Separate the ECC disable into ECDSA and ECDHE disables.

Author: ejohnstown

src/internal.c

@@ -119,6 +119,10 @@
     Set when all DH algorithms are disabled. Set to disable use of all DH
     algorithms for key agreement. Setting this will force all DH key agreement
     algorithms off.
+  WOLFSSH_NO_ECDH
+    Set when all ECDH algorithms are disabled. Set to disable use of all ECDH
+    algorithms for key agreement. Setting this will force all ECDH key agreement
+    algorithms off.
 */
 
 
@@ -2234,29 +2238,19 @@ static INLINE int wcPrimeForId(byte id)
             return ECC_CURVE_INVALID;
     }
 }
+
+#ifndef WOLFSSH_NO_ECDSA
 static INLINE const char *PrimeNameForId(byte id)
 {
     switch (id) {
-#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
-        case ID_ECDH_SHA2_NISTP256:
-            return "nistp256";
-#endif
 #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
         case ID_ECDSA_SHA2_NISTP256:
             return "nistp256";
 #endif
-#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP384
-        case ID_ECDH_SHA2_NISTP384:
-            return "nistp384";
-#endif
 #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP384
         case ID_ECDSA_SHA2_NISTP384:
             return "nistp384";
 #endif
-#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP521
-        case ID_ECDH_SHA2_NISTP521:
-            return "nistp521";
-#endif
 #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
         case ID_ECDSA_SHA2_NISTP521:
             return "nistp521";
@@ -2265,6 +2259,7 @@ static INLINE const char *PrimeNameForId(byte id)
             return "unknown";
     }
 }
+#endif
 
 
 static INLINE byte AeadModeForId(byte id)
@@ -2785,7 +2780,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
                 RsaKey   key;
             } rsa;
 #endif
-#ifndef WOLFSSH_NO_ECC
+#ifndef WOLFSSH_NO_ECDSA
             struct {
                 ecc_key key;
             } ecc;
@@ -3098,7 +3093,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 #endif
             }
             else {
-#ifndef WOLFSSH_NO_ECDHE
+#ifndef WOLFSSH_NO_ECDH
                 ecc_key key;
                 ret = wc_ecc_init(&key);
 #ifdef HAVE_WC_ECC_SET_RNG
@@ -3254,7 +3249,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 #endif
         }
         else {
-#ifdef WOLFSSH_NO_ECDSA
+#ifndef WOLFSSH_NO_ECDSA
             wc_ecc_free(&sigKeyBlock.sk.ecc.key);
 #endif
         }
@@ -4120,7 +4115,7 @@ static int DoUserAuthRequestEcc(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
 #endif
 
 
-#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
+#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
 /* Utility for DoUserAuthRequest() */
 static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
                                       byte* buf, word32 len, word32* idx)
@@ -4282,11 +4277,12 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
                 }
                 else if (pkTypeId == ID_ECDSA_SHA2_NISTP256 ||
                          pkTypeId == ID_ECDSA_SHA2_NISTP384 ||
-                         pkTypeId == ID_ECDSA_SHA2_NISTP521)
+                         pkTypeId == ID_ECDSA_SHA2_NISTP521) {
 #ifndef WOLFSSH_NO_ECDSA
                     ret = DoUserAuthRequestEcc(ssh, pk,
                                                hashId, digest, digestSz);
 #endif
+                }
             }
 
             if (ret != WS_SUCCESS) {
@@ -4364,7 +4360,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
 
