Commit c9a3d13d authored by Stephen Hurd's avatar Stephen Hurd

Use external cryptlib

parent 48eac5a0
Showing
with 7 additions and 547 deletions
cmake_minimum_required(VERSION 3.22) cmake_minimum_required(VERSION 3.22)
project (SyncTERM C) project (SyncTERM C)
include("FetchContent") include("FetchContent")
add_subdirectory(cryptlib)
FetchContent_Declare( FetchContent_Declare(
XPDevPlus XPDevPlus
...@@ -10,6 +9,13 @@ FetchContent_Declare( ...@@ -10,6 +9,13 @@ FetchContent_Declare(
) )
FetchContent_MakeAvailable(XPDevPlus) FetchContent_MakeAvailable(XPDevPlus)
FetchContent_Declare(
CryptlibBuild
GIT_REPOSITORY https://gitlab.synchro.net/Deuce/cryptlib.git
CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${CMAKE_BINARY_DIR}/cryptlib
)
FetchContent_MakeAvailable(CryptlibBuild)
# CPack stuff... # CPack stuff...
set(CPACK_PACKAGE_NAME SyncTERM) set(CPACK_PACKAGE_NAME SyncTERM)
set(CPACK_PACKAGE_VENDOR Deuce) set(CPACK_PACKAGE_VENDOR Deuce)
...@@ -58,7 +64,6 @@ set(SOURCE ...@@ -58,7 +64,6 @@ set(SOURCE
add_executable(syncterm ${SOURCE}) add_executable(syncterm ${SOURCE})
target_link_libraries(syncterm cryptlib xpdevplus) target_link_libraries(syncterm cryptlib xpdevplus)
add_dependencies(syncterm CryptlibBuild)
target_include_directories(syncterm PRIVATE ${CMAKE_BINARY_DIR}) target_include_directories(syncterm PRIVATE ${CMAKE_BINARY_DIR})
if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD") if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
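Review bot: The new FetchContent_Declare(CryptlibBuild ...) has no GIT_TAG, so every fresh configure pulls whatever the remote's default branch currently points at; for the library that supplies the program's TLS and SSH code that makes the build non-reproducible and means any change landing in that repository, intended or not, is compiled into the next build without review here. Pin it to a specific revision, e.g. `GIT_TAG <commit-hash>` (placeholder: use the revision this commit was tested against), and bump it deliberately. The `CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${CMAKE_BINARY_DIR}/cryptlib` line also appears to have no effect, since FetchContent performs only the download/update/patch steps and then brings the source in with add_subdirectory(), so the install prefix is never consulted and the line can be dropped. It is not visible here whether the fetched project's `cryptlib` target carries its header directory as a usage requirement; the unchanged `target_include_directories(syncterm PRIVATE ${CMAKE_BINARY_DIR})` previously served the copied cryptlib.h and may no longer point at where the header now lives, so that is worth confirming.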
cmake_minimum_required(VERSION 3.15)
project (Cryptlib C)
include("ExternalProject")
ExternalProject_Add(
CryptlibBuild
SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/dist
UPDATE_COMMAND ""
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/build.sh ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_BINARY_DIR}
)
add_library(cryptlib STATIC IMPORTED GLOBAL)
set_target_properties(cryptlib PROPERTIES IMPORTED_LOCATION ${CMAKE_BINARY_DIR}/libcl.a)
add_dependencies(cryptlib CryptlibBuild)
#target_link_libraries(cryptlib INTERFACE ${CMAKE_BINARY_DIR}/libcl.a)
#target_include_directories(cryptlib INTERFACE ${CMAKE_BINARY_DIR})
#!/bin/sh
rm -rf "$1/tmp"
mkdir "$1/tmp"
echo "Extracting Cryptlib"
unzip -oa -d "$1/tmp" "$1/dist/cryptlib.zip"
echo "Patching..."
for patch in `find "$1/patches" -type f`
do
patch -t -d "$1/tmp" < $patch
done
echo "Building..."
make -C "$1/tmp"
cp "$1/tmp/libcl.a" "$1/tmp/cryptlib.h" $2
rm -rf "$1/tmp"
File deleted
--- ../tmp2/tools/ccopts.sh 2019-03-04 16:32:32.000000000 -0500
+++ tools/ccopts.sh 2019-06-03 16:56:55.005703000 -0400
@@ -393,7 +393,6 @@
# of large-displacement jumps, so if you're tuning the code for size/speed
# you can try -fpic to see if you get any improvement.
-if [ $SHARED -gt 0 ] ; then
case $OSNAME in
'Darwin')
CCARGS="$CCARGS -fPIC -fno-common" ;;
@@ -420,7 +419,6 @@
*)
CCARGS="$CCARGS -fPIC" ;;
esac ;
-fi
# Conversely, if we're building a static lib and the system requires it, set
# up static lib-specific options.
--- ../tmp2/session/sess_attr.c 2019-02-05 18:18:28.000000000 -0500
+++ session/sess_attr.c 2019-06-03 17:06:34.378151000 -0400
@@ -102,11 +102,13 @@
/* If there's already a network socket specified then we can't set a
server name as well */
+/*
if( sessionInfoPtr->networkSocket != CRYPT_ERROR )
{
return( exitErrorInited( sessionInfoPtr,
CRYPT_SESSINFO_NETWORKSOCKET ) );
}
+*/
/* Parse the server name. The PKI protocols all use HTTP as their
substrate so if it's not SSH or SSL/TLS we require HTTP */
--- session/ssl_kmgmt.c.orig 2019-01-11 01:54:56.000000000 -0500
+++ session/ssl_kmgmt.c 2020-01-23 18:18:40.754040000 -0500
@@ -448,7 +448,7 @@
status = krnlSendMessage( createInfo.cryptHandle,
IMESSAGE_SETATTRIBUTE,
( MESSAGE_CAST ) &eccParams,
- CRYPT_IATTRIBUTE_KEY_DLPPARAM );
+ CRYPT_IATTRIBUTE_KEY_ECCPARAM );
}
else
#endif /* USE_ECDH */
--- ../tmp2/session/ssh2_authc.c 2018-12-14 17:31:34.000000000 -0500
+++ session/ssh2_authc.c 2019-06-03 16:41:49.956986000 -0400
@@ -868,7 +868,7 @@
if( !cryptStatusError( status ) )
{
status = CRYPT_OK; /* readUint32() returns a count value */
- if( noPrompts <= 0 || noPrompts > 4 )
+ if( noPrompts < 0 || noPrompts > 4 )
{
/* Requesting zero or more than a small number of prompts is
suspicious */
@@ -876,49 +876,52 @@
}
}
}
- if( cryptStatusOK( status ) )
+ if( noPrompts > 0 )
{
- status = readString32( &stream, promptBuffer,
+ if( cryptStatusOK( status ) )
+ {
+ status = readString32( &stream, promptBuffer,
CRYPT_MAX_TEXTSIZE, &promptLength );
- if( cryptStatusOK( status ) && promptLength <= 0 )
+ if( cryptStatusOK( status ) && promptLength <= 0 )
+ {
+ /* We must have at least some sort of prompt given that we
+ require num_prompts to be nonzero */
+ status = CRYPT_ERROR_BADDATA;
+ }
+ }
+ sMemDisconnect( &stream );
+ if( cryptStatusError( status ) )
{
- /* We must have at least some sort of prompt given that we
- require num_prompts to be nonzero */
- status = CRYPT_ERROR_BADDATA;
+ retExt( status,
+ ( status, SESSION_ERRINFO,
+ "Invalid PAM authentication request packet" ) );
}
- }
- sMemDisconnect( &stream );
- if( cryptStatusError( status ) )
- {
- retExt( status,
- ( status, SESSION_ERRINFO,
- "Invalid PAM authentication request packet" ) );
- }
- REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
- REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
- /* Make sure that we're being asked for some form of password
- authentication. This assumes that the prompt string begins with the
- word "password" (which always seems to be the case), if it isn't then
- it may be necessary to do a substring search */
- if( promptLength < 8 || \
- !strIsPrintable( promptBuffer, promptLength ) || \
- strCompare( promptBuffer, "Password", 8 ) )
- {
- /* The following may produce somewhat inconsistent results in terms
- of what it reports because it's unclear what 'name' actually is,
- on the off chance that something fills this in it could produce
- a less appropriate error message than the prompt, but we
- opportunistically try it in case it contains something useful */
- retExt( CRYPT_ERROR_BADDATA,
- ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
- "Server requested unknown PAM authentication type '%s'",
- ( nameLength > 0 ) ? \
- sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
- nameLength ) : \
- sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
- promptLength ) ) );
- }
+ /* Make sure that we're being asked for some form of password
+ authentication. This assumes that the prompt string begins with the
+ word "password" (which always seems to be the case), if it isn't then
+ it may be necessary to do a substring search */
+ if( promptLength < 8 || \
+ !strIsPrintable( promptBuffer, promptLength ) || \
+ strCompare( promptBuffer, "Password", 8 ) )
+ {
+ /* The following may produce somewhat inconsistent results in terms
+ of what it reports because it's unclear what 'name' actually is,
+ on the off chance that something fills this in it could produce
+ a less appropriate error message than the prompt, but we
+ opportunistically try it in case it contains something useful */
+ retExt( CRYPT_ERROR_BADDATA,
+ ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
+ "Server requested unknown PAM authentication type '%s'",
+ ( nameLength > 0 ) ? \
+ sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
+ nameLength ) : \
+ sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
+ promptLength ) ) );
+ }
+ }
REQUIRES( passwordPtr != NULL && \
passwordPtr->valueLength > 0 && \
--- misc/config.h.orig 2018-02-15 02:26:59.017103000 -0500
+++ misc/config.h 2018-02-15 02:27:50.400787000 -0500
@@ -9,6 +9,9 @@
#define _CONFIG_DEFINED
+#define USE_PROBLEMATIC_ALGORITHMS
+#define USE_SSH_EXTENDED
+#define USE_CERTLEVEL_STANDARD
/****************************************************************************
* *
* Custom Configuration Profiles *
--- cert/ext_add.c.orig 2018-02-24 01:38:55.995138000 -0500
+++ cert/ext_add.c 2018-02-24 01:39:08.783152000 -0500
@@ -451,9 +451,11 @@
a non-blob. In addition it forces the caller to use the (recommended)
normal attribute handling mechanism, which allows for proper type
checking */
+#if 0
if( !( flags & ATTR_FLAG_BLOB ) && \
oidToAttribute( attributeType, oid, oidLength ) != NULL )
return( CRYPT_ERROR_PERMISSION );
+#endif
/* Find the correct place in the list to insert the new element */
if( DATAPTR_ISSET( listHead ) )
--- ../cl-old/cryptlib.h 2021-03-16 04:15:50.265534000 -0400
+++ ./cryptlib.h 2021-03-16 06:53:47.582168000 -0400
@@ -1215,6 +1215,7 @@
CRYPT_SESSINFO_SSH_CHANNEL_ARG1,/* SSH channel argument 1 */
CRYPT_SESSINFO_SSH_CHANNEL_ARG2,/* SSH channel argument 2 */
CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE,/* SSH channel active */
+ CRYPT_SESSINFO_SSH_OPTIONS, /* SSH protocol options */
CRYPT_SESSINFO_SSL_OPTIONS, /* SSL/TLS protocol options */
CRYPT_SESSINFO_SSL_SUBPROTOCOL, /* SSL/TLS additional sub-protocol */
CRYPT_SESSINFO_SSL_WSPROTOCOL, /* SSL/TLS WebSockets sub-protocol */
@@ -1680,6 +1681,14 @@
#define CRYPT_SSLOPTION_SUITEB_256 0x200 /* vanish in future releases) */
#ifdef _CRYPT_DEFINED
#define CRYPT_SSLOPTION_MAX 0x7F /* Defines for range checking */
+#endif /* _CRYPT_DEFINED */
+
+/* SSH protocol options. */
+
+#define CRYPT_SSHOPTION_NONE 0x000
+#define CRYPT_SSHOPTION_NONE_AUTH 0x001 /* Try none authentication */
+#ifdef _CRYPT_DEFINED
+#define CRYPT_SSHOPTION_MAX 0x01 /* Defines for range checking */
#endif /* _CRYPT_DEFINED */
/****************************************************************************
diff -ur ../cl-old/kernel/attr_acl.c ./kernel/attr_acl.c
--- ../cl-old/kernel/attr_acl.c 2021-03-16 04:15:50.398060000 -0400
+++ ./kernel/attr_acl.c 2021-03-16 06:53:47.606473000 -0400
@@ -3731,6 +3731,12 @@
ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
MKPERM_SSH_EXT( RWx_xxx ),
ROUTE( OBJECT_TYPE_SESSION ) ),
+ MKACL_N( /* SSH protocol options */
+ CRYPT_SESSINFO_SSH_OPTIONS,
+ ST_NONE, ST_NONE, ST_SESS_SSH,
+ MKPERM_SSH_EXT( Rxx_RWx ),
+ ROUTE( OBJECT_TYPE_SESSION ),
+ RANGE( CRYPT_SSHOPTION_NONE, CRYPT_SSHOPTION_MAX ) ),
MKACL_N( /* SSL/TLS protocol options */
CRYPT_SESSINFO_SSL_OPTIONS,
@@ -4653,7 +4659,7 @@
static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6016, "Attribute value" );
- static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6031, "Attribute value" );
+ static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6032, "Attribute value" );
static_assert( CRYPT_CERTFORMAT_LAST == 12, "Attribute value" );
/* Perform a consistency check on the attribute ACLs. The ACLs are
diff -ur ../cl-old/session/ssh.c ./session/ssh.c
--- ../cl-old/session/ssh.c 2021-03-16 04:15:50.257467000 -0400
+++ ./session/ssh.c 2021-03-16 06:53:47.638940000 -0400
@@ -980,6 +980,18 @@
type == CRYPT_SESSINFO_SSH_CHANNEL_ARG2 || \
type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE );
+ if( type == CRYPT_SESSINFO_SSH_OPTIONS )
+ {
+ int *valuePtr = ( int * ) data;
+
+ *valuePtr = CRYPT_SSHOPTION_NONE;
+ if( TEST_FLAG( sessionInfoPtr->protocolFlags,
+ SSH_PFLAG_DUMMYUSERAUTH ) )
+ *valuePtr |= CRYPT_SSHOPTION_NONE_AUTH;
+
+ return( CRYPT_OK );
+ }
+
if( type == CRYPT_SESSINFO_SSH_CHANNEL || \
type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE )
{
@@ -1010,11 +1022,13 @@
type == CRYPT_SESSINFO_SSH_CHANNEL_TYPE || \
type == CRYPT_SESSINFO_SSH_CHANNEL_ARG1 || \
type == CRYPT_SESSINFO_SSH_CHANNEL_ARG2 || \
+ type == CRYPT_SESSINFO_SSH_OPTIONS || \
type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE );
/* Get the data value if it's an integer parameter */
if( type == CRYPT_SESSINFO_SSH_CHANNEL || \
- type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE )
+ type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE || \
+ type == CRYPT_SESSINFO_SSH_OPTIONS)
value = *( ( int * ) data );
/* If we're selecting a channel and there's unwritten data from a
@@ -1038,6 +1052,13 @@
return( createChannel( sessionInfoPtr ) );
}
+ if( type == CRYPT_SESSINFO_SSH_OPTIONS )
+ {
+ if (value & CRYPT_SSHOPTION_NONE_AUTH)
+ SET_FLAG( sessionInfoPtr->protocolFlags, SSH_PFLAG_DUMMYUSERAUTH );
+ return( CRYPT_OK );
+ }
+
/* If we 're setting the channel-active attribute, this implicitly
activates or deactivates the channel rather than setting any
attribute value */
@@ -1165,8 +1186,6 @@
SESSION_FLAG_NONE, /* Flags */
SSH_PORT, /* SSH port */
SESSION_NEEDS_USERID | /* Client attributes */
- SESSION_NEEDS_PASSWORD | \
- SESSION_NEEDS_KEYORPASSWORD | \
SESSION_NEEDS_PRIVKEYSIGN,
/* The client private key is optional, but if present it has
to be signature-capable */
diff -ur ../cl-old/session/ssh2_authc.c ./session/ssh2_authc.c
--- ../cl-old/session/ssh2_authc.c 2021-03-16 04:15:50.264206000 -0400
+++ ./session/ssh2_authc.c 2021-03-16 07:46:47.873769000 -0400
@@ -315,13 +315,22 @@
assert( isWritePtr( authAlgo, sizeof( CRYPT_ALGO_TYPE ) ) );
assert( isWritePtr( furtherAuthRequired, sizeof( BOOLEAN ) ) );
- REQUIRES( isShortIntegerRangeNZ( length ) );
REQUIRES( usedPasswordAuth == TRUE || usedPasswordAuth == FALSE );
/* Clear return values */
*authAlgo = CRYPT_ALGO_NONE;
*furtherAuthRequired = FALSE;
+ if (length == 0 && GET_FLAG( sessionInfoPtr->protocolFlags, SSH_PFLAG_DUMMYUSERAUTH ) && !usedPasswordAuth)
+ {
+ CLEAR_FLAG( sessionInfoPtr->protocolFlags, SSH_PFLAG_DUMMYUSERAUTH );
+ *furtherAuthRequired = TRUE;
+ *authAlgo = CRYPT_PSEUDOALGO_PASSWORD;
+ return( CRYPT_OK );
+ }
+
+ REQUIRES( isShortIntegerRangeNZ( length ) );
+
/* Before we can try and interpret the response, we have to check for an
empty response */
if( length >= LENGTH_SIZE && \
@@ -647,6 +656,8 @@
SSH_MSG_USERAUTH_REQUEST );
if( cryptStatusError( status ) )
return( status );
+ if (passwordPtr == NULL && GET_FLAG( sessionInfoPtr->protocolFlags, SSH_PFLAG_DUMMYUSERAUTH ))
+ return( OK_SPECIAL );
if( usePasswordAuth )
{
/* byte type = SSH_MSG_USERAUTH_REQUEST
@@ -1220,6 +1231,11 @@
auth required */
if( !hasPassword )
{
+ if (length == 0)
+ {
+ return( reportAuthFailure( sessionInfoPtr, CRYPT_PSEUDOALGO_PASSWORD,
+ requiredAuthAlgo, TRUE ) );
+ }
return( reportAuthFailure( sessionInfoPtr, CRYPT_ALGO_RSA,
requiredAuthAlgo, TRUE ) );
}
--- misc/config.h.orig 2021-01-25 23:06:22.266896000 -0500
+++ misc/config.h 2021-01-25 23:31:45.451504000 -0500
@@ -494,7 +494,7 @@
indirectly as a result of any use of cryptlib with this change made. If
you receive the code with the safety features already disabled, you must
immediately obtain and use an original, unmodified version */
-/* #define USE_PKCS12 */
+#define USE_PKCS12
/* Going beyond the PKCS #12 read capability which exists solely to allow
the import of keys supplied in that format by third parties, cryptlib has
a PKCS #12 write capability. This exists purely to allow the export of
@@ -509,7 +509,7 @@
PKCS #12 read capability, as well as the fact that PKCS #12 write is an
unsupported facility with special-case usage restrictions that doesn't
work like any normal keyset */
-/* #define USE_PKCS12_WRITE */
+#define USE_PKCS12_WRITE
#define USE_PKCS15
#define USE_PGPKEYS
--- ../tmp2/misc/consts.h 2019-02-22 19:36:36.000000000 -0500
+++ misc/consts.h 2019-06-03 18:05:43.345982000 -0400
@@ -226,7 +226,7 @@
creating things like certs containing MPEGs of themselves playing with
their cat */
-#define MAX_ATTRIBUTE_SIZE 1024
+#define MAX_ATTRIBUTE_SIZE 4096
/* Some objects contain internal buffers used to process data whose size can
be specified by the user, the following is the minimum and maximum size
--- bn/bn_asm.c.orig 2019-07-15 17:03:25.346831000 -0400
+++ bn/bn_asm.c 2019-07-15 17:03:40.227005000 -0400
@@ -81,7 +81,7 @@
#ifndef BN_ASM /* pcg */
-#if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
+#if defined(BN_LLONG) || defined(BN_UMULT_HIGH) || defined(BN_UMULT_LOHI)
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
BN_ULONG w)
diff -ur ../cl-old/random/unix.c ./random/unix.c
--- ../cl-old/random/unix.c 2021-03-29 22:36:37.000000000 -0700
+++ ./random/unix.c 2021-03-29 22:38:03.000000000 -0700
@@ -505,7 +505,9 @@
amount of output so typically gets
truncated at SYSCTL_BUFFER_SIZE */
#endif /* KERN_PROC2 */
+#ifdef GPROF_COUNT
{ 3, { CTL_KERN, KERN_PROF, GPROF_COUNT }, 10 },
+#endif
/* If kernel is compiled for profiling,
an array of statistical program
counter counts. This typically isn't
--- ./session/ssl_hs.c.orig 2020-01-24 18:02:09.710811000 -0500
+++ ./session/ssl_hs.c 2020-01-24 18:02:24.220573000 -0500
@@ -223,6 +223,7 @@
if( cryptStatusError( status ) )
return( status );
sessionInfoPtr->cryptBlocksize = queryInfo.blockSize;
+ CLEAR_FLAG( sessionInfoPtr->protocolFlags, SSL_PFLAG_GCM );
}
return( CRYPT_OK );
--- ../tmp2/tools/ccopts.sh 2019-03-04 16:32:32.000000000 -0500
+++ tools/ccopts.sh 2019-06-03 16:22:10.631518000 -0400
@@ -250,13 +250,13 @@
done
# /dev/crypto support
- for includepath in $DEVCRYPTOPATHS ; do
- if [ -f $includepath ] ; then
- echo "/dev/crypto interface detected, enabling crypto hardware support." >&2 ;
- CCARGS="$CCARGS -DHAS_DEVCRYPTO -I"$(dirname $includepath)"" ;
- break ;
- fi
- done
+ #for includepath in $DEVCRYPTOPATHS ; do
+ # if [ -f $includepath ] ; then
+ # echo "/dev/crypto interface detected, enabling crypto hardware support." >&2 ;
+ # CCARGS="$CCARGS -DHAS_DEVCRYPTO -I"$(dirname $includepath)"" ;
+ # break ;
+ # fi
+ #done
fi
if [ -f /usr/include/zlib.h ] ; then
--- ../tmp2/misc/os_detect.h 2019-01-31 14:57:46.000000000 -0500
+++ misc/os_detect.h 2019-06-03 18:26:42.394038000 -0400
@@ -566,6 +566,9 @@
#include <machine/endian.h>
#elif defined( __NetBSD__ )
#include <sys/endian.h>
+ #elif defined( __FreeBSD__ )
+ #include <sys/endian.h>
+ #elif defined(__MINGW32__)
#else
#include <endian.h>
#endif /* Apple vs. everyone else */
--- session/ssl_hs.c.orig 2018-11-14 23:22:26.000000000 -0500
+++ session/ssl_hs.c 2020-01-23 18:23:41.236235000 -0500
@@ -240,6 +240,7 @@
const CIPHERSUITE_INFO **cipherSuiteInfo;
const BOOLEAN isServer = isServer( sessionInfoPtr ) ? TRUE : FALSE;
BOOLEAN allowDH = algoAvailable( CRYPT_ALGO_DH ) ? TRUE : FALSE;
+ BOOLEAN allowECCAuth = TRUE;
BOOLEAN allowECC = ( algoAvailable( CRYPT_ALGO_ECDH ) && \
algoAvailable( CRYPT_ALGO_ECDSA ) ) ? TRUE : FALSE;
BOOLEAN allowRSA = algoAvailable( CRYPT_ALGO_RSA ) ? TRUE : FALSE;
@@ -268,7 +269,7 @@
{
/* There's no server private key present, we're limited to PSK
suites */
- allowECC = allowRSA = FALSE;
+ allowECC = allowRSA = allowECCAuth = FALSE;
}
else
{
@@ -278,7 +279,7 @@
capable */
if( !checkContextCapability( sessionInfoPtr->privateKey,
MESSAGE_CHECK_PKC_SIGN ) )
- allowDH = allowECC = FALSE;
+ allowDH = allowECC = allowECCAuth = FALSE;
/* To be usable for ECC or RSA the server key has to itself be
an ECC or RSA key */
@@ -286,13 +287,16 @@
IMESSAGE_GETATTRIBUTE, &pkcAlgo,
CRYPT_CTXINFO_ALGO );
if( cryptStatusError( status ) )
- allowECC = allowRSA = FALSE;
+ allowECC = allowRSA = allowECCAuth = FALSE;
else
{
if( !isEccAlgo( pkcAlgo ) )
allowECC = FALSE;
if( pkcAlgo != CRYPT_ALGO_RSA )
+ {
allowRSA = FALSE;
+ allowECCAuth = FALSE;
+ }
}
}
}
@@ -443,8 +447,13 @@
( cipherSuiteInfoPtr->flags & CIPHERSUITE_FLAG_DH ) )
continue;
if( !allowECC && \
- ( cipherSuiteInfoPtr->flags & CIPHERSUITE_FLAG_ECC ) )
+ ( cipherSuiteInfoPtr->flags & CIPHERSUITE_FLAG_ECC ) && \
+ ( cipherSuiteInfoPtr->authAlgo != CRYPT_ALGO_RSA) )
continue;
+ if( !allowECCAuth && \
+ ( cipherSuiteInfoPtr->flags & CIPHERSUITE_FLAG_ECC ) && \
+ ( cipherSuiteInfoPtr->authAlgo == CRYPT_ALGO_RSA) )
+ continue;
if( !allowTLS12 && \
( cipherSuiteInfoPtr->flags & CIPHERSUITE_FLAG_TLS12 ) )
continue;
@@ -521,7 +530,7 @@
find out that we can use it */
if( altSuiteIndex < cipherSuiteInfoSize )
{
- REQUIRES( allowECC );
+ REQUIRES( allowECCAuth );
handshakeInfo->eccSuiteInfoPtr = cipherSuiteInfo[ altSuiteIndex ];
}
--- session/ssh2_crypt.c.orig 2020-04-29 14:08:11.580413000 -0400
+++ session/ssh2_crypt.c 2020-04-29 14:08:27.391588000 -0400
@@ -265,7 +265,7 @@
/* Load the appropriate static ECDH key parameters */
status = krnlSendMessage( iECDHContext, IMESSAGE_SETATTRIBUTE,
( MESSAGE_CAST ) &eccKeySize,
- CRYPT_IATTRIBUTE_KEY_DLPPARAM );
+ CRYPT_IATTRIBUTE_KEY_ECCPARAM );
if( cryptStatusError( status ) )
{
krnlSendNotifier( iECDHContext, IMESSAGE_DECREFCOUNT );