WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

More Options 

1. Added general disable flags for RSA and ECDSA.
2. Replaced HAVE_ECC, NO_RSA, NO_DSA with the general disable flags.
pull/298/head
John Safranek 2020-11-13 13:28:13 -08:00
parent ae0c5efb2f
commit b7f073faa3
No known key found for this signature in database
GPG Key ID: 8CE817DE0D3CCB4A
4 changed files with 101 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/agent.c
View File

@ -379,7 +379,7 @@ static int PostUnlock(WOLFSSH_AGENT_CTX* agent,
} }
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent, static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
byte keyType, byte* key, word32 keySz, byte keyType, byte* key, word32 keySz,
word32 nSz, word32 eSz, word32 dSz, word32 nSz, word32 eSz, word32 dSz,
@ -461,6 +461,7 @@ static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent, static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
byte keyType, byte* key, word32 keySz, byte keyType, byte* key, word32 keySz,
word32 curveNameSz, word32 qSz, word32 dSz, word32 curveNameSz, word32 qSz, word32 dSz,
@ -527,6 +528,7 @@ static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
WLOG_LEAVE(ret); WLOG_LEAVE(ret);
return ret; return ret;
} }
#endif
static int PostRemoveId(WOLFSSH_AGENT_CTX* agent, static int PostRemoveId(WOLFSSH_AGENT_CTX* agent,
@ -669,7 +671,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
int sigSz = sizeof(sig); int sigSz = sizeof(sig);
if (cur->keyType == ID_SSH_RSA) { if (cur->keyType == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
WOLFSSH_AGENT_KEY_RSA* key; WOLFSSH_AGENT_KEY_RSA* key;
RsaKey rsa; RsaKey rsa;
byte encSig[MAX_ENCODED_SIG_SZ]; byte encSig[MAX_ENCODED_SIG_SZ];
@ -714,6 +716,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
#endif #endif
} }
else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) { else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) {
#ifndef WOLFSSH_NO_ECDSA
WOLFSSH_AGENT_KEY_ECDSA* key; WOLFSSH_AGENT_KEY_ECDSA* key;
ecc_key ecc; ecc_key ecc;
enum wc_HashType hashType = WC_HASH_TYPE_SHA256; enum wc_HashType hashType = WC_HASH_TYPE_SHA256;
@ -764,6 +767,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
wc_ecc_free(&ecc); wc_ecc_free(&ecc);
if (ret != 0) if (ret != 0)
ret = WS_ECC_E; ret = WS_ECC_E;
#endif
} }
else else
ret = WS_INVALID_ALGO_ID; ret = WS_INVALID_ALGO_ID;
@ -946,7 +950,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
begin += sz; begin += sz;
if (keyType == ID_SSH_RSA) { if (keyType == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
byte* key; byte* key;
byte* scratch; byte* scratch;
word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz; word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz;
@ -993,6 +997,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
else if (keyType == ID_ECDSA_SHA2_NISTP256 || else if (keyType == ID_ECDSA_SHA2_NISTP256 ||
keyType == ID_ECDSA_SHA2_NISTP384 || keyType == ID_ECDSA_SHA2_NISTP384 ||
keyType == ID_ECDSA_SHA2_NISTP521) { keyType == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
byte* key; byte* key;
byte* scratch; byte* scratch;
word32 keySz, curveNameSz, qSz, dSz, commentSz; word32 keySz, curveNameSz, qSz, dSz, commentSz;
@ -1021,6 +1026,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
ret = PostAddEcdsaId(agent, keyType, key, keySz, ret = PostAddEcdsaId(agent, keyType, key, keySz,
curveNameSz, qSz, dSz, commentSz); curveNameSz, qSz, dSz, commentSz);
} }
#endif
} }
else { else {
ret = WS_PARSE_E; ret = WS_PARSE_E;