         if (authNameId == ID_USERAUTH_PASSWORD)
             ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
-#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
+#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
         else if (authNameId == ID_USERAUTH_PUBLICKEY) {
             authData.sf.publicKey.dataToSign = buf + *idx;
             ret = DoUserAuthRequestPublicKey(ssh, &authData, buf, len, &begin);
@@ -6449,7 +6445,7 @@ int SendKexDhReply(WOLFSSH* ssh)
                 byte nPad;
             } rsa;
 #endif
-#ifndef WOLFSSH_NO_ECDH_SHA2_NISTP256
+#ifndef WOLFSSH_NO_ECDSA
             struct {
                 ecc_key key;
                 word32 keyBlobSz;
@@ -6638,6 +6634,7 @@ int SendKexDhReply(WOLFSSH* ssh)
 #endif /* WOLFSSH_NO_SSH_RSA_SHA1 */
         }
         else {
+#ifndef WOLFSSH_NO_ECDSA
             sigKeyBlock.sk.ecc.primeName =
                                        PrimeNameForId(ssh->handshake->pubKeyId);
             sigKeyBlock.sk.ecc.primeNameSz =
@@ -6707,6 +6704,7 @@ int SendKexDhReply(WOLFSSH* ssh)
                                     enmhashId,
                                     sigKeyBlock.sk.ecc.q,
                                     sigKeyBlock.sk.ecc.qSz);
+#endif
         }
 #ifndef WOLFSSH_NO_DH_GEX_SHA256
         /* If using DH-GEX include the GEX specific values. */
@@ -6950,6 +6948,7 @@ int SendKexDhReply(WOLFSSH* ssh)
 #endif
             }
             else {
+#ifndef WOLFSSH_NO_ECDSA
                 WLOG(WS_LOG_INFO, "Signing hash with ECDSA.");
                 sigSz = sizeof(sig);
                 ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId),
@@ -6987,6 +6986,7 @@ int SendKexDhReply(WOLFSSH* ssh)
                         WMEMCPY(sig + idx, s, sSz);
                     }
                 }
+#endif
             }
         }
     }
@@ -6997,7 +6997,9 @@ int SendKexDhReply(WOLFSSH* ssh)
 #endif
     }
     else {
+#ifndef WOLFSSH_NO_ECDSA
         wc_ecc_free(&sigKeyBlock.sk.ecc.key);
+#endif
     }
 
     sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock.nameSz + sigSz;
@@ -7043,6 +7045,7 @@ int SendKexDhReply(WOLFSSH* ssh)
 #endif
         }
         else {
+#ifndef WOLFSSH_NO_ECDSA
             c32toa(sigKeyBlock.sk.ecc.primeNameSz, output + idx);
             idx += LENGTH_SZ;
             WMEMCPY(output + idx, sigKeyBlock.sk.ecc.primeName,
@@ -7053,6 +7056,7 @@ int SendKexDhReply(WOLFSSH* ssh)
             WMEMCPY(output + idx, sigKeyBlock.sk.ecc.q,
                     sigKeyBlock.sk.ecc.qSz);
             idx += sigKeyBlock.sk.ecc.qSz;
+#endif
         }
 
         /* Copy the server's public key. F for DE, or Q_S for ECDH. */
@@ -8168,7 +8172,7 @@ static int BuildUserAuthRequestEcc(WOLFSSH* ssh,
 #endif
 
 
-#if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECDSA)
+#if !defined(WOLFSSH_NO_RSA) || !defined(WOLFSSH_NO_ECDSA)
 static int PrepareUserAuthRequestPublicKey(WOLFSSH* ssh, word32* payloadSz,
         const WS_UserAuthData* authData, WS_KeySignature* keySig)
 {

src/ssh.c

@@ -1439,7 +1439,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
             #ifndef WOLFSSH_NO_RSA
                 RsaKey rsa;
             #endif
-            #ifndef WOLFSSH_NO_ECC
+            #ifndef WOLFSSH_NO_ECDSA
                 ecc_key ecc;
             #endif
         } testKey;
@@ -1474,7 +1474,7 @@ int wolfSSH_ReadKey_buffer(const byte* in, word32 inSz, int format,
         }
         else {
 #endif
-#ifndef WOLFSSH_NO_ECC
+#ifndef WOLFSSH_NO_ECDSA
             byte curveId = ID_UNKNOWN;
 
             /* Couldn't decode as RSA testKey. Try decoding as ECC testKey. */

tests/api.c

@@ -462,14 +462,14 @@ enum WS_TestFormatTypes {
 };
 
 
-#ifndef NO_ECC256
+#ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP256
 static const char serverKeyEccDer[] =
     "307702010104206109990b79d25f285a0f5d15cca15654f92b3987212da77d85"
     "7bb87f38c66dd5a00a06082a8648ce3d030107a144034200048113ffa42bb79c"
     "45747a834c61f33fad26cf22cda9a3bca561b47ce662d4c2f755439a31fb8011"
     "20b5124b24f578d7fd22ef4635f005586b5f63c8da1bc4f569";
 static const int serverKeyEccCurveId = ECC_SECP256R1;
-#elif defined(HAVE_ECC384)
+#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP384)
 static const char serverKeyEccDer[] =
     "3081a402010104303eadd2bbbf05a7be3a3f7c28151289de5bb3644d7011761d"
     "b56f2a0362fba64f98e64ff986dc4fb8efdb2d6b8da57142a00706052b810400"
@@ -478,7 +478,7 @@ static const char serverKeyEccDer[] =
     "b4c6a4cf5e97bd7e51e975e3e9217261506eb9cf3c493d3eb88d467b5f27ebab"
     "2161c00066febd";
 static const int serverKeyEccCurveId = ECC_SECP384R1;
-#elif defined(HAVE_ECC521)
+#elif defined(WOLFSSH_NO_ECDSA_SHA2_NISTP521)
 static const char serverKeyEccDer[] =
     "3081dc0201010442004ca4d86428d9400e7b2df3912eb996c195895043af92e8"
     "6de70ae4df46f22a291a6bb2748aae82580df6c39f49b3ed82f1789ece1b657d"
@@ -490,6 +490,7 @@ static const char serverKeyEccDer[] =
 static const int serverKeyEccCurveId = ECC_SECP521R1;
 #endif
 
