mirror of https://github.com/wolfSSL/wolfssh.git
More Options
1. Added general disable flags for RSA and ECDSA. 2. Replaced HAVE_ECC, NO_RSA, NO_DSA with the general disable flags.pull/298/head
parent
ae0c5efb2f
commit
b7f073faa3
12
src/agent.c
12
src/agent.c
|
@ -379,7 +379,7 @@ static int PostUnlock(WOLFSSH_AGENT_CTX* agent,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
|
static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
|
||||||
byte keyType, byte* key, word32 keySz,
|
byte keyType, byte* key, word32 keySz,
|
||||||
word32 nSz, word32 eSz, word32 dSz,
|
word32 nSz, word32 eSz, word32 dSz,
|
||||||
|
@ -461,6 +461,7 @@ static int PostAddRsaId(WOLFSSH_AGENT_CTX* agent,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
|
static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
|
||||||
byte keyType, byte* key, word32 keySz,
|
byte keyType, byte* key, word32 keySz,
|
||||||
word32 curveNameSz, word32 qSz, word32 dSz,
|
word32 curveNameSz, word32 qSz, word32 dSz,
|
||||||
|
@ -527,6 +528,7 @@ static int PostAddEcdsaId(WOLFSSH_AGENT_CTX* agent,
|
||||||
WLOG_LEAVE(ret);
|
WLOG_LEAVE(ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
static int PostRemoveId(WOLFSSH_AGENT_CTX* agent,
|
static int PostRemoveId(WOLFSSH_AGENT_CTX* agent,
|
||||||
|
@ -669,7 +671,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
|
||||||
int sigSz = sizeof(sig);
|
int sigSz = sizeof(sig);
|
||||||
|
|
||||||
if (cur->keyType == ID_SSH_RSA) {
|
if (cur->keyType == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
WOLFSSH_AGENT_KEY_RSA* key;
|
WOLFSSH_AGENT_KEY_RSA* key;
|
||||||
RsaKey rsa;
|
RsaKey rsa;
|
||||||
byte encSig[MAX_ENCODED_SIG_SZ];
|
byte encSig[MAX_ENCODED_SIG_SZ];
|
||||||
|
@ -714,6 +716,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) {
|
else if (cur->keyType == ID_ECDSA_SHA2_NISTP256) {
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
WOLFSSH_AGENT_KEY_ECDSA* key;
|
WOLFSSH_AGENT_KEY_ECDSA* key;
|
||||||
ecc_key ecc;
|
ecc_key ecc;
|
||||||
enum wc_HashType hashType = WC_HASH_TYPE_SHA256;
|
enum wc_HashType hashType = WC_HASH_TYPE_SHA256;
|
||||||
|
@ -764,6 +767,7 @@ static int PostSignRequest(WOLFSSH_AGENT_CTX* agent,
|
||||||
wc_ecc_free(&ecc);
|
wc_ecc_free(&ecc);
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
ret = WS_ECC_E;
|
ret = WS_ECC_E;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
ret = WS_INVALID_ALGO_ID;
|
ret = WS_INVALID_ALGO_ID;
|
||||||
|
@ -946,7 +950,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
|
||||||
|
|
||||||
begin += sz;
|
begin += sz;
|
||||||
if (keyType == ID_SSH_RSA) {
|
if (keyType == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
byte* key;
|
byte* key;
|
||||||
byte* scratch;
|
byte* scratch;
|
||||||
word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz;
|
word32 keySz, nSz, eSz, dSz, iqmpSz, pSz, qSz, commentSz;
|
||||||
|
@ -993,6 +997,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
|
||||||
else if (keyType == ID_ECDSA_SHA2_NISTP256 ||
|
else if (keyType == ID_ECDSA_SHA2_NISTP256 ||
|
||||||
keyType == ID_ECDSA_SHA2_NISTP384 ||
|
keyType == ID_ECDSA_SHA2_NISTP384 ||
|
||||||
keyType == ID_ECDSA_SHA2_NISTP521) {
|
keyType == ID_ECDSA_SHA2_NISTP521) {
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
byte* key;
|
byte* key;
|
||||||
byte* scratch;
|
byte* scratch;
|
||||||
word32 keySz, curveNameSz, qSz, dSz, commentSz;
|
word32 keySz, curveNameSz, qSz, dSz, commentSz;
|
||||||
|
@ -1021,6 +1026,7 @@ static int DoAddIdentity(WOLFSSH_AGENT_CTX* agent,
|
||||||
ret = PostAddEcdsaId(agent, keyType, key, keySz,
|
ret = PostAddEcdsaId(agent, keyType, key, keySz,
|
||||||
curveNameSz, qSz, dSz, commentSz);
|
curveNameSz, qSz, dSz, commentSz);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
ret = WS_PARSE_E;
|
ret = WS_PARSE_E;
|
||||||
|
|
106
src/internal.c
106
src/internal.c
|
@ -85,9 +85,15 @@ Flags:
|
||||||
WOLFSSH_NO_ECDH_SHA2_ED25519
|
WOLFSSH_NO_ECDH_SHA2_ED25519
|
||||||
Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key
|
Set when ED25519 or SHA2-256 are disabled. Set to disable use of ECDHE key
|
||||||
exchange with prime ED25519. (It just decodes the ID for output.)