106
src/internal.c
View File

@ -85,9 +85,15 @@ Flags:
WOLFSSH_NO_ECDH_SHA2_ED25519 WOLFSSH_NO_ECDH_SHA2_ED25519
Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key
exchange with prime ED25519. (It just decodes the ID for output.) exchange with prime ED25519. (It just decodes the ID for output.)
WOLFSSH_NO_RSA
Set when RSA is disabled. Set to disable use of RSA server and user
authentication.
WOLFSSH_NO_SSH_RSA_SHA1 WOLFSSH_NO_SSH_RSA_SHA1
Set when RSA or SHA1 are disabled. Set to disable use of RSA server Set when RSA or SHA1 are disabled. Set to disable use of RSA server
authentication. authentication.
WOLFSSH_NO_ECDSA
Set when ECC is disabled. Set to disable use of ECDSA server and user
authentication.
WOLFSSH_NO_ECDSA_SHA2_NISTP256 WOLFSSH_NO_ECDSA_SHA2_NISTP256
Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server
authentication with prime NISTP256. authentication with prime NISTP256.
@ -745,15 +751,17 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) { if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) {
/* Check RSA key */ /* Check RSA key */
union { union {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
RsaKey rsa; RsaKey rsa;
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
ecc_key ecc; ecc_key ecc;
#endif
} key; } key;
word32 scratch = 0; word32 scratch = 0;
int ret; int ret;
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
if (wc_InitRsaKey(&key.rsa, NULL) < 0) if (wc_InitRsaKey(&key.rsa, NULL) < 0)
return WS_RSA_E; return WS_RSA_E;
@ -762,6 +770,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (ret < 0) { if (ret < 0) {
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
/* Couldn't decode as RSA key. Try decoding as ECC key. */ /* Couldn't decode as RSA key. Try decoding as ECC key. */
scratch = 0; scratch = 0;
if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0) if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0)
@ -784,7 +793,8 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
if (ret != 0) if (ret != 0)
return WS_BAD_FILE_E; return WS_BAD_FILE_E;
#ifndef NO_RSA #endif
#ifndef WOLFSSH_NO_RSA
} }
#endif #endif
} }
@ -2770,12 +2780,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
byte useRsa; byte useRsa;
word32 keySz; word32 keySz;
union { union {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
struct { struct {
RsaKey key; RsaKey key;
} rsa; } rsa;
#endif #endif
#ifdef HAVE_ECC #ifndef WOLFSSH_NO_ECC
struct { struct {
ecc_key key; ecc_key key;
} ecc; } ecc;
@ -2982,7 +2992,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA; sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA;
if (sigKeyBlock.useRsa) { if (sigKeyBlock.useRsa) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
byte* e; byte* e;
word32 eSz; word32 eSz;
byte* n; byte* n;
@ -3024,7 +3034,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif #endif
} }
else { else {
#ifdef HAVE_ECC #ifndef WOLFSSH_NO_ECDSA
byte* q; byte* q;
word32 qSz, pubKeyIdx = 0; word32 qSz, pubKeyIdx = 0;
int primeId; int primeId;
@ -3088,7 +3098,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif #endif
} }
else { else {
#ifdef HAVE_ECC #ifndef WOLFSSH_NO_ECDHE
ecc_key key; ecc_key key;
ret = wc_ecc_init(&key); ret = wc_ecc_init(&key);
#ifdef HAVE_WC_ECC_SET_RNG #ifdef HAVE_WC_ECC_SET_RNG
@ -3169,7 +3179,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
} }
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
if (sigKeyBlock.useRsa) { if (sigKeyBlock.useRsa) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
sig = sig + begin; sig = sig + begin;
/* In the fuzz, sigSz ends up 1 and it has issues. */ /* In the fuzz, sigSz ends up 1 and it has issues. */
sigSz = scratch; sigSz = scratch;
@ -3201,7 +3211,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
#endif #endif
} }
else { else {
#ifdef HAVE_ECC #ifndef WOLFSSH_NO_ECDSA
byte* r; byte* r;
byte* s; byte* s;
word32 rSz, sSz, asnSigSz; word32 rSz, sSz, asnSigSz;
@ -3239,12 +3249,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
} }
if (sigKeyBlock.useRsa) { if (sigKeyBlock.useRsa) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key); wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key);
#endif #endif
} }
else { else {
#ifdef HAVE_ECC #ifdef WOLFSSH_NO_ECDSA
wc_ecc_free(&sigKeyBlock.sk.ecc.key); wc_ecc_free(&sigKeyBlock.sk.ecc.key);
#endif #endif
} }
@ -3463,7 +3473,6 @@ static int DoRequestSuccess(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
*idx = begin; *idx = begin;
return ret; return ret;
} }
static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx) static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
@ -3838,7 +3847,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
return ret; return ret;
} }
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
/* Utility for DoUserAuthRequestPublicKey() */ /* Utility for DoUserAuthRequestPublicKey() */
/* returns negative for error, positive is size of digest. */ /* returns negative for error, positive is size of digest. */
static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
@ -3961,6 +3970,7 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
/* Utility for DoUserAuthRequestPublicKey() */ /* Utility for DoUserAuthRequestPublicKey() */
/* returns negative for error, positive is size of digest. */ /* returns negative for error, positive is size of digest. */