+#ifndef WOLFSSH_NO_SSH_RSA_SHA1
 static const char serverKeyRsaDer[] =
     "308204a30201000282010100da5dad2514761559f340fd3cb86230b36dc0f9ec"
     "ec8b831e9e429cca416ad38ae15234e00d13627ed40fae5c4d04f18dfac5ad77"
@@ -529,6 +530,7 @@ static const char serverKeyRsaDer[] =
     "731fba275c82f8ad311edef33772cb47d2cdf7f87f0039db8d2aca4ec1cee215"
     "89d63a61ae9da230a585ae38ea4674dc023aace95fa3c6734f73819056c3ce77"
     "5f5bba6c42f121";
+#endif
 
 
 static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
@@ -591,9 +593,11 @@ static void test_wolfSSH_CTX_UsePrivateKey_buffer(void)
                                          TEST_GOOD_FORMAT_ASN1));
     AssertNotNull(ctx->privateKey);
     AssertIntNE(0, ctx->privateKeySz);
+#ifndef WOLFSSH_NO_ECDSA
     AssertIntEQ(serverKeyEccCurveId, ctx->useEcc);
+#endif
 
-#ifndef NO_RSA
+#ifndef WOLFSSH_NO_RSA
     lastKey = ctx->privateKey;
     lastKeySz = ctx->privateKeySz;
     AssertIntEQ(WS_SUCCESS,

wolfssh/internal.h

@@ -74,8 +74,8 @@ extern "C" {
 #ifndef HAVE_ECC
     #undef WOLFSSH_NO_ECDSA
     #define WOLFSSH_NO_ECDSA
-    #undef WOLFSSH_NO_ECDHE
-    #define WOLFSSH_NO_ECDHE
+    #undef WOLFSSH_NO_ECDH
+    #define WOLFSSH_NO_ECDH
 #endif
 
 #ifdef NO_DH
@@ -115,15 +115,15 @@ extern "C" {
     #undef WOLFSSH_NO_DH_GEX_SHA256
     #define WOLFSSH_NO_DH_GEX_SHA256
 #endif
-#if defined(WOLFSSH_NO_ECDHE) || defined(NO_SHA256) || defined(NO_ECC256)
+#if defined(WOLFSSH_NO_ECDH) || defined(NO_SHA256) || defined(NO_ECC256)
     #undef WOLFSSH_NO_ECDH_SHA2_NISTP256
     #define WOLFSSH_NO_ECDH_SHA2_NISTP256
 #endif
-#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
+#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA384) || !defined(HAVE_ECC384)
     #undef WOLFSSH_NO_ECDH_SHA2_NISTP384
     #define WOLFSSH_NO_ECDH_SHA2_NISTP384
 #endif
-#if defined(WOLFSSH_NO_ECDHE) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
+#if defined(WOLFSSH_NO_ECDH) || !defined(WOLFSSL_SHA512) || !defined(HAVE_ECC521)
     #undef WOLFSSH_NO_ECDH_SHA2_NISTP521
     #define WOLFSSH_NO_ECDH_SHA2_NISTP521
 #endif
@@ -152,8 +152,8 @@ extern "C" {
 #if defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && \
     defined(WOLFSSH_NO_ECDH_SHA2_NISTP384) && \
     defined(WOLFSSH_NO_ECDH_SHA2_NISTP521)
-    #undef WOLFSSH_NO_ECDHE
-    #define WOLFSSH_NO_ECDHE
+    #undef WOLFSSH_NO_ECDH
+    #define WOLFSSH_NO_ECDH
 #endif
 
 #if defined(WOLFSSH_NO_RSA) || defined(NO_SHA)