOLFSSH_NO_RSA) || defined(NO_SHA)
#undef WOLFSSH_NO_SSH_RSA_SHA1
#define WOLFSSH_NO_SSH_RSA_SHA1
#endif
#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256)
#if defined(WOLFSSH_NO_ECDSA) || \
defined(NO_SHA256) || defined(NO_ECC256)
#undef WOLFSSH_NO_ECDSA_SHA2_NISTP256
#define WOLFSSH_NO_ECDSA_SHA2_NISTP256
#endif
#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
#if defined(WOLFSSH_NO_ECDSA) || \
!defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
#undef WOLFSSH_NO_ECDSA_SHA2_NISTP384
#define WOLFSSH_NO_ECDSA_SHA2_NISTP384
#endif
#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
#if defined(WOLFSSH_NO_ECDSA) || \
!defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
#undef WOLFSSH_NO_ECDSA_SHA2_NISTP521
#define WOLFSSH_NO_ECDSA_SHA2_NISTP521
#endif
#if defined(WOLFSSH_NO_SHA_RSA_SHA1) && \
@ -150,6 +182,17 @@ extern "C" {
#error "You need at least one signing algorithm."
#endif
#ifdef WOLFSSH_NO_SHA_RSA_SHA1
#undef WOLFSSH_NO_RSA
#define WOLFSSH_NO_RSA
#endif
#if defined(WOLFSSH_NO_ECDSA_SHA2_NISTP256) && \
defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384) && \
defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521)
#undef WOLFSSH_NO_ECDSA
#define WOLFSSH_NO_ECDSA
#endif
#ifdef WOLFSSH_NO_AEAD
#undef WOLFSSH_NO_AES_GCM
@ -157,12 +200,15 @@ extern "C" {
#endif
#if defined(NO_AES) || !defined(HAVE_AES_CBC)
#undef WOLFSSH_NO_AES_CBC
#define WOLFSSH_NO_AES_CBC
#endif
#if defined(NO_AES) || !defined(WOLFSSL_AES_COUNTER)
#undef WOLFSSH_NO_AES_CTR
#define WOLFSSH_NO_AES_CTR
#endif
#if defined(NO_AES) || !defined(HAVE_AESGCM)
#undef WOLFSSH_NO_AES_GCM
#define WOLFSSH_NO_AES_GCM
#endif
@ -173,6 +219,7 @@ extern "C" {
#endif
#if defined(WOLFSSH_NO_AES_GCM)
#undef WOLFSSH_NO_AEAD
#define WOLFSSH_NO_AEAD
#endif
@ -386,7 +433,7 @@ typedef struct HandshakeInfo {
byte* kexInit;
word32 kexInitSz;
#ifndef NO_DH
#ifndef WOLFSSH_NO_DH
word32 dhGexMinSz;
word32 dhGexPreferredSz;
word32 dhGexMaxSz;
@ -398,7 +445,7 @@ typedef struct HandshakeInfo {
byte useEcc;
union {
#ifndef NO_DH
#ifndef WOLFSSH_NO_DH
DhKey dh;
#endif
ecc_key ecc;