static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk, static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
@ -4107,8 +4117,10 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret); WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret);
return ret; return ret;
} }
#endif
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
/* Utility for DoUserAuthRequest() */ /* Utility for DoUserAuthRequest() */
static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
byte* buf, word32 len, word32* idx) byte* buf, word32 len, word32* idx)
@ -4263,7 +4275,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
if (pkTypeId == ID_SSH_RSA) { if (pkTypeId == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
ret = DoUserAuthRequestRsa(ssh, pk, ret = DoUserAuthRequestRsa(ssh, pk,
hashId, digest, digestSz); hashId, digest, digestSz);
#endif #endif
@ -4271,8 +4283,10 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 || else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
pkTypeId == ID_ECDSA_SHA2_NISTP384 || pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
pkTypeId == ID_ECDSA_SHA2_NISTP521) pkTypeId == ID_ECDSA_SHA2_NISTP521)
#ifndef WOLFSSH_NO_ECDSA
ret = DoUserAuthRequestEcc(ssh, pk, ret = DoUserAuthRequestEcc(ssh, pk,
hashId, digest, digestSz); hashId, digest, digestSz);
#endif
} }
if (ret != WS_SUCCESS) { if (ret != WS_SUCCESS) {
@ -4289,6 +4303,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret); WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret);
return ret; return ret;
} }
#endif
static int DoUserAuthRequest(WOLFSSH* ssh, static int DoUserAuthRequest(WOLFSSH* ssh,
@ -4349,10 +4364,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
if (authNameId == ID_USERAUTH_PASSWORD) if (authNameId == ID_USERAUTH_PASSWORD)
ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin); ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
else if (authNameId == ID_USERAUTH_PUBLICKEY) { else if (authNameId == ID_USERAUTH_PUBLICKEY) {
authData.sf.publicKey.dataToSign = buf + *idx; authData.sf.publicKey.dataToSign = buf + *idx;
ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin); ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
} }
#endif
#ifdef WOLFSSH_ALLOW_USERAUTH_NONE #ifdef WOLFSSH_ALLOW_USERAUTH_NONE
else if (authNameId == ID_NONE) { else if (authNameId == ID_NONE) {
ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin); ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin);
@ -4409,9 +4426,11 @@ static int DoUserAuthFailure(WOLFSSH* ssh,
case ID_USERAUTH_PASSWORD: case ID_USERAUTH_PASSWORD:
authType |= WOLFSSH_USERAUTH_PASSWORD; authType |= WOLFSSH_USERAUTH_PASSWORD;
break; break;
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
case ID_USERAUTH_PUBLICKEY: case ID_USERAUTH_PUBLICKEY:
authType |= WOLFSSH_USERAUTH_PUBLICKEY; authType |= WOLFSSH_USERAUTH_PUBLICKEY;
break; break;
#endif
default: default:
break; break;
} }
@ -5460,7 +5479,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
case ID_NONE: case ID_NONE:
break; break;
#ifdef HAVE_AES_CBC #ifndef WOLFSSH_NO_AES_CBC
case ID_AES128_CBC: case ID_AES128_CBC:
if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes, if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
cipher, input, sz) < 0) { cipher, input, sz) < 0) {
@ -5470,7 +5489,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
break; break;
#endif #endif
#ifdef WOLFSSL_AES_COUNTER #ifndef WOLFSSH_NO_AES_CTR
case ID_AES128_CTR: case ID_AES128_CTR:
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes, if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes,
cipher, input, sz) < 0) { cipher, input, sz) < 0) {
@ -5504,7 +5523,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
case ID_NONE: case ID_NONE:
break; break;
#ifdef HAVE_AES_CBC #ifndef WOLFSSH_NO_AES_CBC
case ID_AES128_CBC: case ID_AES128_CBC:
if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes, if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
plain, input, sz) < 0) { plain, input, sz) < 0) {
@ -5514,7 +5533,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
break; break;
#endif #endif
#ifdef WOLFSSL_AES_COUNTER #ifndef WOLFSSH_NO_AES_CTR
case ID_AES128_CTR: case ID_AES128_CTR:
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes, if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes,
plain, input, sz) < 0) { plain, input, sz) < 0) {
@ -6419,7 +6438,7 @@ int SendKexDhReply(WOLFSSH* ssh)
const char *name; const char *name;
word32 nameSz; word32 nameSz;
union { union {
#ifndef NO_RSA #ifndef WOLFSSH_NO_SSH_RSA_SHA1
struct { struct {
RsaKey key; RsaKey key;
byte e[257]; byte e[257];
@ -6430,6 +6449,7 @@ int SendKexDhReply(WOLFSSH* ssh)
byte nPad; byte nPad;
} rsa; } rsa;
#endif #endif
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
struct { struct {
ecc_key key; ecc_key key;
word32 keyBlobSz; word32 keyBlobSz;
@ -6441,6 +6461,7 @@ int SendKexDhReply(WOLFSSH* ssh)
const char *primeName; const char *primeName;
word32 primeNameSz; word32 primeNameSz;
} ecc; } ecc;
#endif
} sk; } sk;
} sigKeyBlock; } sigKeyBlock;
@ -6524,7 +6545,7 @@ int SendKexDhReply(WOLFSSH* ssh)
* either be RSA or ECDSA public key blob. */ * either be RSA or ECDSA public key blob. */
