From 4055d91c11e44603263fb21882480ed70b27a26d Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 21 Aug 2020 16:57:43 -0700
Subject: [PATCH 1/2] ECC Update for wolfSSL v4.5.0
wolfSSL v4.5.0 introduced a new function, `wc_ecc_set_rng()`, which is present when ECC_TIMING_RESISTANCE is enabled. Added a check to the configure script for that function, and disable calls to the function if it isn't present. This allows wolfSSH to build against older versions of wolfSSL.
---
 configure.ac | 2 +-
 src/internal.c | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index eeda1ef..f93c43a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,11 +52,11 @@ AC_CHECK_SIZEOF([long]) AC_CHECK_SIZEOF([off_t]) # Check headers/libs
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket])
 AC_CHECK_HEADERS([sys/select.h sys/time.h pty.h util.h termios.h]) AC_CHECK_LIB([network],[socket]) AC_CHECK_LIB([util],[forkpty]) AC_CHECK_LIB([wolfssl],[wolfCrypt_Init],,[AC_MSG_ERROR([libwolfssl is required for ${PACKAGE}. It can be obtained from https://www.wolfssl.com/download.html/ .])])
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket wc_ecc_set_rng])
 # DEBUG DEBUG_CFLAGS="-g -O0"
diff --git a/src/internal.c b/src/internal.c
index 83151e7..7ca11d1 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2766,6 +2766,10 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 ret = wc_ecc_init_ex(&sigKeyBlock.sk.ecc.key, ssh->ctx->heap, INVALID_DEVID);
+#ifdef HAVE_WC_ECC_SET_RNG
+ if (ret == WS_SUCCESS)
+ ret = wc_ecc_set_rng(&sigKeyBlock.sk.ecc.key, ssh->rng);
+#endif
 if (ret != 0) ret = WS_ECC_E; else
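Review bot: The move of `AC_CHECK_FUNCS` below `AC_CHECK_LIB([wolfssl], ...)` is load-bearing, but nothing in configure.ac says so. With its action-if-found left empty, `AC_CHECK_LIB` by default appends `-lwolfssl` to `LIBS`, and the `wc_ecc_set_rng` probe presumably only links once that has happened. Moving the line back up would silently turn the result into "not found" and compile out every `wc_ecc_set_rng()` call instead of failing the build. A comment above the macro would guard against that, for example `# Keep after AC_CHECK_LIB([wolfssl]): wc_ecc_set_rng is probed in libwolfssl.`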
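Review bot: In both DoKexDhReply hunks (this one at line 2766 and the one at 2814) the new guard is `if (ret == WS_SUCCESS)`, but `ret` at that point holds the wolfCrypt return of `wc_ecc_init_ex()` / `wc_ecc_init()`, and the lines around it test that value against `0` (`if (ret != 0) ret = WS_ECC_E;` directly below here, `if (ret == 0)` at the 2814 site). The SendKexDhReply and SendKexDhInit hunks already write `if (ret == 0)`; using the same form here keeps the four call sites consistent and avoids relying on the wolfSSH constant being numerically zero. DoKexDhReply starts and ends outside both hunks, so how a failing `wc_ecc_set_rng()` is mapped to a wolfSSH error at the 2814 site cannot be checked from this patch.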
@@ -2814,6 +2818,10 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 else { ecc_key key; ret = wc_ecc_init(&key);
+#ifdef HAVE_WC_ECC_SET_RNG
+ if (ret == WS_SUCCESS)
+ ret = wc_ecc_set_rng(&key, ssh->rng);
+#endif
 if (ret == 0) ret = wc_ecc_import_x963(f, fSz, &key); if (ret == 0)
@@ -6400,6 +6408,10 @@ int SendKexDhReply(WOLFSSH* ssh)
 if (ret == 0) ret = wc_ecc_init_ex(&privKey, ssh->ctx->heap, INVALID_DEVID);
+#ifdef HAVE_WC_ECC_SET_RNG
+ if (ret == 0)
+ ret = wc_ecc_set_rng(&privKey, ssh->rng);
+#endif
 if (ret == 0) ret = wc_ecc_import_x963_ex(ssh->handshake->e,
@@ -6908,7 +6920,10 @@ int SendKexDhInit(WOLFSSH* ssh)
 if (ret == 0) ret = wc_ecc_init_ex(privKey, ssh->ctx->heap, INVALID_DEVID);
-
+#ifdef HAVE_WC_ECC_SET_RNG
+ if (ret == 0)
+ ret = wc_ecc_set_rng(privKey, ssh->rng);
+#endif
 if (ret == 0) ret = wc_ecc_make_key_ex(ssh->rng, wc_ecc_get_curve_size_from_id(primeId),
From 7aedc310459d5a6bca01fbdc0948a4a932480487 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 24 Aug 2020 09:37:15 -0700
Subject: [PATCH 2/2] Add comment block to internal.c to start listing all the flags used in the file.
---
 src/internal.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 7ca11d1..fc26891 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -48,6 +48,16 @@
 #endif
+/*
+Flags:
+ HAVE_WC_ECC_SET_RNG
+ Set by configure if wc_ecc_set_rng() discovered in wolfCrypt. Disables
+ use of the function if the flag isn't set. If using wolfCrypt v4.5.0 or
+ later, and not building with configure, set this flag.
+ default: off
+*/
+
+
 static const char sshProtoIdStr[] = "SSH-2.0-wolfSSHv" LIBWOLFSSH_VERSION_STRING "\r\n";
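Review bot: The flag is documented as `default: off` with non-configure builds expected to set it by hand, which makes the RNG hookup for timing-resistant ECC opt-in exactly where nobody runs configure. A build against wolfCrypt v4.5.0 or later that omits the flag compiles out all four `wc_ecc_set_rng()` calls in DoKexDhReply, SendKexDhReply and SendKexDhInit. Whether the ECDH step then fails or proceeds without the RNG is not visible in this patch, and the comment should state it. Deriving the flag when it is not already set would remove the footgun, assuming wolfSSL's version and settings headers are included above this point: `#if !defined(HAVE_WC_ECC_SET_RNG) && defined(ECC_TIMING_RESISTANT) && LIBWOLFSSL_VERSION_HEX >= 0x04005000`, `#define HAVE_WC_ECC_SET_RNG`, `#endif`.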