|
exchange with prime ED25519. (It just decodes the ID for output.)
|
||||||
|
WOLFSSH_NO_RSA
|
||||||
|
Set when RSA is disabled. Set to disable use of RSA server and user
|
||||||
|
authentication.
|
||||||
WOLFSSH_NO_SSH_RSA_SHA1
|
WOLFSSH_NO_SSH_RSA_SHA1
|
||||||
Set when RSA or SHA1 are disabled. Set to disable use of RSA server
|
Set when RSA or SHA1 are disabled. Set to disable use of RSA server
|
||||||
authentication.
|
authentication.
|
||||||
|
WOLFSSH_NO_ECDSA
|
||||||
|
Set when ECC is disabled. Set to disable use of ECDSA server and user
|
||||||
|
authentication.
|
||||||
WOLFSSH_NO_ECDSA_SHA2_NISTP256
|
WOLFSSH_NO_ECDSA_SHA2_NISTP256
|
||||||
Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server
|
Set when ECC or SHA2-256 are disabled. Set to disable use of ECDSA server
|
||||||
authentication with prime NISTP256.
|
authentication with prime NISTP256.
|
||||||
|
@ -745,15 +751,17 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
|
||||||
if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) {
|
if (type == BUFTYPE_PRIVKEY && format != WOLFSSH_FORMAT_RAW) {
|
||||||
/* Check RSA key */
|
/* Check RSA key */
|
||||||
union {
|
union {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
RsaKey rsa;
|
RsaKey rsa;
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
ecc_key ecc;
|
ecc_key ecc;
|
||||||
|
#endif
|
||||||
} key;
|
} key;
|
||||||
word32 scratch = 0;
|
word32 scratch = 0;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
if (wc_InitRsaKey(&key.rsa, NULL) < 0)
|
if (wc_InitRsaKey(&key.rsa, NULL) < 0)
|
||||||
return WS_RSA_E;
|
return WS_RSA_E;
|
||||||
|
|
||||||
|
@ -762,6 +770,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
|
||||||
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
/* Couldn't decode as RSA key. Try decoding as ECC key. */
|
/* Couldn't decode as RSA key. Try decoding as ECC key. */
|
||||||
scratch = 0;
|
scratch = 0;
|
||||||
if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0)
|
if (wc_ecc_init_ex(&key.ecc, ctx->heap, INVALID_DEVID) != 0)
|
||||||
|
@ -784,7 +793,8 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
|
||||||
|
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
return WS_BAD_FILE_E;
|
return WS_BAD_FILE_E;
|
||||||
#ifndef NO_RSA
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_RSA
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
@ -2770,12 +2780,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
byte useRsa;
|
byte useRsa;
|
||||||
word32 keySz;
|
word32 keySz;
|
||||||
union {
|
union {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
struct {
|
struct {
|
||||||
RsaKey key;
|
RsaKey key;
|
||||||
} rsa;
|
} rsa;
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_ECC
|
#ifndef WOLFSSH_NO_ECC
|
||||||
struct {
|
struct {
|
||||||
ecc_key key;
|
ecc_key key;
|
||||||
} ecc;
|
} ecc;
|
||||||
|
@ -2982,7 +2992,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA;
|
sigKeyBlock.useRsa = ssh->handshake->pubKeyId == ID_SSH_RSA;
|
||||||
|
|
||||||
if (sigKeyBlock.useRsa) {
|
if (sigKeyBlock.useRsa) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
byte* e;
|
byte* e;
|
||||||
word32 eSz;
|
word32 eSz;
|
||||||
byte* n;
|
byte* n;
|
||||||
|
@ -3024,7 +3034,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#ifdef HAVE_ECC
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
byte* q;
|
byte* q;
|
||||||
word32 qSz, pubKeyIdx = 0;
|
word32 qSz, pubKeyIdx = 0;
|
||||||
int primeId;
|
int primeId;
|
||||||
|
@ -3088,7 +3098,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#ifdef HAVE_ECC
|
#ifndef WOLFSSH_NO_ECDHE
|
||||||
ecc_key key;
|
ecc_key key;