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
if (sigKeyBlock.useRsa) { if (sigKeyBlock.useRsa) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_SSH_RSA_SHA1
/* Decode the user-configured RSA private key. */ /* Decode the user-configured RSA private key. */
sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e); sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e);
sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n); sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n);
@ -6614,7 +6635,7 @@ int SendKexDhReply(WOLFSSH* ssh)
enmhashId, enmhashId,
sigKeyBlock.sk.rsa.n, sigKeyBlock.sk.rsa.n,
sigKeyBlock.sk.rsa.nSz); sigKeyBlock.sk.rsa.nSz);
#endif #endif /* WOLFSSH_NO_SSH_RSA_SHA1 */
} }
else { else {
sigKeyBlock.sk.ecc.primeName = sigKeyBlock.sk.ecc.primeName =
@ -7714,7 +7735,7 @@ typedef struct WS_KeySignature {
const char *name; const char *name;
word32 nameSz; word32 nameSz;
union { union {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
struct { struct {
RsaKey key; RsaKey key;
byte e[256]; byte e[256];
@ -7725,6 +7746,7 @@ typedef struct WS_KeySignature {
byte nPad; byte nPad;
} rsa; } rsa;
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
struct { struct {
ecc_key key; ecc_key key;
word32 keyBlobSz; word32 keyBlobSz;
@ -7736,12 +7758,17 @@ typedef struct WS_KeySignature {
const char *primeName; const char *primeName;
word32 primeNameSz; word32 primeNameSz;
} ecc; } ecc;
#endif
} ks; } ks;
} WS_KeySignature; } WS_KeySignature;
static const char cannedAuths[] = "publickey,password"; static const char cannedAuths[] =
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 1; #if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
"publickey,"
#endif
"password,";
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 2;
/* Updates the payload size, and maybe loads keys. */ /* Updates the payload size, and maybe loads keys. */
@ -7786,7 +7813,7 @@ static int BuildUserAuthRequestPassword(WOLFSSH* ssh,
} }
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz, static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig) const WS_UserAuthData* authData, WS_KeySignature* keySig)
{ {
@ -7942,6 +7969,7 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh,
#endif #endif
#ifndef WOLFSSH_NO_ECDSA
static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz, static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig) const WS_UserAuthData* authData, WS_KeySignature* keySig)
{ {
@ -8137,8 +8165,10 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
return ret; return ret;
} }
#endif
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz, static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
const WS_UserAuthData* authData, WS_KeySignature* keySig) const WS_UserAuthData* authData, WS_KeySignature* keySig)
{ {
@ -8162,14 +8192,17 @@ static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
} }
if (keySig->keySigId == ID_SSH_RSA) { if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig); ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig);
#endif #endif
} }
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 || else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 || keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig); ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig);
#endif
}
else else
ret = WS_INVALID_ALGO_ID; ret = WS_INVALID_ALGO_ID;
@ -8206,16 +8239,19 @@ static int BuildUserAuthRequestPublicKey(WOLFSSH* ssh,
if (pk->hasSignature) { if (pk->hasSignature) {
if (keySig->keySigId == ID_SSH_RSA) { if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
ret = BuildUserAuthRequestRsa(ssh, output, &begin, ret = BuildUserAuthRequestRsa(ssh, output, &begin,
authData, sigStart, sigStartIdx, keySig); authData, sigStart, sigStartIdx, keySig);
#endif #endif
} }
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 || else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 || keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
#ifndef WOLFSSH_NO_ECDSA
ret = BuildUserAuthRequestEcc(ssh, output, &begin, ret = BuildUserAuthRequestEcc(ssh, output, &begin,
authData, sigStart, sigStartIdx, keySig); authData, sigStart, sigStartIdx, keySig);
#endif
}
} }
else else
ret = WS_INVALID_ALGO_ID; ret = WS_INVALID_ALGO_ID;
@ -8232,14 +8268,18 @@ static void CleanupUserAuthRequestPublicKey(WS_KeySignature* keySig)
{ {
if (keySig != NULL) { if (keySig != NULL) {
if (keySig->keySigId == ID_SSH_RSA) { if (keySig->keySigId == ID_SSH_RSA) {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
wc_FreeRsaKey(&keySig->ks.rsa.key); wc_FreeRsaKey(&keySig->ks.rsa.key);
#endif #endif
} }
else else {
#ifndef WOLFSSH_NO_ECDSA
wc_ecc_free(&keySig->ks.ecc.key); wc_ecc_free(&keySig->ks.ecc.key);
#endif
}
} }
} }
#endif
int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig) int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig)
@ -8580,7 +8620,7 @@ int SendRequestSuccess(WOLFSSH *ssh, int success)
WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret); WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret);
return ret; return ret;
} }
static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel, static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel,
byte* channelData, word32 channelDataSz) byte* channelData, word32 channelDataSz)
{ {

