diff --git a/src/internal.c b/src/internal.c index c744e1e..479ea62 100644 --- a/src/internal.c +++ b/src/internal.c @@ -119,6 +119,10 @@ Flags: Set when all DH algorithms are disabled. Set to disable use of all DH algorithms for key agreement. Setting this will force all DH key agreement algorithms off. + WOLFSSH_NO_ECDH + Set when all ECDH algorithms are disabled. Set to disable use of all ECDH + algorithms for key agreement. Setting this will force all ECDH key agreement + algorithms off. */ @@ -2234,29 +2238,19 @@ static INLINE int wcPrimeForId(byte id) return ECC_CURVE_INVALID; } } + +#ifndef WOLFSSH_NO_ECDSA static INLINE const char *PrimeNameForId(byte id) { switch (id) { -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 - case ID_ECDH_SHA2_NISTP256: - return "nistp256"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 case ID_ECDSA_SHA2_NISTP256: return "nistp256"; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384 - case ID_ECDH_SHA2_NISTP384: - return "nistp384"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384 case ID_ECDSA_SHA2_NISTP384: return "nistp384"; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521 - case ID_ECDH_SHA2_NISTP521: - return "nistp521"; -#endif #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521 case ID_ECDSA_SHA2_NISTP521: return "nistp521"; @@ -2265,6 +2259,7 @@ static INLINE const char *PrimeNameForId(byte id) return "unknown"; } } +#endif static INLINE byte AeadModeForId(byte id) @@ -2785,7 +2780,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) RsaKey key; } rsa; #endif -#ifndef WOLFSSH_NO_ECC +#ifndef WOLFSSH_NO_ECDSA struct { ecc_key key; } ecc; @@ -3098,7 +3093,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifndef WOLFSSH_NO_ECDHE +#ifndef WOLFSSH_NO_ECDH ecc_key key; ret = wc_ecc_init(&key); #ifdef HAVE_WC_ECC_SET_RNG @@ -3254,7 +3249,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx) #endif } else { -#ifdef WOLFSSH_NO_ECDSA +#ifndef WOLFSSH_NO_ECDSA wc_ecc_free(&sigKeyBlock.sk.ecc.key); #endif } @@ -4120,7 +4115,7 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, #endif -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) /* Utility for DoUserAuthRequest() */ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, byte* buf, word32 len, word32* idx) @@ -4282,11 +4277,12 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, } else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 || pkTypeId == ID_ECDSA_SHA2_NISTP384 || - pkTypeId == ID_ECDSA_SHA2_NISTP521) + pkTypeId == ID_ECDSA_SHA2_NISTP521) { #ifndef WOLFSSH_NO_ECDSA ret = DoUserAuthRequestEcc(ssh, pk, hashId, digest, digestSz); #endif + } } if (ret != WS_SUCCESS) { @@ -4364,7 +4360,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh, if (authNameId == ID_USERAUTH_PASSWORD) ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin); -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) else if (authNameId == ID_USERAUTH_PUBLICKEY) { authData.sf.publicKey.dataToSign = buf + *idx; ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin); @@ -6449,7 +6445,7 @@ int SendKexDhReply(WOLFSSH* ssh) byte nPad; } rsa; #endif -#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256 +#ifndef WOLFSSH_NO_ECDSA struct { ecc_key key; word32 keyBlobSz; @@ -6638,6 +6634,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif /* WOLFSSH_NO_SSH_RSA_SHA1 */ } else { +#ifndef WOLFSSH_NO_ECDSA sigKeyBlock.sk.ecc.primeName = PrimeNameForId(ssh->handshake->pubKeyId); sigKeyBlock.sk.ecc.primeNameSz = @@ -6707,6 +6704,7 @@ int SendKexDhReply(WOLFSSH* ssh) enmhashId, sigKeyBlock.sk.ecc.q, sigKeyBlock.sk.ecc.qSz); +#endif } #ifndef WOLFSSH_NO_DH_GEX_SHA256 /* If using DH-GEX include the GEX specific values. */ @@ -6950,6 +6948,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA WLOG(WS_LOG_INFO, "Signing hash with ECDSA."); sigSz = sizeof(sig); ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId), @@ -6987,6 +6986,7 @@ int SendKexDhReply(WOLFSSH* ssh) WMEMCPY(sig + idx, s, sSz); } } +#endif } } } @@ -6997,7 +6997,9 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA wc_ecc_free(&sigKeyBlock.sk.ecc.key); +#endif } sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock.nameSz + sigSz; @@ -7043,6 +7045,7 @@ int SendKexDhReply(WOLFSSH* ssh) #endif } else { +#ifndef WOLFSSH_NO_ECDSA c32toa(sigKeyBlock.sk.ecc.primeNameSz, output + idx); idx += LENGTH_SZ; WMEMCPY(output + idx, sigKeyBlock.sk.ecc.primeName, @@ -7053,6 +7056,7 @@ int SendKexDhReply(WOLFSSH* ssh) WMEMCPY(output + idx, sigKeyBlock.sk.ecc.q, sigKeyBlock.sk.ecc.qSz); idx += sigKeyBlock.sk.ecc.qSz; +#endif } /* Copy the server's public key. F for DE, or Q_S for ECDH. */ @@ -8168,7 +8172,7 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh, #endif -#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA) +#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA) static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz, const WS_UserAuthData* authData, WS_KeySignature* keySig) { diff --git a/src/ssh.c b/src/ssh.c index 3d4d522..68ffc15 100644 --- a/src/ssh.c +++ b/src/ssh.c @@ -1439,7 +1439,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, #ifndef WOLFSSH_NO_RSA RsaKey rsa; #endif - #ifndef WOLFSSH_NO_ECC + #ifndef WOLFSSH_NO_ECDSA ecc_key ecc; #endif } testKey; @@ -1474,7 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format, } else { #endif -#ifndef WOLFSSH_NO_ECC +#ifndef WOLFSSH_NO_ECDSA byte curveId = ID_UNKNOWN; /* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */ diff --git a/tests/api.c b/tests/api.c index 6fe21c5..b2d399b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -462,14 +462,14 @@ enum WS_TestFormatTypes { }; -#ifndef NO_ECC256 +#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256 static const char serverKeyEccDer[] = "307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85" "7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c" "45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011" "20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569"; static const int serverKeyEccCurveId = ECC_SECP256R1; -#elif defined(HAVE_ECC384) +#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384) static const char serverKeyEccDer[] = "3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d" "b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400" @@ -478,7 +478,7 @@ static const char serverKeyEccDer[] = "b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab" "2161c00066febd"; static const int serverKeyEccCurveId = ECC_SECP384R1; -#elif defined(HAVE_ECC521) +#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521) static const char serverKeyEccDer[] = "3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8" "6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d" @@ -490,6 +490,7 @@ static const char serverKeyEccDer[] = static const int serverKeyEccCurveId = ECC_SECP521R1; #endif +#ifndef WOLFSSH_NO_SSH_RSA_SHA1 static const char serverKeyRsaDer[] = "308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec" "ec8b831e9e429cca416ad38ae15234e00d13627ed40fae5c4d04f18dfac5ad77" @@ -529,6 +530,7 @@ static const char serverKeyRsaDer[] = "731fba275c82f8ad311edef33772cb47d2cdf7f87f0039db8d2aca4ec1cee215" "89d63a61ae9da230a585ae38ea4674dc023aace95fa3c6734f73819056c3ce77" "5f5bba6c42f121"; +#endif static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) @@ -591,9 +593,11 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void) TEST_GOOD_FORMAT_ASN1)); AssertNotNull(ctx->privateKey); AssertIntNE(0, ctx->privateKeySz); +#ifndef WOLFSSH_NO_ECDSA AssertIntEQ(serverKeyEccCurveId, ctx->useEcc); +#endif -#ifndef NO_RSA +#ifndef WOLFSSH_NO_RSA lastKey = ctx->privateKey; lastKeySz = ctx->privateKeySz; AssertIntEQ(WS_SUCCESS, diff --git a/wolfssh/internal.h b/wolfssh/internal.h index a2dbce0..683a440 100644 --- a/wolfssh/internal.h +++ b/wolfssh/internal.h @@ -74,8 +74,8 @@ extern "C" { #ifndef HAVE_ECC #undef WOLFSSH_NO_ECDSA #define WOLFSSH_NO_ECDSA - #undef WOLFSSH_NO_ECDHE - #define WOLFSSH_NO_ECDHE + #undef WOLFSSH_NO_ECDH + #define WOLFSSH_NO_ECDH #endif #ifdef NO_DH @@ -115,15 +115,15 @@ extern "C" { #undef WOLFSSH_NO_DH_GEX_SHA256 #define WOLFSSH_NO_DH_GEX_SHA256 #endif -#if defined(WOLFSSH_NO_ECDHE) || defined(NO_SHA256) || defined(NO_ECC256) +#if defined(WOLFSSH_NO_ECDH) || defined(NO_SHA256) || defined(NO_ECC256) #undef WOLFSSH_NO_ECDH_SHA2_NISTP256 #define WOLFSSH_NO_ECDH_SHA2_NISTP256 #endif -#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) +#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384) #undef WOLFSSH_NO_ECDH_SHA2_NISTP384 #define WOLFSSH_NO_ECDH_SHA2_NISTP384 #endif -#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) +#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521) #undef WOLFSSH_NO_ECDH_SHA2_NISTP521 #define WOLFSSH_NO_ECDH_SHA2_NISTP521 #endif @@ -152,8 +152,8 @@ extern "C" { #if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \ defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \ defined(WOLFSSH_NO_ECDH_SHA2_NISTP521) - #undef WOLFSSH_NO_ECDHE - #define WOLFSSH_NO_ECDHE + #undef WOLFSSH_NO_ECDH + #define WOLFSSH_NO_ECDH #endif #if defined(WOLFSSH_NO_RSA) || defined(NO_SHA)