|
||||||
ret = wc_ecc_init(&key);
|
ret = wc_ecc_init(&key);
|
||||||
#ifdef HAVE_WC_ECC_SET_RNG
|
#ifdef HAVE_WC_ECC_SET_RNG
|
||||||
|
@ -3169,7 +3179,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
}
|
}
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
if (sigKeyBlock.useRsa) {
|
if (sigKeyBlock.useRsa) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
sig = sig + begin;
|
sig = sig + begin;
|
||||||
/* In the fuzz, sigSz ends up 1 and it has issues. */
|
/* In the fuzz, sigSz ends up 1 and it has issues. */
|
||||||
sigSz = scratch;
|
sigSz = scratch;
|
||||||
|
@ -3201,7 +3211,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#ifdef HAVE_ECC
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
byte* r;
|
byte* r;
|
||||||
byte* s;
|
byte* s;
|
||||||
word32 rSz, sSz, asnSigSz;
|
word32 rSz, sSz, asnSigSz;
|
||||||
|
@ -3239,12 +3249,12 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sigKeyBlock.useRsa) {
|
if (sigKeyBlock.useRsa) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key);
|
wc_FreeRsaKey(&sigKeyBlock.sk.rsa.key);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#ifdef HAVE_ECC
|
#ifdef WOLFSSH_NO_ECDSA
|
||||||
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
|
wc_ecc_free(&sigKeyBlock.sk.ecc.key);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
@ -3463,7 +3473,6 @@ static int DoRequestSuccess(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
|
||||||
*idx = begin;
|
*idx = begin;
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
|
static int DoRequestFailure(WOLFSSH *ssh, byte *buf, word32 len, word32 *idx)
|
||||||
|
@ -3838,7 +3847,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
/* Utility for DoUserAuthRequestPublicKey() */
|
/* Utility for DoUserAuthRequestPublicKey() */
|
||||||
/* returns negative for error, positive is size of digest. */
|
/* returns negative for error, positive is size of digest. */
|
||||||
static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
||||||
|
@ -3961,6 +3970,7 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
/* Utility for DoUserAuthRequestPublicKey() */
|
/* Utility for DoUserAuthRequestPublicKey() */
|
||||||
/* returns negative for error, positive is size of digest. */
|
/* returns negative for error, positive is size of digest. */
|
||||||
static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
||||||
|
@ -4107,8 +4117,10 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
|
||||||
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret);
|
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestEcc(), ret = %d", ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||||
/* Utility for DoUserAuthRequest() */
|
/* Utility for DoUserAuthRequest() */
|
||||||
static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||||
byte* buf, word32 len, word32* idx)
|
byte* buf, word32 len, word32* idx)
|
||||||
|
@ -4263,7 +4275,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||||
|
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
if (pkTypeId == ID_SSH_RSA) {
|
if (pkTypeId == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
ret = DoUserAuthRequestRsa(ssh, pk,
|
ret = DoUserAuthRequestRsa(ssh, pk,
|
||||||
hashId, digest, digestSz);
|
hashId, digest, digestSz);
|
||||||
#endif
|
#endif
|
||||||
|
@ -4271,8 +4283,10 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||||
else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
|
else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
|
||||||
pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
|
pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
|
||||||
pkTypeId == ID_ECDSA_SHA2_NISTP521)
