From b7f073faa31112dbaf8f270a78cc585659707a49 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 13 Nov 2020 13:28:13 -0800 Subject: [PATCH 1/4] More Options 1. Added general disable flags for RSA and ECDSA. 2. Replaced HAVE_ECC, NO_RSA, NO_DSA with the general disable flags. --- src/agent.c | 12 +++-- src/internal.c | 106 +++++++++++++++++++++++++++++++-------------- src/ssh.c | 14 +++--- wolfssh/internal.h | 12 ++++- 4 files changed, 101 insertions(+), 43 deletions(-) diff --git a/src/agent.c b/src/agent.c index 31145dc..5ea7b87 100644 --- a/src/agent.c +++ b/src/agent.c @@ -379,7 +379,7 @@ static int PostUnlock(WOLFSSH_AGENT_CTX* agent, } -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent, byte keyType, byte* key, word32 keySz, word32 nSz, word32 eSz, word32 dSz, @@ -461,6 +461,7 @@ static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent, #endif +#ifndef WOLFSSH_NO_ECDSA static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent, byte keyType, byte* key, word32 keySz, word32 curveNameSz, word32 qSz, word32 dSz, @@ -527,6 +528,7 @@ static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent, WLOG_LEAVE(ret); return ret; } +#endif static int PostRemoveId(WOLFSSH_AGENT_CTX* agent, @@ -669,7 +671,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent, int sigSz = sizeof(sig); if (cur->keyType == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA WOLFSSH_AGENT_KEY_RSA* key; RsaKey rsa; byte encSig[MAX_ENCODED_SIG_SZ]; @@ -714,6 +716,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent, #endif } else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) { +#ifndef WOLFSSH_NO_ECDSA WOLFSSH_AGENT_KEY_ECDSA* key; ecc_key ecc; enum wc_HashType hashType = WC_HASH_TYPE_SHA256; @@ -764,6 +767,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent, wc_ecc_free(&ecc); if (ret != 0) ret = WS_ECC_E; +#endif } else ret = WS_INVALID_ALGO_ID; @@ -946,7 +950,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent, begin += sz; if (keyType == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA byte* key; byte* scratch; word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz; @@ -993,6 +997,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent, else if (keyType == ID_ECDSA_SHA2_NISTP256 || keyType == ID_ECDSA_SHA2_NISTP384 || keyType == ID_ECDSA_SHA2_NISTP521) { +#ifndef WOLFSSH_NO_ECDSA byte* key; byte* scratch; word32 keySz, curveNameSz, qSz, dSz, commentSz; @@ -1021,6 +1026,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent, ret = PostAddEcdsaId(agent, keyType, key, keySz, curveNameSz, qSz, dSz, commentSz); } +#endif } else { ret = WS_PARSE_E; diff --git a/src/internal.c b/src/internal.c index b3511cd..c744e1e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -85,9 +85,15 @@ Flags: WOLFSSH_NO_ECDH_SHA2_ED25519 Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key exchange with prime ED25519. (It just decodes the ID for output.) + WOLFSSH_NO_RSA + Set when RSA is disabled. Set to disable use of RSA server and user + authentication. WOLFSSH_NO_SSH_RSA_SHA1 Set when RSA or SHA1 are disabled. Set to disable use of RSA server authentication. + WOLFSSH_NO_ECDSA + Set when ECC is disabled. Set to disable use of ECDSA server and user + authentication. WOLFSSH_NO_ECDSA_SHA2_NISTP256 Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server authentication with prime NISTP256. @@ -745,15 +751,17 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx, if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) { /* Check RSA key */ union { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA RsaKey rsa; #endif +#ifndef WOLFSSH_NO_ECDSA ecc_key ecc; +#endif } key; word32 scratch = 0; int ret; -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA if (wc_InitRsaKey(&key.rsa, NULL) < 0) return WS_RSA_E; @@ -762,6 +770,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx, if (ret < 0) { #endif +#ifndef WOLFSSH_NO_ECDSA /* Couldn't decode as RSA key. Try decoding as ECC key. */ scratch = 0; if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0) @@ -784,7 +793,8 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx, if (ret != 0) return WS_BAD_FILE_E; -#ifndef NO_RSA +#endif +#ifndef WOLFSSH_NO_RSA } #endif } @@ -2770,12 +2780,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) byte useRsa; word32 keySz; union { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA struct { RsaKey key; } rsa; #endif -#ifdef HAVE_ECC +#ifndef WOLFSSH_NO_ECC struct { ecc_key key; } ecc; @@ -2982,7 +2992,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA; if (sigKeyBlock.useRsa) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA byte* e; word32 eSz; byte* n; @@ -3024,7 +3034,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifdef HAVE_ECC +#ifndef WOLFSSH_NO_ECDSA byte* q; word32 qSz, pubKeyIdx = 0; int primeId; @@ -3088,7 +3098,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifdef HAVE_ECC +#ifndef WOLFSSH_NO_ECDHE ecc_key key; ret = wc_ecc_init(&key); #ifdef HAVE_WC_ECC_SET_RNG @@ -3169,7 +3179,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) } if (ret == WS_SUCCESS) { if (sigKeyBlock.useRsa) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA sig = sig + begin; /* In the fuzz, sigSz ends up 1 and it has issues. */ sigSz = scratch; @@ -3201,7 +3211,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifdef HAVE_ECC +#ifndef WOLFSSH_NO_ECDSA byte* r; byte* s; word32 rSz, sSz, asnSigSz; @@ -3239,12 +3249,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) } if (sigKeyBlock.useRsa) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key); #endif } else { -#ifdef HAVE_ECC +#ifdef WOLFSSH_NO_ECDSA wc_ecc_free(&sigKeyBlock.sk.ecc.key); #endif } @@ -3463,7 +3473,6 @@ static int DoRequestSuccess(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx) *idx = begin; return ret; - } static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx) @@ -3838,7 +3847,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData, return ret; } -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA /* Utility for DoUserAuthRequestPublicKey() */ /* returns negative for error, positive is size of digest. */ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, @@ -3961,6 +3970,7 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, #endif +#ifndef WOLFSSH_NO_ECDSA /* Utility for DoUserAuthRequestPublicKey() */ /* returns negative for error, positive is size of digest. */ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, @@ -4107,8 +4117,10 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret); return ret; } +#endif +#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) /* Utility for DoUserAuthRequest() */ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, byte* buf, word32 len, word32* idx) @@ -4263,7 +4275,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, if (ret == WS_SUCCESS) { if (pkTypeId == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA ret = DoUserAuthRequestRsa(ssh, pk, hashId, digest, digestSz); #endif @@ -4271,8 +4283,10 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 || pkTypeId == ID_ECDSA_SHA2_NISTP384 || pkTypeId == ID_ECDSA_SHA2_NISTP521) +#ifndef WOLFSSH_NO_ECDSA ret = DoUserAuthRequestEcc(ssh, pk, hashId, digest, digestSz); +#endif } if (ret != WS_SUCCESS) { @@ -4289,6 +4303,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret); return ret; } +#endif static int DoUserAuthRequest(WOLFSSH* ssh, @@ -4349,10 +4364,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh, if (authNameId == ID_USERAUTH_PASSWORD) ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin); +#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) else if (authNameId == ID_USERAUTH_PUBLICKEY) { authData.sf.publicKey.dataToSign = buf + *idx; ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin); } +#endif #ifdef WOLFSSH_ALLOW_USERAUTH_NONE else if (authNameId == ID_NONE) { ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin); @@ -4409,9 +4426,11 @@ static int DoUserAuthFailure(WOLFSSH* ssh, case ID_USERAUTH_PASSWORD: authType |= WOLFSSH_USERAUTH_PASSWORD; break; +#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) case ID_USERAUTH_PUBLICKEY: authType |= WOLFSSH_USERAUTH_PUBLICKEY; break; +#endif default: break; } @@ -5460,7 +5479,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input, case ID_NONE: break; -#ifdef HAVE_AES_CBC +#ifndef WOLFSSH_NO_AES_CBC case ID_AES128_CBC: if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes, cipher, input, sz) < 0) { @@ -5470,7 +5489,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input, break; #endif -#ifdef WOLFSSL_AES_COUNTER +#ifndef WOLFSSH_NO_AES_CTR case ID_AES128_CTR: if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes, cipher, input, sz) < 0) { @@ -5504,7 +5523,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input, case ID_NONE: break; -#ifdef HAVE_AES_CBC +#ifndef WOLFSSH_NO_AES_CBC case ID_AES128_CBC: if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes, plain, input, sz) < 0) { @@ -5514,7 +5533,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input, break; #endif -#ifdef WOLFSSL_AES_COUNTER +#ifndef WOLFSSH_NO_AES_CTR case ID_AES128_CTR: if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes, plain, input, sz) < 0) { @@ -6419,7 +6438,7 @@ int SendKexDhReply(WOLFSSH* ssh) const char *name; word32 nameSz; union { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 struct { RsaKey key; byte e[257]; @@ -6430,6 +6449,7 @@ int SendKexDhReply(WOLFSSH* ssh) byte nPad; } rsa; #endif +#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 struct { ecc_key key; word32 keyBlobSz; @@ -6441,6 +6461,7 @@ int SendKexDhReply(WOLFSSH* ssh) const char *primeName; word32 primeNameSz; } ecc; +#endif } sk; } sigKeyBlock; @@ -6524,7 +6545,7 @@ int SendKexDhReply(WOLFSSH* ssh) * either be RSA or ECDSA public key blob. */ if (ret == WS_SUCCESS) { if (sigKeyBlock.useRsa) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 /* Decode the user-configured RSA private key. */ sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e); sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n); @@ -6614,7 +6635,7 @@ int SendKexDhReply(WOLFSSH* ssh) enmhashId, sigKeyBlock.sk.rsa.n, sigKeyBlock.sk.rsa.nSz); -#endif +#endif /* WOLFSSH_NO_SSH_RSA_SHA1 */ } else { sigKeyBlock.sk.ecc.primeName = @@ -7714,7 +7735,7 @@ typedef struct WS_KeySignature { const char *name; word32 nameSz; union { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA struct { RsaKey key; byte e[256]; @@ -7725,6 +7746,7 @@ typedef struct WS_KeySignature { byte nPad; } rsa; #endif +#ifndef WOLFSSH_NO_ECDSA struct { ecc_key key; word32 keyBlobSz; @@ -7736,12 +7758,17 @@ typedef struct WS_KeySignature { const char *primeName; word32 primeNameSz; } ecc; +#endif } ks; } WS_KeySignature; -static const char cannedAuths[] = "publickey,password"; -static const word32 cannedAuthsSz = sizeof(cannedAuths) - 1; +static const char cannedAuths[] = +#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) + "publickey," +#endif + "password,"; +static const word32 cannedAuthsSz = sizeof(cannedAuths) - 2; /* Updates the payload size, and maybe loads keys. */ @@ -7786,7 +7813,7 @@ static int BuildUserAuthRequestPassword(WOLFSSH* ssh, } -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz, const WS_UserAuthData* authData, WS_KeySignature* keySig) { @@ -7942,6 +7969,7 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh, #endif +#ifndef WOLFSSH_NO_ECDSA static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz, const WS_UserAuthData* authData, WS_KeySignature* keySig) { @@ -8137,8 +8165,10 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh, return ret; } +#endif +#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz, const WS_UserAuthData* authData, WS_KeySignature* keySig) { @@ -8162,14 +8192,17 @@ static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz, } if (keySig->keySigId == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig); #endif } else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 || keySig->keySigId == ID_ECDSA_SHA2_NISTP384 || - keySig->keySigId == ID_ECDSA_SHA2_NISTP521) + keySig->keySigId == ID_ECDSA_SHA2_NISTP521) { +#ifndef WOLFSSH_NO_ECDSA ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig); +#endif + } else ret = WS_INVALID_ALGO_ID; @@ -8206,16 +8239,19 @@ static int BuildUserAuthRequestPublicKey(WOLFSSH* ssh, if (pk->hasSignature) { if (keySig->keySigId == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA ret = BuildUserAuthRequestRsa(ssh, output, &begin, authData, sigStart, sigStartIdx, keySig); #endif } else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 || keySig->keySigId == ID_ECDSA_SHA2_NISTP384 || - keySig->keySigId == ID_ECDSA_SHA2_NISTP521) + keySig->keySigId == ID_ECDSA_SHA2_NISTP521) { +#ifndef WOLFSSH_NO_ECDSA ret = BuildUserAuthRequestEcc(ssh, output, &begin, authData, sigStart, sigStartIdx, keySig); +#endif + } } else ret = WS_INVALID_ALGO_ID; @@ -8232,14 +8268,18 @@ static void CleanupUserAuthRequestPublicKey(WS_KeySignature* keySig) { if (keySig != NULL) { if (keySig->keySigId == ID_SSH_RSA) { -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA wc_FreeRsaKey(&keySig->ks.rsa.key); #endif } - else + else { +#ifndef WOLFSSH_NO_ECDSA wc_ecc_free(&keySig->ks.ecc.key); +#endif + } } } +#endif int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig) @@ -8580,7 +8620,7 @@ int SendRequestSuccess(WOLFSSH *ssh, int success) WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret); return ret; } - + static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel, byte* channelData, word32 channelDataSz) { diff --git a/src/ssh.c b/src/ssh.c index 1db4f76..3d4d522 100644 --- a/src/ssh.c +++ b/src/ssh.c @@ -726,7 +726,7 @@ int wolfSSH_connect(WOLFSSH* ssh) } if (ssh->handshake->kexId == ID_DH_GEX_SHA256) { -#ifndef NO_DH +#ifndef WOLFSSH_NO_DH ssh->error = SendKexDhGexRequest(ssh); #endif } @@ -1436,10 +1436,12 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, else if (format == WOLFSSH_FORMAT_ASN1) { byte* newKey; union { - #ifndef NO_RSA + #ifndef WOLFSSH_NO_RSA RsaKey rsa; #endif - ecc_key ecc; + #ifndef WOLFSSH_NO_ECC + ecc_key ecc; + #endif } testKey; word32 scratch = 0; @@ -1456,7 +1458,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, } *outSz = inSz; WMEMCPY(newKey, in, inSz); -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA /* TODO: This is copied and modified from a function in src/internal.c. This and that code should be combined into a single function. */ if (wc_InitRsaKey(&testKey.rsa, heap) < 0) @@ -1472,6 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, } else { #endif +#ifndef WOLFSSH_NO_ECC byte curveId = ID_UNKNOWN; /* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */ @@ -1500,7 +1503,8 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, } else return WS_BAD_FILE_E; -#ifndef NO_RSA +#endif +#ifndef WOLFSSH_NO_RSA } #endif } diff --git a/wolfssh/internal.h b/wolfssh/internal.h index 9b83276..a76e1e7 100644 --- a/wolfssh/internal.h +++ b/wolfssh/internal.h @@ -131,6 +131,14 @@ extern "C" { #endif +#ifdef NO_RSA + #define WOLFSSH_NO_RSA +#endif +#ifndef HAVE_ECC + #define WOLFSSH_NO_ECDSA + #define WOLFSSH_NO_ECDHE +#endif + #if defined(NO_RSA) || defined(NO_SHA) #define WOLFSSH_NO_SSH_RSA_SHA1 #endif @@ -386,7 +394,7 @@ typedef struct HandshakeInfo { byte* kexInit; word32 kexInitSz; -#ifndef NO_DH +#ifndef WOLFSSH_NO_DH word32 dhGexMinSz; word32 dhGexPreferredSz; word32 dhGexMaxSz; @@ -398,7 +406,7 @@ typedef struct HandshakeInfo { byte useEcc; union { -#ifndef NO_DH +#ifndef WOLFSSH_NO_DH DhKey dh; #endif ecc_key ecc; From 92fcd081c9d83241d4e77377b2b09e8989f381bf Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 25 Nov 2020 11:10:00 -0800 Subject: [PATCH 2/4] More Options 1. When setting the disable options, unset them first. Avoids duplicate definition warnings. 2. Regrouped some of the bulk disable options. 3. Detect when a complete set of an algorithm is disabled, and set the bulk disable option for it. --- wolfssh/internal.h | 89 +++++++++++++++++++++++++++++++++------------- 1 file changed, 64 insertions(+), 25 deletions(-) diff --git a/wolfssh/internal.h b/wolfssh/internal.h index a76e1e7..a2dbce0 100644 --- a/wolfssh/internal.h +++ b/wolfssh/internal.h @@ -66,13 +66,34 @@ extern "C" { * the derived options and any override options leave wolfSSH without * at least one algorithm to use, throw an error. */ +#ifdef NO_RSA + #undef WOLFSSH_NO_RSA + #define WOLFSSH_NO_RSA +#endif + +#ifndef HAVE_ECC + #undef WOLFSSH_NO_ECDSA + #define WOLFSSH_NO_ECDSA + #undef WOLFSSH_NO_ECDHE + #define WOLFSSH_NO_ECDHE +#endif + +#ifdef NO_DH + #undef WOLFSSH_NO_DH + #define WOLFSSH_NO_DH +#endif + + #if defined(NO_HMAC) || defined(NO_SHA) + #undef WOLFSSH_NO_HMAC_SHA1 #define WOLFSSH_NO_HMAC_SHA1 #endif #if defined(NO_HMAC) || defined(NO_SHA) + #undef WOLFSSH_NO_HMAC_SHA1_96 #define WOLFSSH_NO_HMAC_SHA1_96 #endif #if defined(NO_HMAC) || defined(NO_SHA256) + #undef WOLFSSH_NO_HMAC_SHA2_256 #define WOLFSSH_NO_HMAC_SHA2_256 #endif #if defined(WOLFSSH_NO_HMAC_SHA1) && \ @@ -82,35 +103,33 @@ extern "C" { #endif -#ifdef WOLFSSH_NO_DH +#if defined(WOLFSSH_NO_DH) || defined(NO_SHA) #undef WOLFSSH_NO_DH_GROUP1_SHA1 #define WOLFSSH_NO_DH_GROUP1_SHA1 +#endif +#if defined(WOLFSSH_NO_DH) || defined(NO_SHA) #undef WOLFSSH_NO_DH_GROUP14_SHA1 #define WOLFSSH_NO_DH_GROUP14_SHA1 +#endif +#if defined(WOLFSSH_NO_DH) || defined(NO_SHA256) #undef WOLFSSH_NO_DH_GEX_SHA256 #define WOLFSSH_NO_DH_GEX_SHA256 #endif - -#if defined(NO_DH) || defined(NO_SHA) - #define WOLFSSH_NO_DH_GROUP1_SHA1 -#endif -#if defined(NO_DH) || defined(NO_SHA) - #define WOLFSSH_NO_DH_GROUP14_SHA1 -#endif -#if defined(NO_DH) || defined(NO_SHA256) - #define WOLFSSH_NO_DH_GEX_SHA256 -#endif -#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256) +#if defined(WOLFSSH_NO_ECDHE) || defined(NO_SHA256) || defined(NO_ECC256) + #undef WOLFSSH_NO_ECDH_SHA2_NISTP256 #define WOLFSSH_NO_ECDH_SHA2_NISTP256 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) +#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) + #undef WOLFSSH_NO_ECDH_SHA2_NISTP384 #define WOLFSSH_NO_ECDH_SHA2_NISTP384 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) +#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) + #undef WOLFSSH_NO_ECDH_SHA2_NISTP521 #define WOLFSSH_NO_ECDH_SHA2_NISTP521 #endif #if !defined(HAVE_ED25519) || defined(NO_SHA256) || 1 /* ED25519 isn't supported yet. Force disabled. */ + #undef WOLFSSH_NO_ECDH_SHA2_ED25519 #define WOLFSSH_NO_ECDH_SHA2_ED25519 #endif @@ -127,28 +146,33 @@ extern "C" { #if defined(WOLFSSH_NO_DH_GROUP1_SHA1) && \ defined(WOLFSSH_NO_DH_GROUP14_SHA1) && \ defined(WOLFSSH_NO_DH_GEX_SHA256) + #undef WOLFSSH_NO_DH #define WOLFSSH_NO_DH #endif - - -#ifdef NO_RSA - #define WOLFSSH_NO_RSA -#endif -#ifndef HAVE_ECC - #define WOLFSSH_NO_ECDSA +#if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \ + defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \ + defined(WOLFSSH_NO_ECDH_SHA2_NISTP521) + #undef WOLFSSH_NO_ECDHE #define WOLFSSH_NO_ECDHE #endif -#if defined(NO_RSA) || defined(NO_SHA) +#if defined(WOLFSSH_NO_RSA) || defined(NO_SHA) + #undef WOLFSSH_NO_SSH_RSA_SHA1 #define WOLFSSH_NO_SSH_RSA_SHA1 #endif -#if !defined(HAVE_ECC) || defined(NO_SHA256) || defined(NO_ECC256) +#if defined(WOLFSSH_NO_ECDSA) || \ + defined(NO_SHA256) || defined(NO_ECC256) + #undef WOLFSSH_NO_ECDSA_SHA2_NISTP256 #define WOLFSSH_NO_ECDSA_SHA2_NISTP256 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) +#if defined(WOLFSSH_NO_ECDSA) || \ + !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) + #undef WOLFSSH_NO_ECDSA_SHA2_NISTP384 #define WOLFSSH_NO_ECDSA_SHA2_NISTP384 #endif -#if !defined(HAVE_ECC) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) +#if defined(WOLFSSH_NO_ECDSA) || \ + !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) + #undef WOLFSSH_NO_ECDSA_SHA2_NISTP521 #define WOLFSSH_NO_ECDSA_SHA2_NISTP521 #endif #if defined(WOLFSSH_NO_SHA_RSA_SHA1) && \ @@ -158,6 +182,17 @@ extern "C" { #error "You need at least one signing algorithm." #endif +#ifdef WOLFSSH_NO_SHA_RSA_SHA1 + #undef WOLFSSH_NO_RSA + #define WOLFSSH_NO_RSA +#endif +#if defined(WOLFSSH_NO_ECDSA_SHA2_NISTP256) && \ + defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384) && \ + defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521) + #undef WOLFSSH_NO_ECDSA + #define WOLFSSH_NO_ECDSA +#endif + #ifdef WOLFSSH_NO_AEAD #undef WOLFSSH_NO_AES_GCM @@ -165,12 +200,15 @@ extern "C" { #endif #if defined(NO_AES) || !defined(HAVE_AES_CBC) + #undef WOLFSSH_NO_AES_CBC #define WOLFSSH_NO_AES_CBC #endif #if defined(NO_AES) || !defined(WOLFSSL_AES_COUNTER) + #undef WOLFSSH_NO_AES_CTR #define WOLFSSH_NO_AES_CTR #endif #if defined(NO_AES) || !defined(HAVE_AESGCM) + #undef WOLFSSH_NO_AES_GCM #define WOLFSSH_NO_AES_GCM #endif @@ -181,6 +219,7 @@ extern "C" { #endif #if defined(WOLFSSH_NO_AES_GCM) + #undef WOLFSSH_NO_AEAD #define WOLFSSH_NO_AEAD #endif From 717ea6a050b01f2f387a26557b8e7e9d9eacd100 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 7 Jan 2021 11:33:32 -0800 Subject: [PATCH 3/4] Separate the ECC disable into ECDSA and ECDHE disables. --- src/internal.c | 44 ++++++++++++++++++++++++-------------------- src/ssh.c | 4 ++-- tests/api.c | 12 ++++++++---- wolfssh/internal.h | 14 +++++++------- 4 files changed, 41 insertions(+), 33 deletions(-) diff --git a/src/internal.c b/src/internal.c index c744e1e..479ea62 100644 --- a/src/internal.c +++ b/src/internal.c @@ -119,6 +119,10 @@ Flags: Set when all DH algorithms are disabled. Set to disable use of all DH algorithms for key agreement. Setting this will force all DH key agreement algorithms off. + WOLFSSH_NO_ECDH + Set when all ECDH algorithms are disabled. Set to disable use of all ECDH + algorithms for key agreement. Setting this will force all ECDH key agreement + algorithms off. */ @@ -2234,29 +2238,19 @@ static INLINE int wcPrimeForId(byte id) return ECC_CURVE_INVALID; } } + +#ifndef WOLFSSH_NO_ECDSA static INLINE const char *PrimeNameForId(byte id) { switch (id) { -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 - case ID_ECDH_SHA2_NISTP256: - return "nistp256"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 case ID_ECDSA_SHA2_NISTP256: return "nistp256"; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384 - case ID_ECDH_SHA2_NISTP384: - return "nistp384"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384 case ID_ECDSA_SHA2_NISTP384: return "nistp384"; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521 - case ID_ECDH_SHA2_NISTP521: - return "nistp521"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521 case ID_ECDSA_SHA2_NISTP521: return "nistp521"; @@ -2265,6 +2259,7 @@ static INLINE const char *PrimeNameForId(byte id) return "unknown"; } } +#endif static INLINE byte AeadModeForId(byte id) @@ -2785,7 +2780,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) RsaKey key; } rsa; #endif -#ifndef WOLFSSH_NO_ECC +#ifndef WOLFSSH_NO_ECDSA struct { ecc_key key; } ecc; @@ -3098,7 +3093,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifndef WOLFSSH_NO_ECDHE +#ifndef WOLFSSH_NO_ECDH ecc_key key; ret = wc_ecc_init(&key); #ifdef HAVE_WC_ECC_SET_RNG @@ -3254,7 +3249,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifdef WOLFSSH_NO_ECDSA +#ifndef WOLFSSH_NO_ECDSA wc_ecc_free(&sigKeyBlock.sk.ecc.key); #endif } @@ -4120,7 +4115,7 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, #endif -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) /* Utility for DoUserAuthRequest() */ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, byte* buf, word32 len, word32* idx) @@ -4282,11 +4277,12 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, } else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 || pkTypeId == ID_ECDSA_SHA2_NISTP384 || - pkTypeId == ID_ECDSA_SHA2_NISTP521) + pkTypeId == ID_ECDSA_SHA2_NISTP521) { #ifndef WOLFSSH_NO_ECDSA ret = DoUserAuthRequestEcc(ssh, pk, hashId, digest, digestSz); #endif + } } if (ret != WS_SUCCESS) { @@ -4364,7 +4360,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh, if (authNameId == ID_USERAUTH_PASSWORD) ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin); -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) else if (authNameId == ID_USERAUTH_PUBLICKEY) { authData.sf.publicKey.dataToSign = buf + *idx; ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin); @@ -6449,7 +6445,7 @@ int SendKexDhReply(WOLFSSH* ssh) byte nPad; } rsa; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 +#ifndef WOLFSSH_NO_ECDSA struct { ecc_key key; word32 keyBlobSz; @@ -6638,6 +6634,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif /* WOLFSSH_NO_SSH_RSA_SHA1 */ } else { +#ifndef WOLFSSH_NO_ECDSA sigKeyBlock.sk.ecc.primeName = PrimeNameForId(ssh->handshake->pubKeyId); sigKeyBlock.sk.ecc.primeNameSz = @@ -6707,6 +6704,7 @@ int SendKexDhReply(WOLFSSH* ssh) enmhashId, sigKeyBlock.sk.ecc.q, sigKeyBlock.sk.ecc.qSz); +#endif } #ifndef WOLFSSH_NO_DH_GEX_SHA256 /* If using DH-GEX include the GEX specific values. */ @@ -6950,6 +6948,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA WLOG(WS_LOG_INFO, "Signing hash with ECDSA."); sigSz = sizeof(sig); ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId), @@ -6987,6 +6986,7 @@ int SendKexDhReply(WOLFSSH* ssh) WMEMCPY(sig + idx, s, sSz); } } +#endif } } } @@ -6997,7 +6997,9 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA wc_ecc_free(&sigKeyBlock.sk.ecc.key); +#endif } sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock.nameSz + sigSz; @@ -7043,6 +7045,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA c32toa(sigKeyBlock.sk.ecc.primeNameSz, output + idx); idx += LENGTH_SZ; WMEMCPY(output + idx, sigKeyBlock.sk.ecc.primeName, @@ -7053,6 +7056,7 @@ int SendKexDhReply(WOLFSSH* ssh) WMEMCPY(output + idx, sigKeyBlock.sk.ecc.q, sigKeyBlock.sk.ecc.qSz); idx += sigKeyBlock.sk.ecc.qSz; +#endif } /* Copy the server's public key. F for DE, or Q_S for ECDH. */ @@ -8168,7 +8172,7 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh, #endif -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz, const WS_UserAuthData* authData, WS_KeySignature* keySig) { diff --git a/src/ssh.c b/src/ssh.c index 3d4d522..68ffc15 100644 --- a/src/ssh.c +++ b/src/ssh.c @@ -1439,7 +1439,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, #ifndef WOLFSSH_NO_RSA RsaKey rsa; #endif - #ifndef WOLFSSH_NO_ECC + #ifndef WOLFSSH_NO_ECDSA ecc_key ecc; #endif } testKey; @@ -1474,7 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, } else { #endif -#ifndef WOLFSSH_NO_ECC +#ifndef WOLFSSH_NO_ECDSA byte curveId = ID_UNKNOWN; /* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */ diff --git a/tests/api.c b/tests/api.c index 6fe21c5..b2d399b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -462,14 +462,14 @@ enum WS_TestFormatTypes { }; -#ifndef NO_ECC256 +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 static const char serverKeyEccDer[] = "307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85" "7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c" "45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011" "20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569"; static const int serverKeyEccCurveId = ECC_SECP256R1; -#elif defined(HAVE_ECC384) +#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384) static const char serverKeyEccDer[] = "3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d" "b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400" @@ -478,7 +478,7 @@ static const char serverKeyEccDer[] = "b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab" "2161c00066febd"; static const int serverKeyEccCurveId = ECC_SECP384R1; -#elif defined(HAVE_ECC521) +#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521) static const char serverKeyEccDer[] = "3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8" "6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d" @@ -490,6 +490,7 @@ static const char serverKeyEccDer[] = static const int serverKeyEccCurveId = ECC_SECP521R1; #endif +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 static const char serverKeyRsaDer[] = "308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec" "ec8b831e9e429cca416ad38ae15234e00d13627ed40fae5c4d04f18dfac5ad77" @@ -529,6 +530,7 @@ static const char serverKeyRsaDer[] = "731fba275c82f8ad311edef33772cb47d2cdf7f87f0039db8d2aca4ec1cee215" "89d63a61ae9da230a585ae38ea4674dc023aace95fa3c6734f73819056c3ce77" "5f5bba6c42f121"; +#endif static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) @@ -591,9 +593,11 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) TEST_GOOD_FORMAT_ASN1)); AssertNotNull(ctx->privateKey); AssertIntNE(0, ctx->privateKeySz); +#ifndef WOLFSSH_NO_ECDSA AssertIntEQ(serverKeyEccCurveId, ctx->useEcc); +#endif -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA lastKey = ctx->privateKey; lastKeySz = ctx->privateKeySz; AssertIntEQ(WS_SUCCESS, diff --git a/wolfssh/internal.h b/wolfssh/internal.h index a2dbce0..683a440 100644 --- a/wolfssh/internal.h +++ b/wolfssh/internal.h @@ -74,8 +74,8 @@ extern "C" { #ifndef HAVE_ECC #undef WOLFSSH_NO_ECDSA #define WOLFSSH_NO_ECDSA - #undef WOLFSSH_NO_ECDHE - #define WOLFSSH_NO_ECDHE + #undef WOLFSSH_NO_ECDH + #define WOLFSSH_NO_ECDH #endif #ifdef NO_DH @@ -115,15 +115,15 @@ extern "C" { #undef WOLFSSH_NO_DH_GEX_SHA256 #define WOLFSSH_NO_DH_GEX_SHA256 #endif -#if defined(WOLFSSH_NO_ECDHE) || defined(NO_SHA256) || defined(NO_ECC256) +#if defined(WOLFSSH_NO_ECDH) || defined(NO_SHA256) || defined(NO_ECC256) #undef WOLFSSH_NO_ECDH_SHA2_NISTP256 #define WOLFSSH_NO_ECDH_SHA2_NISTP256 #endif -#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) +#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) #undef