KEX Cipher Lists

1. Fix the peer MAC algorithm matching to use the MAC algorithm list from
   the WOLFSSH object.
2. Fix polarity checking WOLFSSH_NO_SHA1_SOFT_DISABLE.
3. Remove some redundant size constants. Use strlen().
4. Rearrange the canned key algorithm names, add the missing items, and
   add guards.
5. Whitespace.
pull/661/head
John Safranek 2024-02-27 17:28:11 -08:00
parent c8e00a409b
commit cfe99cc696
1 changed files with 31 additions and 74 deletions


@ -583,7 +583,7 @@ static const char cannedKexAlgoNames[] =
#if !defined(WOLFSSH_NO_DH_GEX_SHA256)
"diffie-hellman-group-exchange-sha256,"
#endif
#ifndef WOLFSSH_NO_SHA1_SOFT_DISABLE
#ifdef WOLFSSH_NO_SHA1_SOFT_DISABLE
#if !defined(WOLFSSH_NO_DH_GROUP14_SHA1)
"diffie-hellman-group14-sha1,"
#endif
@ -630,12 +630,19 @@ static const char cannedKexAlgoNames[] =
static const char cannedKeyAlgoRsaSha2_512Names[] = "rsa-sha2-512";
#endif
#ifdef WOLFSSH_CERTS
static const char cannedKeyAlgoNames[] =
"rsa-sha2-256,x509v3-ssh-rsa,ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp256";
#else
static const char cannedKeyAlgoNames[] = "rsa-sha2-256,ecdsa-sha2-nistp256";
#endif
"rsa-sha2-256,"
"ecdsa-sha2-nistp256,"
#ifdef WOLFSSH_CERTS
"x509v3-ecdsa-sha2-nistp256,"
#ifdef WOLFSSH_NO_SHA1_SOFT_DISABLE
"x509v3-ssh-rsa,"
#endif /* WOLFSSH_NO_SHA1_SOFT_DISABLE */
#endif /* WOLFSSH_CERTS */
#ifdef WOLFSSH_NO_SHA1_SOFT_DISABLE
"ssh-rsa,"
#endif /* WOLFSSH_NO_SHA1_SOFT_DISABLE */
"";
static const char cannedEncAlgoNames[] =
#if !defined(WOLFSSH_NO_AES_GCM)
@ -710,9 +717,6 @@ WOLFSSH_CTX* CtxInit(WOLFSSH_CTX* ctx, byte side, void* heap)
ctx->maxPacketSz = DEFAULT_MAX_PACKET_SZ;
ctx->sshProtoIdStr = sshProtoIdStr;
ctx->algoListKex = cannedKexAlgoNames;
#if 0
ctx->algoListKey = cannedKeyAlgoNames;
#endif
ctx->algoListCipher = cannedEncAlgoNames;
ctx->algoListMac = cannedMacAlgoNames;
@ -3674,7 +3678,7 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
cannedAlgoNamesSz = AlgoListSz(ssh->algoListMac);
cannedListSz = (word32)sizeof(cannedList);
ret = GetNameListRaw(cannedList, &cannedListSz,
(const byte*)cannedMacAlgoNames, cannedAlgoNamesSz);
(const byte*)ssh->algoListMac, cannedAlgoNamesSz);
}
if (ret == WS_SUCCESS) {
algoId = MatchIdLists(side, list, listSz, cannedList, cannedListSz);
@ -3802,7 +3806,8 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
}
if (ret == WS_SUCCESS) {
ret = HashUpdate(hash, hashId, (const byte*)ssh->ctx->sshProtoIdStr, strSz);
ret = HashUpdate(hash, hashId,
(const byte*)ssh->ctx->sshProtoIdStr, strSz);
}
if (ret == WS_SUCCESS) {
@ -8992,51 +8997,6 @@ static int BuildNameList(char* buf, word32 bufSz,
}
/* -1 for the null */
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
static const word32 cannedKeyAlgoSshRsaNamesSz =
(word32)sizeof(cannedKeyAlgoSshRsaNames) - 1;
#endif
#ifndef WOLFSSH_NO_RSA_SHA2_256
static const word32 cannedKeyAlgoRsaSha2_256NamesSz =
(word32)sizeof(cannedKeyAlgoRsaSha2_256Names) - 1;
#endif
#ifndef WOLFSSH_NO_RSA_SHA2_512
static const word32 cannedKeyAlgoRsaSha2_512NamesSz =
(word32)sizeof(cannedKeyAlgoRsaSha2_512Names) - 1;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
static const word32 cannedKeyAlgoEcc256NamesSz =
(word32)sizeof(cannedKeyAlgoEcc256Names) - 1;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
static const word32 cannedKeyAlgoEcc384NamesSz =
(word32)sizeof(cannedKeyAlgoEcc384Names) - 1;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
static const word32 cannedKeyAlgoEcc521NamesSz =
(word32)sizeof(cannedKeyAlgoEcc521Names) - 1;
#endif
#ifdef WOLFSSH_CERTS
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
static const word32 cannedKeyAlgoX509Ecc256NamesSz =
(word32)sizeof(cannedKeyAlgoX509Ecc256Names) - 1;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
static const word32 cannedKeyAlgoX509Ecc384NamesSz =
(word32)sizeof(cannedKeyAlgoX509Ecc384Names) - 1;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
static const word32 cannedKeyAlgoX509Ecc521NamesSz =
(word32)sizeof(cannedKeyAlgoX509Ecc521Names) - 1;
#endif
#endif /* WOLFSSH_CERTS */
static const word32 cannedKeyAlgoNamesSz =
(word32)sizeof(cannedKeyAlgoNames) - 1;
int SendKexInit(WOLFSSH* ssh)
{
byte* output = NULL;
@ -11250,12 +11210,14 @@ int SendServiceAccept(WOLFSSH* ssh, byte serviceId)
#define WS_EXTINFO_EXTENSION_COUNT 1
static const char serverSigAlgsName[] = "server-sig-algs";
static word32 serverSigAlgsNameSz = (word32)sizeof(serverSigAlgsName) - 1;
int SendExtInfo(WOLFSSH* ssh)
{
byte* output;
word32 idx;
word32 cannedKeyAlgoNamesSz = 0;
word32 serverSigAlgsNameSz = 0;
int ret = WS_SUCCESS;
WLOG(WS_LOG_DEBUG, "Entering SendExtInfo()");
@ -11265,6 +11227,8 @@ int SendExtInfo(WOLFSSH* ssh)
}
if (ret == WS_SUCCESS) {
cannedKeyAlgoNamesSz = AlgoListSz(cannedKeyAlgoNames);
serverSigAlgsNameSz = AlgoListSz(serverSigAlgsName);
ret = PreparePacket(ssh, MSG_ID_SZ + UINT32_SZ + (LENGTH_SZ * 2)
+ serverSigAlgsNameSz + cannedKeyAlgoNamesSz);
}
@ -11482,19 +11446,16 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh,
#ifndef WOLFSSH_NO_SSH_RSA_SHA1
case ID_SSH_RSA:
names = cannedKeyAlgoSshRsaNames;
namesSz = cannedKeyAlgoSshRsaNamesSz;
break;
#endif
#ifndef WOLFSSH_NO_RSA_SHA2_256
case ID_RSA_SHA2_256:
names = cannedKeyAlgoRsaSha2_256Names;
namesSz = cannedKeyAlgoRsaSha2_256NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_RSA_SHA2_512
case ID_RSA_SHA2_512:
names = cannedKeyAlgoRsaSha2_512Names;
namesSz = cannedKeyAlgoRsaSha2_512NamesSz;
break;
#endif
default:
@ -11503,6 +11464,7 @@ static int BuildUserAuthRequestRsa(WOLFSSH* ssh,
}
if (ret == WS_SUCCESS) {
namesSz = (word32)WSTRLEN(names);
c32toa(keySig->sigSz + namesSz + LENGTH_SZ * 2, output + begin);
begin += LENGTH_SZ;
c32toa(namesSz, output + begin);
@ -11916,19 +11878,16 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
case ID_ECDSA_SHA2_NISTP256:
names = cannedKeyAlgoEcc256Names;
namesSz = cannedKeyAlgoEcc256NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
case ID_ECDSA_SHA2_NISTP384:
names = cannedKeyAlgoEcc384Names;
namesSz = cannedKeyAlgoEcc384NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
case ID_ECDSA_SHA2_NISTP521:
names = cannedKeyAlgoEcc521Names;
namesSz = cannedKeyAlgoEcc521NamesSz;
break;
#endif
default:
@ -11937,6 +11896,8 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
}
if (ret == WS_SUCCESS) {
namesSz = (word32)WSTRLEN(names);
c32toa(rSz + rPad + sSz + sPad + namesSz + LENGTH_SZ * 4,
output + begin);
begin += LENGTH_SZ;
@ -12160,37 +12121,31 @@ static int BuildUserAuthRequestEccCert(WOLFSSH* ssh,
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
case ID_ECDSA_SHA2_NISTP256:
names = cannedKeyAlgoEcc256Names;
namesSz = cannedKeyAlgoEcc256NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
case ID_ECDSA_SHA2_NISTP384:
names = cannedKeyAlgoEcc384Names;
namesSz = cannedKeyAlgoEcc384NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
case ID_ECDSA_SHA2_NISTP521:
names = cannedKeyAlgoEcc521Names;
namesSz = cannedKeyAlgoEcc521NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
case ID_X509V3_ECDSA_SHA2_NISTP256:
names = cannedKeyAlgoX509Ecc256Names;
namesSz = cannedKeyAlgoX509Ecc256NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
case ID_X509V3_ECDSA_SHA2_NISTP384:
names = cannedKeyAlgoX509Ecc384Names;
namesSz = cannedKeyAlgoX509Ecc384NamesSz;
break;
#endif
#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
case ID_X509V3_ECDSA_SHA2_NISTP521:
names = cannedKeyAlgoX509Ecc521Names;
namesSz = cannedKeyAlgoX509Ecc521NamesSz;
break;
#endif
default:
@ -12199,6 +12154,8 @@ static int BuildUserAuthRequestEccCert(WOLFSSH* ssh,
}
if (ret == WS_SUCCESS) {
namesSz = (word32)WSTRLEN(names);
c32toa(rSz + rPad + sSz + sPad + namesSz+ LENGTH_SZ * 4,
output + begin);
begin += LENGTH_SZ;
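Review bot: In the `cannedKeyAlgoNames` hunk, the rebuilt list adds `"rsa-sha2-256,"` and `"ecdsa-sha2-nistp256,"` with no build guard, while the matching cases in `BuildUserAuthRequestRsa()` and `BuildUserAuthRequestEcc()` are wrapped in `#ifndef WOLFSSH_NO_RSA_SHA2_256` and `#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256`. Since `SendExtInfo()` sizes its packet from this list next to `server-sig-algs`, a build that compiles either algorithm out would apparently still advertise it to the peer; wrapping each entry in its matching `#ifndef … #endif` pair would keep the advertised set equal to what the build can actually verify. The list now ends in a trailing comma before `"";`, so the length relies on `AlgoListSz()` dropping it, which is not visible here and is worth confirming because the old `sizeof(...) - 1` constant had no such comma to handle. A short comment above the SHA-1 entries, such as `/* SHA-1 names are offered only when the soft disable is turned off */`, would also make the double-negative `WOLFSSH_NO_SHA1_SOFT_DISABLE` guard easier to audit.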