|
pkTypeId == ID_ECDSA_SHA2_NISTP521)
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
ret = DoUserAuthRequestEcc(ssh, pk,
|
ret = DoUserAuthRequestEcc(ssh, pk,
|
||||||
hashId, digest, digestSz);
|
hashId, digest, digestSz);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret != WS_SUCCESS) {
|
if (ret != WS_SUCCESS) {
|
||||||
|
@ -4289,6 +4303,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
||||||
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret);
|
WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestPublicKey(), ret = %d", ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
static int DoUserAuthRequest(WOLFSSH* ssh,
|
static int DoUserAuthRequest(WOLFSSH* ssh,
|
||||||
|
@ -4349,10 +4364,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
|
||||||
|
|
||||||
if (authNameId == ID_USERAUTH_PASSWORD)
|
if (authNameId == ID_USERAUTH_PASSWORD)
|
||||||
ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
|
ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
|
||||||
|
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||||
else if (authNameId == ID_USERAUTH_PUBLICKEY) {
|
else if (authNameId == ID_USERAUTH_PUBLICKEY) {
|
||||||
authData.sf.publicKey.dataToSign = buf + *idx;
|
authData.sf.publicKey.dataToSign = buf + *idx;
|
||||||
ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
|
ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSH_ALLOW_USERAUTH_NONE
|
#ifdef WOLFSSH_ALLOW_USERAUTH_NONE
|
||||||
else if (authNameId == ID_NONE) {
|
else if (authNameId == ID_NONE) {
|
||||||
ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin);
|
ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin);
|
||||||
|
@ -4409,9 +4426,11 @@ static int DoUserAuthFailure(WOLFSSH* ssh,
|
||||||
case ID_USERAUTH_PASSWORD:
|
case ID_USERAUTH_PASSWORD:
|
||||||
authType |= WOLFSSH_USERAUTH_PASSWORD;
|
authType |= WOLFSSH_USERAUTH_PASSWORD;
|
||||||
break;
|
break;
|
||||||
|
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||||
case ID_USERAUTH_PUBLICKEY:
|
case ID_USERAUTH_PUBLICKEY:
|
||||||
authType |= WOLFSSH_USERAUTH_PUBLICKEY;
|
authType |= WOLFSSH_USERAUTH_PUBLICKEY;
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -5460,7 +5479,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
|
||||||
case ID_NONE:
|
case ID_NONE:
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef HAVE_AES_CBC
|
#ifndef WOLFSSH_NO_AES_CBC
|
||||||
case ID_AES128_CBC:
|
case ID_AES128_CBC:
|
||||||
if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
|
if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
|
||||||
cipher, input, sz) < 0) {
|
cipher, input, sz) < 0) {
|
||||||
|
@ -5470,7 +5489,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_AES_COUNTER
|
#ifndef WOLFSSH_NO_AES_CTR
|
||||||
case ID_AES128_CTR:
|
case ID_AES128_CTR:
|
||||||
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes,
|
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->encryptCipher.aes,
|
||||||
cipher, input, sz) < 0) {
|
cipher, input, sz) < 0) {
|
||||||
|
@ -5504,7 +5523,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
|
||||||
case ID_NONE:
|
case ID_NONE:
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef HAVE_AES_CBC
|
#ifndef WOLFSSH_NO_AES_CBC
|
||||||
case ID_AES128_CBC:
|
case ID_AES128_CBC:
|
||||||
if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
|
if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
|
||||||
plain, input, sz) < 0) {
|
plain, input, sz) < 0) {
|
||||||
|
@ -5514,7 +5533,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_AES_COUNTER
|
#ifndef WOLFSSH_NO_AES_CTR
|
||||||
case ID_AES128_CTR:
|
case ID_AES128_CTR:
|
||||||
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes,
|
if (sz % AES_BLOCK_SIZE || AESCTRHELPER(&ssh->decryptCipher.aes,
|
||||||
plain, input, sz) < 0) {
|
plain, input, sz) < 0) {
|
||||||
|
@ -6419,7 +6438,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
||||||
const char *name;
|
const char *name;
|
||||||
word32 nameSz;
|
word32 nameSz;
|
||||||
union {
|
union {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
|
||||||
struct {
|
struct {
|
||||||
RsaKey key;
|
RsaKey key;
|
||||||
byte e[257];
|
byte e[257];
|
||||||
|
@ -6430,6 +6449,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
||||||
byte nPad;
|
byte nPad;
|
||||||
} rsa;
|
} rsa;
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
|
||||||
struct {
|
struct {
|
||||||
ecc_key key;
|
ecc_key key;
|
||||||
word32 keyBlobSz;
|
word32 keyBlobSz;
|
||||||
|
@ -6441,6 +6461,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
||||||
const char *primeName;
|
const char *primeName;
|
||||||
word32 primeNameSz;
|
word32 primeNameSz;
|
||||||
} ecc;
|
} ecc;
|
||||||
|
#endif
|
||||||
} sk;
|
} sk;
|
||||||
} sigKeyBlock;
|
} sigKeyBlock;
|
||||||
|
|
||||||
|
@ -6524,7 +6545,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
||||||
* either be RSA or ECDSA public key blob. */
|
* either be RSA or ECDSA public key blob. */
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
if (sigKeyBlock.useRsa) {
|
if (sigKeyBlock.useRsa) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
|
||||||
/* Decode the user-configured RSA private key. */
|
/* Decode the user-configured RSA private key. */
|
||||||
sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e);
|
sigKeyBlock.sk.rsa.eSz = sizeof(sigKeyBlock.sk.rsa.e);
|
||||||
sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n);
|
sigKeyBlock.sk.rsa.nSz = sizeof(sigKeyBlock.sk.rsa.n);
|
||||||
|
@ -6614,7 +6635,7 @@ int SendKexDhReply(WOLFSSH* ssh)
|
||||||
enmhashId,
|
enmhashId,
|
||||||
sigKeyBlock.sk.rsa.n,
|
sigKeyBlock.sk.rsa.n,
|
||||||
sigKeyBlock.sk.rsa.nSz);
|
sigKeyBlock.sk.rsa.nSz);
|
||||||
#endif
|
#endif /* WOLFSSH_NO_SSH_RSA_SHA1 */
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
sigKeyBlock.sk.ecc.primeName =
|
sigKeyBlock.sk.ecc.primeName =
|
||||||
|
@ -7714,7 +7735,7 @@ typedef struct WS_KeySignature {
|
||||||
const char *name;
|
const char *name;
|
||||||
word32 nameSz;
|
word32 nameSz;
|
||||||
union {
|
union {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
struct {
|
struct {
|
||||||
RsaKey key;
|
RsaKey key;
|
||||||
byte e[256];
|
byte e[256];
|
||||||
|
@ -7725,6 +7746,7 @@ typedef struct WS_KeySignature {
|
||||||
byte nPad;
|
byte nPad;
|
||||||
} rsa;
|
} rsa;
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
struct {
|
struct {
|
||||||
ecc_key key;
|
ecc_key key;
|
||||||
word32 keyBlobSz;
|
word32 keyBlobSz;
|
||||||
|
@ -7736,12 +7758,17 @@ typedef struct WS_KeySignature {
|
||||||
const char *primeName;
|
const char *primeName;
|
||||||
word32 primeNameSz;
|
word32 primeNameSz;
|
||||||
} ecc;
|
} ecc;
|
||||||
|
#endif
|
||||||
} ks;
|
} ks;
|
||||||
} WS_KeySignature;
|
} WS_KeySignature;
|
||||||
|
|
||||||
|
|
||||||
static const char cannedAuths[] = "publickey,password";
|
static const char cannedAuths[] =
|
||||||
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 1;
|
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||||
|
"publickey,"
|
||||||
|
#endif
|
||||||
|
"password,";
|
||||||
|
static const word32 cannedAuthsSz = sizeof(cannedAuths) - 2;
|
||||||
|
|
||||||
|
|
||||||
/* Updates the payload size, and maybe loads keys. */
|
/* Updates the payload size, and maybe loads keys. */