WOLFSSH_NO_ECDH_SHA2_NISTP384 #define WOLFSSH_NO_ECDH_SHA2_NISTP384 #endif -#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) +#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) #undef WOLFSSH_NO_ECDH_SHA2_NISTP521 #define WOLFSSH_NO_ECDH_SHA2_NISTP521 #endif @@ -152,8 +152,8 @@ extern "C" { #if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \ defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \ defined(WOLFSSH_NO_ECDH_SHA2_NISTP521) - #undef WOLFSSH_NO_ECDHE - #define WOLFSSH_NO_ECDHE + #undef WOLFSSH_NO_ECDH + #define WOLFSSH_NO_ECDH #endif #if defined(WOLFSSH_NO_RSA) || defined(NO_SHA) From bbd3d762913c04b015fd8cd7a616e9bec4734028 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 2 Feb 2021 11:45:21 -0800 Subject: [PATCH 4/4] Add some option disables to the api test and the echoserver. --- examples/echoserver/echoserver.c | 5 +++ tests/api.c | 53 ++++++++++++++++++++++++-------- 2 files changed, 45 insertions(+), 13 deletions(-) diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 7e0e98a..a4cc2db 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -1610,6 +1610,11 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args) userEcc = 1; peerEcc = 1; #endif +#ifndef HAVE_ECC + /* If wolfCrypt isn't built with ECC, force ECC off. */ + userEcc = 0; + peerEcc = 0; +#endif if (wolfSSH_Init() != WS_SUCCESS) { fprintf(stderr, "Couldn't initialize wolfSSH.\n"); diff --git a/tests/api.c b/tests/api.c index b2d399b..b741fc1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -537,14 +537,31 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) { #ifndef WOLFSSH_NO_SERVER WOLFSSH_CTX* ctx; +#ifdef HAVE_ECC byte* eccKey; + word32 eccKeySz; +#endif +#ifndef NO_RSA byte* rsaKey; - byte* lastKey; - word32 eccKeySz, rsaKeySz, lastKeySz; + word32 rsaKeySz; +#endif + byte* lastKey = NULL; + word32 lastKeySz = 0; - AssertIntEQ(0, ConvertHexToBin(serverKeyEccDer, &eccKey, &eccKeySz, - serverKeyRsaDer, &rsaKey, &rsaKeySz, - NULL, NULL, NULL, NULL, NULL, NULL)); +#ifdef HAVE_ECC + AssertIntEQ(0, + ConvertHexToBin(serverKeyEccDer, &eccKey, &eccKeySz, + NULL, NULL, NULL, + NULL, NULL, NULL, + NULL, NULL, NULL)); +#endif +#ifndef NO_RSA + AssertIntEQ(0, + ConvertHexToBin(serverKeyRsaDer, &rsaKey, &rsaKeySz, + NULL, NULL, NULL, + NULL, NULL, NULL, + NULL, NULL, NULL)); +#endif AssertNotNull(ctx = wolfSSH_CTX_new(WOLFSSH_ENDPOINT_SERVER, NULL)); AssertNull(ctx->privateKey); @@ -568,7 +585,7 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) /* Fail: ctx set, key set, others bad */ AssertIntNE(WS_SUCCESS, wolfSSH_CTX_UsePrivateKey_buffer(ctx, - rsaKey, 0, TEST_BAD_FORMAT_NEXT)); + lastKey, 0, TEST_BAD_FORMAT_NEXT)); AssertNull(ctx->privateKey); AssertIntEQ(0, ctx->privateKeySz); AssertIntEQ(0, ctx->useEcc); @@ -582,39 +599,49 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) /* Fail: ctx set, key set, keySz set, format invalid */ AssertIntNE(WS_SUCCESS, wolfSSH_CTX_UsePrivateKey_buffer(ctx, - rsaKey, rsaKeySz, TEST_GOOD_FORMAT_PEM)); + lastKey, lastKeySz, TEST_GOOD_FORMAT_PEM)); AssertNull(ctx->privateKey); AssertIntEQ(0, ctx->privateKeySz); AssertIntEQ(0, ctx->useEcc); /* Pass */ +#ifdef HAVE_ECC + lastKey = ctx->privateKey; + lastKeySz = ctx->privateKeySz; + AssertIntEQ(WS_SUCCESS, wolfSSH_CTX_UsePrivateKey_buffer(ctx, eccKey, eccKeySz, TEST_GOOD_FORMAT_ASN1)); AssertNotNull(ctx->privateKey); AssertIntNE(0, ctx->privateKeySz); -#ifndef WOLFSSH_NO_ECDSA AssertIntEQ(serverKeyEccCurveId, ctx->useEcc); + + AssertIntEQ(0, (lastKey == ctx->privateKey)); + AssertIntNE(lastKeySz, ctx->privateKeySz); #endif -#ifndef WOLFSSH_NO_RSA +#ifndef NO_RSA lastKey = ctx->privateKey; lastKeySz = ctx->privateKeySz; + AssertIntEQ(WS_SUCCESS, wolfSSH_CTX_UsePrivateKey_buffer(ctx, rsaKey, rsaKeySz, TEST_GOOD_FORMAT_ASN1)); AssertNotNull(ctx->privateKey); AssertIntNE(0, ctx->privateKeySz); AssertIntEQ(0, ctx->useEcc); + AssertIntEQ(0, (lastKey == ctx->privateKey)); AssertIntNE(lastKeySz, ctx->privateKeySz); -#else - (void)lastKey; - (void)lastKeySz; #endif wolfSSH_CTX_free(ctx); - FreeBins(eccKey, rsaKey, NULL, NULL); +#ifdef HAVE_ECC + FreeBins(eccKey, NULL, NULL, NULL); +#endif +#ifndef NO_RSA + FreeBins(rsaKey, NULL, NULL, NULL); +#endif #endif /* WOLFSSH_NO_SERVER */ }