mirror of https://github.com/wolfSSL/wolfssh.git
Separate the ECC disable into ECDSA and ECDHE disables.
parent
92fcd081c9
commit
717ea6a050
|
@ -119,6 +119,10 @@ Flags:
|
|||
Set when all DH algorithms are disabled. Set to disable use of all DH
|
||||
algorithms for key agreement. Setting this will force all DH key agreement
|
||||
algorithms off.
|
||||
WOLFSSH_NO_ECDH
|
||||
Set when all ECDH algorithms are disabled. Set to disable use of all ECDH
|
||||
algorithms for key agreement. Setting this will force all ECDH key agreement
|
||||
algorithms off.
|
||||
*/
|
||||
|
||||
|
||||
|
@ -2234,29 +2238,19 @@ static INLINE int wcPrimeForId(byte id)
|
|||
return ECC_CURVE_INVALID;
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
static INLINE const char *PrimeNameForId(byte id)
|
||||
{
|
||||
switch (id) {
|
||||
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
|
||||
case ID_ECDH_SHA2_NISTP256:
|
||||
return "nistp256";
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
|
||||
case ID_ECDSA_SHA2_NISTP256:
|
||||
return "nistp256";
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384
|
||||
case ID_ECDH_SHA2_NISTP384:
|
||||
return "nistp384";
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
|
||||
case ID_ECDSA_SHA2_NISTP384:
|
||||
return "nistp384";
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521
|
||||
case ID_ECDH_SHA2_NISTP521:
|
||||
return "nistp521";
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
|
||||
case ID_ECDSA_SHA2_NISTP521:
|
||||
return "nistp521";
|
||||
|
@ -2265,6 +2259,7 @@ static INLINE const char *PrimeNameForId(byte id)
|
|||
return "unknown";
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
static INLINE byte AeadModeForId(byte id)
|
||||
|
@ -2785,7 +2780,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
|||
RsaKey key;
|
||||
} rsa;
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECC
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
struct {
|
||||
ecc_key key;
|
||||
} ecc;
|
||||
|
@ -3098,7 +3093,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
|||
#endif
|
||||
}
|
||||
else {
|
||||
#ifndef WOLFSSH_NO_ECDHE
|
||||
#ifndef WOLFSSH_NO_ECDH
|
||||
ecc_key key;
|
||||
ret = wc_ecc_init(&key);
|
||||
#ifdef HAVE_WC_ECC_SET_RNG
|
||||
|
@ -3254,7 +3249,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
|||
#endif
|
||||
}
|
||||
else {
|
||||
#ifdef WOLFSSH_NO_ECDSA
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
|
||||
#endif
|
||||
}
|
||||
|
@ -4120,7 +4115,7 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
|||
#endif
|
||||
|
||||
|
||||
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
|
||||
/* Utility for DoUserAuthRequest() */
|
||||
static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||
byte* buf, word32 len, word32* idx)
|
||||
|
@ -4282,11 +4277,12 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
|||
}
|
||||
else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
|
||||
pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
|
||||
pkTypeId == ID_ECDSA_SHA2_NISTP521)
|
||||
pkTypeId == ID_ECDSA_SHA2_NISTP521) {
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
ret = DoUserAuthRequestEcc(ssh, pk,
|
||||
hashId, digest, digestSz);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
if (ret != WS_SUCCESS) {
|
||||
|
@ -4364,7 +4360,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
|
|||
|
||||
if (authNameId == ID_USERAUTH_PASSWORD)
|
||||
ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
|
||||
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
|
||||
else if (authNameId == ID_USERAUTH_PUBLICKEY) {
|
||||
authData.sf.publicKey.dataToSign = buf + *idx;