|
||||||
|
@ -7786,7 +7813,7 @@ static int BuildUserAuthRequestPassword(WOLFSSH* ssh,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz,
|
static int PrepareUserAuthRequestRsa(WOLFSSH* ssh, word32* payloadSz,
|
||||||
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
||||||
{
|
{
|
||||||
|
@ -7942,6 +7969,7 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
|
static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
|
||||||
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
||||||
{
|
{
|
||||||
|
@ -8137,8 +8165,10 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
|
||||||
static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
|
static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
|
||||||
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
const WS_UserAuthData* authData, WS_KeySignature* keySig)
|
||||||
{
|
{
|
||||||
|
@ -8162,14 +8192,17 @@ static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (keySig->keySigId == ID_SSH_RSA) {
|
if (keySig->keySigId == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig);
|
ret = PrepareUserAuthRequestRsa(ssh, payloadSz, authData, keySig);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
|
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
|
||||||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
|
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
|
||||||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521)
|
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig);
|
ret = PrepareUserAuthRequestEcc(ssh, payloadSz, authData, keySig);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
else
|
else
|
||||||
ret = WS_INVALID_ALGO_ID;
|
ret = WS_INVALID_ALGO_ID;
|
||||||
|
|
||||||
|
@ -8206,16 +8239,19 @@ static int BuildUserAuthRequestPublicKey(WOLFSSH* ssh,
|
||||||
|
|
||||||
if (pk->hasSignature) {
|
if (pk->hasSignature) {
|
||||||
if (keySig->keySigId == ID_SSH_RSA) {
|
if (keySig->keySigId == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
ret = BuildUserAuthRequestRsa(ssh, output, &begin,
|
ret = BuildUserAuthRequestRsa(ssh, output, &begin,
|
||||||
authData, sigStart, sigStartIdx, keySig);
|
authData, sigStart, sigStartIdx, keySig);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
|
else if (keySig->keySigId == ID_ECDSA_SHA2_NISTP256 ||
|
||||||
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
|
keySig->keySigId == ID_ECDSA_SHA2_NISTP384 ||
|
||||||
keySig->keySigId == ID_ECDSA_SHA2_NISTP521)
|
keySig->keySigId == ID_ECDSA_SHA2_NISTP521) {
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
ret = BuildUserAuthRequestEcc(ssh, output, &begin,
|
ret = BuildUserAuthRequestEcc(ssh, output, &begin,
|
||||||
authData, sigStart, sigStartIdx, keySig);
|
authData, sigStart, sigStartIdx, keySig);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
ret = WS_INVALID_ALGO_ID;
|
ret = WS_INVALID_ALGO_ID;
|
||||||
|
@ -8232,14 +8268,18 @@ static void CleanupUserAuthRequestPublicKey(WS_KeySignature* keySig)
|
||||||
{
|
{
|
||||||
if (keySig != NULL) {
|
if (keySig != NULL) {
|
||||||
if (keySig->keySigId == ID_SSH_RSA) {
|
if (keySig->keySigId == ID_SSH_RSA) {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
wc_FreeRsaKey(&keySig->ks.rsa.key);
|
wc_FreeRsaKey(&keySig->ks.rsa.key);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
|
#ifndef WOLFSSH_NO_ECDSA
|
||||||
wc_ecc_free(&keySig->ks.ecc.key);
|
wc_ecc_free(&keySig->ks.ecc.key);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig)
|
int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig)
|
||||||
|
@ -8580,7 +8620,7 @@ int SendRequestSuccess(WOLFSSH *ssh, int success)
|
||||||
WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret);
|
WLOG(WS_LOG_DEBUG, "Leaving SendRequestSuccess(), ret = %d", ret);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel,
|
static int SendChannelOpen(WOLFSSH* ssh, WOLFSSH_CHANNEL* channel,
|
||||||
byte* channelData, word32 channelDataSz)
|
byte* channelData, word32 channelDataSz)
|
||||||
{
|
{
|
||||||
|
|
14
src/ssh.c
14
src/ssh.c
|
@ -726,7 +726,7 @@ int wolfSSH_connect(WOLFSSH* ssh)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssh->handshake->kexId == ID_DH_GEX_SHA256) {
|
if (ssh->handshake->kexId == ID_DH_GEX_SHA256) {
|
||||||
#ifndef NO_DH
|
#ifndef WOLFSSH_NO_DH
|
||||||
ssh->error = SendKexDhGexRequest(ssh);
|
ssh->error = SendKexDhGexRequest(ssh);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
@ -1436,10 +1436,12 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
||||||
else if (format == WOLFSSH_FORMAT_ASN1) {
|
else if (format == WOLFSSH_FORMAT_ASN1) {
|
||||||
byte* newKey;
|
byte* newKey;
|
||||||
union {
|
union {
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
RsaKey rsa;
|
RsaKey rsa;
|
||||||
#endif
|
#endif
|
||||||
ecc_key ecc;
|
#ifndef WOLFSSH_NO_ECC
|
||||||
|
ecc_key ecc;
|
||||||
|
#endif
|
||||||
} testKey;
|
} testKey;
|
||||||
word32 scratch = 0;
|
word32 scratch = 0;
|
||||||
|
|
||||||
|
@ -1456,7 +1458,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
||||||
}
|
}
|
||||||
*outSz = inSz;
|
*outSz = inSz;
|
||||||
WMEMCPY(newKey, in, inSz);
|
WMEMCPY(newKey, in, inSz);
|
||||||
#ifndef NO_RSA
|
#ifndef WOLFSSH_NO_RSA
|
||||||
/* TODO: This is copied and modified from a function in src/internal.c.
|
/* TODO: This is copied and modified from a function in src/internal.c.
|
||||||
This and that code should be combined into a single function. */
|
This and that code should be combined into a single function. */
|
||||||
if (wc_InitRsaKey(&testKey.rsa, heap) < 0)
|
if (wc_InitRsaKey(&testKey.rsa, heap) < 0)
|
||||||
|
@ -1472,6 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_ECC
|
||||||
byte curveId = ID_UNKNOWN;
|
byte curveId = ID_UNKNOWN;
|
||||||
|
|
||||||
/* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */
|
/* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */
|
||||||
|
@ -1500,7 +1503,8 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
return WS_BAD_FILE_E;
|
return WS_BAD_FILE_E;
|
||||||
#ifndef NO_RSA
|
#endif
|
||||||
|
#ifndef WOLFSSH_NO_RSA
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
|
@ -131,6 +131,14 @@ extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef NO_RSA
|
||||||
|
#define WOLFSSH_NO_RSA
|
||||||
|
#endif
|
||||||
|
#ifndef HAVE_ECC
|
||||||
|
#define WOLFSSH_NO_ECDSA
|
||||||
|
#define WOLFSSH_NO_ECDHE
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(NO_RSA) || defined(NO_SHA)
|
#if defined(NO_RSA) || defined(NO_SHA)
|
||||||
#define WOLFSSH_NO_SSH_RSA_SHA1
|
#define WOLFSSH_NO_SSH_RSA_SHA1
|
||||||
#endif
|
#endif
|
||||||
|
@ -386,7 +394,7 @@ typedef struct HandshakeInfo {
|
||||||
byte* kexInit;
|
byte* kexInit;
|
||||||
word32 kexInitSz;
|
word32 kexInitSz;
|
||||||
|
|
||||||
#ifndef NO_DH
|
#ifndef WOLFSSH_NO_DH
|
||||||
word32 dhGexMinSz;
|
word32 dhGexMinSz;
|
||||||
word32 dhGexPreferredSz;
|
word32 dhGexPreferredSz;
|
||||||
word32 dhGexMaxSz;
|
word32 dhGexMaxSz;
|
||||||
|
@ -398,7 +406,7 @@ typedef struct HandshakeInfo {
|
||||||
|
|
||||||
byte useEcc;
|
byte useEcc;
|
||||||
union {
|
union {
|
||||||
#ifndef NO_DH
|
#ifndef WOLFSSH_NO_DH
|
||||||
DhKey dh;
|
DhKey dh;
|
||||||
#endif
|
#endif
|
||||||
ecc_key ecc;
|
ecc_key ecc;
|
||||||
|
|
Loading…
Reference in New Issue