14
src/ssh.c
View File

@ -726,7 +726,7 @@ int wolfSSH_connect(WOLFSSH* ssh)
} }
if (ssh->handshake->kexId == ID_DH_GEX_SHA256) { if (ssh->handshake->kexId == ID_DH_GEX_SHA256) {
#ifndef NO_DH #ifndef WOLFSSH_NO_DH
ssh->error = SendKexDhGexRequest(ssh); ssh->error = SendKexDhGexRequest(ssh);
#endif #endif
} }
@ -1436,10 +1436,12 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
else if (format == WOLFSSH_FORMAT_ASN1) { else if (format == WOLFSSH_FORMAT_ASN1) {
byte* newKey; byte* newKey;
union { union {
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
RsaKey rsa; RsaKey rsa;
#endif #endif
ecc_key ecc; #ifndef WOLFSSH_NO_ECC
ecc_key ecc;
#endif
} testKey; } testKey;
word32 scratch = 0; word32 scratch = 0;
@ -1456,7 +1458,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
} }
*outSz = inSz; *outSz = inSz;
WMEMCPY(newKey, in, inSz); WMEMCPY(newKey, in, inSz);
#ifndef NO_RSA #ifndef WOLFSSH_NO_RSA
/* TODO: This is copied and modified from a function in src/internal.c. /* TODO: This is copied and modified from a function in src/internal.c.
This and that code should be combined into a single function. */ This and that code should be combined into a single function. */
if (wc_InitRsaKey(&testKey.rsa, heap) < 0) if (wc_InitRsaKey(&testKey.rsa, heap) < 0)
@ -1472,6 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
} }
else { else {
#endif #endif
#ifndef WOLFSSH_NO_ECC
byte curveId = ID_UNKNOWN; byte curveId = ID_UNKNOWN;
/* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */ /* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */
@ -1500,7 +1503,8 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
} }
else else
return WS_BAD_FILE_E; return WS_BAD_FILE_E;
#ifndef NO_RSA #endif
#ifndef WOLFSSH_NO_RSA
} }
#endif #endif
} }

12
wolfssh/internal.h
View File

@ -131,6 +131,14 @@ extern "C" {
#endif #endif
#ifdef NO_RSA
#define WOLFSSH_NO_RSA
#endif
#ifndef HAVE_ECC
#define WOLFSSH_NO_ECDSA
#define WOLFSSH_NO_ECDHE
#endif
#if defined(NO_RSA) || defined(NO_SHA) #if defined(NO_RSA) || defined(NO_SHA)
#define WOLFSSH_NO_SSH_RSA_SHA1 #define WOLFSSH_NO_SSH_RSA_SHA1
#endif #endif
@ -386,7 +394,7 @@ typedef struct HandshakeInfo {
byte* kexInit; byte* kexInit;
word32 kexInitSz; word32 kexInitSz;
#ifndef NO_DH #ifndef WOLFSSH_NO_DH
word32 dhGexMinSz; word32 dhGexMinSz;
word32 dhGexPreferredSz; word32 dhGexPreferredSz;
word32 dhGexMaxSz; word32 dhGexMaxSz;
@ -398,7 +406,7 @@ typedef struct HandshakeInfo {
byte useEcc; byte useEcc;
union { union {
#ifndef NO_DH #ifndef WOLFSSH_NO_DH
DhKey dh; DhKey dh;
#endif #endif
ecc_key ecc; ecc_key ecc;