|
||||
ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
|
||||
|
@ -6449,7 +6445,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
byte nPad;
|
||||
} rsa;
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
struct {
|
||||
ecc_key key;
|
||||
word32 keyBlobSz;
|
||||
|
@ -6638,6 +6634,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
#endif /* WOLFSSH_NO_SSH_RSA_SHA1 */
|
||||
}
|
||||
else {
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
sigKeyBlock.sk.ecc.primeName =
|
||||
PrimeNameForId(ssh->handshake->pubKeyId);
|
||||
sigKeyBlock.sk.ecc.primeNameSz =
|
||||
|
@ -6707,6 +6704,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
enmhashId,
|
||||
sigKeyBlock.sk.ecc.q,
|
||||
sigKeyBlock.sk.ecc.qSz);
|
||||
#endif
|
||||
}
|
||||
#ifndef WOLFSSH_NO_DH_GEX_SHA256
|
||||
/* If using DH-GEX include the GEX specific values. */
|
||||
|
@ -6950,6 +6948,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
#endif
|
||||
}
|
||||
else {
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
WLOG(WS_LOG_INFO, "Signing hash with ECDSA.");
|
||||
sigSz = sizeof(sig);
|
||||
ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId),
|
||||
|
@ -6987,6 +6986,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
WMEMCPY(sig + idx, s, sSz);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -6997,7 +6997,9 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
#endif
|
||||
}
|
||||
else {
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
|
||||
#endif
|
||||
}
|
||||
|
||||
sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock.nameSz + sigSz;
|
||||
|
@ -7043,6 +7045,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
#endif
|
||||
}
|
||||
else {
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
c32toa(sigKeyBlock.sk.ecc.primeNameSz, output + idx);
|
||||
idx += LENGTH_SZ;
|
||||
WMEMCPY(output + idx, sigKeyBlock.sk.ecc.primeName,
|
||||
|
@ -7053,6 +7056,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
|||
WMEMCPY(output + idx, sigKeyBlock.sk.ecc.q,
|
||||
sigKeyBlock.sk.ecc.qSz);
|
||||
idx += sigKeyBlock.sk.ecc.qSz;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Copy the server's public key. F for DE, or Q_S for ECDH. */
|
||||
|
@ -8168,7 +8172,7 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
|
|||
#endif
|
||||
|
||||
|
||||
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||
#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
|
||||
static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
|
||||
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
||||
{
|
||||
|
|
|
@ -1439,7 +1439,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
|||
#ifndef WOLFSSH_NO_RSA
|
||||
RsaKey rsa;
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECC
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
ecc_key ecc;
|
||||
#endif
|
||||
} testKey;
|
||||
|
@ -1474,7 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
|||
}
|
||||
else {
|
||||
#endif
|
||||
#ifndef WOLFSSH_NO_ECC
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
byte curveId = ID_UNKNOWN;
|
||||
|
||||
/* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */
|
||||
|
|
12
tests/api.c
12
tests/api.c
|
@ -462,14 +462,14 @@ enum WS_TestFormatTypes {
|
|||
};
|
||||
|
||||
|
||||
#ifndef NO_ECC256
|
||||
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
|
||||
static const char serverKeyEccDer[] =
|
||||
"307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85"
|
||||
"7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c"
|
||||
"45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011"
|
||||
"20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569";
|
||||
static const int serverKeyEccCurveId = ECC_SECP256R1;
|
||||
#elif defined(HAVE_ECC384)
|
||||
#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384)
|
||||
static const char serverKeyEccDer[] =
|
||||
"3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d"
|
||||
"b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400"
|
||||
|
@ -478,7 +478,7 @@ static const char serverKeyEccDer[] =
|
|||
"b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab"
|
||||
"2161c00066febd";
|
||||
static const int serverKeyEccCurveId = ECC_SECP384R1;
|
||||
#elif defined(HAVE_ECC521)
|
||||
#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521)
|
||||
static const char serverKeyEccDer[] =
|
||||
"3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8"
|
||||
"6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d"
|
||||
|
@ -490,6 +490,7 @@ static const char serverKeyEccDer[] =
|
|||
static const int serverKeyEccCurveId = ECC_SECP521R1;
|
||||
#endif
|
||||
|
||||
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
|
||||
static const char serverKeyRsaDer[] =
|
||||
"308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec"
|
||||
"ec8b831e9e429cca416ad38ae15234e00d13627ed40fae5c4d04f18dfac5ad77"
|
||||
|
@ -529,6 +530,7 @@ static const char serverKeyRsaDer[] =
|
|||
"731fba275c82f8ad311edef33772cb47d2cdf7f87f0039db8d2aca4ec1cee215"
|
||||
"89d63a61ae9da230a585ae38ea4674dc023aace95fa3c6734f73819056c3ce77"
|
||||
"5f5bba6c42f121";
|
||||
#endif
|
||||
|
||||
|
||||
static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
|
||||
|
@ -591,9 +593,11 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
|
|||
TEST_GOOD_FORMAT_ASN1));
|
||||
AssertNotNull(ctx->privateKey);
|
||||
AssertIntNE(0, ctx->privateKeySz);
|
||||
#ifndef WOLFSSH_NO_ECDSA
|
||||
AssertIntEQ(serverKeyEccCurveId, ctx->useEcc);
|
||||
#endif
|
||||
|
||||
#ifndef NO_RSA
|
||||
#ifndef WOLFSSH_NO_RSA
|
||||
lastKey = ctx->privateKey;
|
||||
lastKeySz = ctx->privateKeySz;
|
||||
AssertIntEQ(WS_SUCCESS,
|
||||
|
|
|
@ -74,8 +74,8 @@ extern "C" {
|
|||
#ifndef HAVE_ECC
|
||||
#undef WOLFSSH_NO_ECDSA
|
||||
#define WOLFSSH_NO_ECDSA
|
||||
#undef WOLFSSH_NO_ECDHE
|
||||
#define WOLFSSH_NO_ECDHE
|
||||
#undef WOLFSSH_NO_ECDH
|
||||
#define WOLFSSH_NO_ECDH
|
||||
#endif
|
||||
|
||||
#ifdef NO_DH
|
||||
|
@ -115,15 +115,15 @@ extern "C" {
|
|||
#undef WOLFSSH_NO_DH_GEX_SHA256
|
||||
#define WOLFSSH_NO_DH_GEX_SHA256
|
||||
#endif
|
||||
#if defined(WOLFSSH_NO_ECDHE) || defined(NO_SHA256) || defined(NO_ECC256)
|
||||
#if defined(WOLFSSH_NO_ECDH) || defined(NO_SHA256) || defined(NO_ECC256)
|
||||
#undef WOLFSSH_NO_ECDH_SHA2_NISTP256
|
||||
#define WOLFSSH_NO_ECDH_SHA2_NISTP256
|
||||
#endif
|
||||
#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
|
||||
#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
|
||||
#undef WOLFSSH_NO_ECDH_SHA2_NISTP384
|
||||
#define WOLFSSH_NO_ECDH_SHA2_NISTP384
|
||||
#endif
|
||||
#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
|
||||
#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
|
||||
#undef WOLFSSH_NO_ECDH_SHA2_NISTP521
|
||||
#define WOLFSSH_NO_ECDH_SHA2_NISTP521
|
||||
#endif
|
||||
|
@ -152,8 +152,8 @@ extern "C" {
|
|||
#if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \
|
||||
defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \
|
||||
defined(WOLFSSH_NO_ECDH_SHA2_NISTP521)
|
||||
#undef WOLFSSH_NO_ECDHE
|
||||
#define WOLFSSH_NO_ECDHE
|
||||
#undef WOLFSSH_NO_ECDH
|
||||
#define WOLFSSH_NO_ECDH
|
||||
#endif
|
||||
|
||||
#if defined(WOLFSSH_NO_RSA) || defined(NO_SHA)
|
||||
|
|
Loading…
Reference in New Issue