feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Further refactor the minimum ECC key size. Adds --with-eccminsz=BITS option. Fix for FIPSv2 which includes 192-bit support. If WOLFSSL_MIN_ECC_BITS is defined that will be used.

Browse Source
This commit is contained in:
David Garske
2020-10-16 17:18:48 -07:00
parent b13848e568
commit 5de80d8e41
8 changed files with 119 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
configure.ac
View File

@@ -1880,18 +1880,14 @@ then
fi
# ECC Weak Key Sizes (224-bit equiv to RSA 2048 - by default disable < 224 bit ECC)
AC_ARG_ENABLE([eccweakcurves],
[AS_HELP_STRING([--enable-eccweakcurves],[Enable ECC curves less than 224 bit (default: disabled)])],
[ ENABLED_ECCWEAKCURVES=$enableval ],
[ ENABLED_ECCWEAKCURVES=no ]
)
if test "$ENABLED_ECCWEAKCURVES" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DECC_WEAK_CURVES"
fi
# ECC Minimum Key Size
AC_ARG_WITH([eccminsz],
[AS_HELP_STRING([--with-eccminsz=BITS],[Sets the ECC minimum key size (default: 224 bits)])],
[
ENABLED_ECCMINSZ=$withval
AM_CFLAGS="$AM_CFLAGS -DECC_MIN_KEY_SZ=$withval"
]
)
# Compressed Key
AC_ARG_ENABLE([compkey],

28
src/internal.c
View File

@@ -21114,7 +21114,7 @@ exit_dpk:
int ret = ECC_CURVE_ERROR;
switch (tlsCurveId) {
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID;
#endif /* !NO_ECC_SECP */
@@ -21125,7 +21125,7 @@ exit_dpk:
case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID;
#endif /* !NO_ECC_SECP */
@@ -21133,7 +21133,7 @@ exit_dpk:
case WOLFSSL_ECC_SECP192K1: return ECC_SECP192K1_OID;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID;
#endif /* !NO_ECC_SECP */
@@ -21144,7 +21144,7 @@ exit_dpk:
#ifdef HAVE_CURVE25519
case WOLFSSL_ECC_X25519: return ECC_X25519_OID;
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID;
#endif /* !NO_ECC_SECP */
@@ -21158,7 +21158,7 @@ exit_dpk:
#ifdef HAVE_CURVE448
case WOLFSSL_ECC_X448: return ECC_X448_OID;
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID;
#endif /* !NO_ECC_SECP */
@@ -21166,12 +21166,12 @@ exit_dpk:
case WOLFSSL_ECC_BRAINPOOLP384R1: return ECC_BRAINPOOLP384R1_OID;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
#ifdef HAVE_ECC_BRAINPOOL
case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID;
#endif /* !NO_ECC_SECP */
@@ -24763,7 +24763,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* returns the WOLFSSL_* version of the curve from the OID sum */
word16 GetCurveByOID(int oidSum) {
switch(oidSum) {
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#ifndef NO_ECC_SECP
case ECC_SECP160R1_OID:
return WOLFSSL_ECC_SECP160R1;
@@ -24777,7 +24777,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return WOLFSSL_ECC_SECP160K1;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#ifndef NO_ECC_SECP
case ECC_SECP192R1_OID:
return WOLFSSL_ECC_SECP192R1;
@@ -24787,7 +24787,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return WOLFSSL_ECC_SECP192K1;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
#ifndef NO_ECC_SECP
case ECC_SECP224R1_OID:
return WOLFSSL_ECC_SECP224R1;
@@ -24797,7 +24797,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return WOLFSSL_ECC_SECP224K1;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#ifndef NO_ECC_SECP
case ECC_SECP256R1_OID:
return WOLFSSL_ECC_SECP256R1;
@@ -24811,7 +24811,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return WOLFSSL_ECC_BRAINPOOLP256R1;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
#ifndef NO_ECC_SECP
case ECC_SECP384R1_OID:
return WOLFSSL_ECC_SECP384R1;
@@ -24821,13 +24821,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return WOLFSSL_ECC_BRAINPOOLP384R1;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
#ifdef HAVE_ECC_BRAINPOOL
case ECC_BRAINPOOLP512R1_OID:
return WOLFSSL_ECC_BRAINPOOLP512R1;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
#ifndef NO_ECC_SECP
case ECC_SECP521R1_OID:
return WOLFSSL_ECC_SECP521R1;

30
src/tls.c
View File

@@ -4340,7 +4340,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
/* find supported curve */
switch (curve->name) {
#ifdef HAVE_ECC
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP160R1:
pkOid = oid = ECC_SECP160R1_OID;
@@ -4360,7 +4360,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP192R1:
pkOid = oid = ECC_SECP192R1_OID;
@@ -4374,7 +4374,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP224R1:
pkOid = oid = ECC_SECP224R1_OID;
@@ -4388,7 +4388,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP256R1:
pkOid = oid = ECC_SECP256R1_OID;
@@ -4409,7 +4409,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_ECC
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#ifdef HAVE_ECC_KOBLITZ
case WOLFSSL_ECC_SECP256K1:
pkOid = oid = ECC_SECP256K1_OID;
@@ -4436,7 +4436,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_CURVE448 */
#ifdef HAVE_ECC
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP384R1:
pkOid = oid = ECC_SECP384R1_OID;
@@ -4450,7 +4450,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
#ifdef HAVE_ECC_BRAINPOOL
case WOLFSSL_ECC_BRAINPOOLP512R1:
pkOid = oid = ECC_BRAINPOOLP512R1_OID;
@@ -4458,7 +4458,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
break;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP521R1:
pkOid = oid = ECC_SECP521R1_OID;
@@ -9847,21 +9847,21 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
/* list in order by strength, since not all servers choose by strength */
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP521R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP384R1, ssl->heap);
@@ -9884,7 +9884,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif /* HAVE_FIPS */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP256R1, ssl->heap);
@@ -9912,7 +9912,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif /* HAVE_FIPS */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP224R1, ssl->heap);
@@ -9926,7 +9926,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif
#ifndef HAVE_FIPS
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP192R1, ssl->heap);
@@ -9938,7 +9938,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP160R1, ssl->heap);

107
tests/api.c
View File

@@ -58,72 +58,53 @@
#endif
/* ecc key sizes: 14, 16, 20, 24, 28, 30, 32, 40, 48, 64 */
/* logic to choose right key ECC size */
#if defined(HAVE_ALL_CURVES) && defined(ECC_WEAK_CURVES)
#ifndef KEY14
#define KEY14 14
#endif
#if !defined(KEY16)
#define KEY16 16
#endif
#if !defined(KEY20)
#define KEY20 20
#endif
#if !defined(KEY24)
#define KEY24 24
#endif
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 112
#define KEY14 14
#else
#ifndef KEY14
#define KEY14 32
#endif
#if !defined(KEY16)
#define KEY16 32
#endif
#if !defined(KEY20)
#define KEY20 32
#endif
#if !defined(KEY24)
#define KEY24 32
#endif
#define KEY14 32
#endif
#ifdef HAVE_ALL_CURVES
#if !defined(KEY28)
#define KEY28 28
#endif
#if !defined(KEY30)
#define KEY30 30
#endif
#if !defined(KEY32)
#define KEY32 32
#endif
#if !defined(KEY40)
#define KEY40 40
#endif
#if !defined(KEY48)
#define KEY48 48
#endif
#if !defined(KEY64)
#define KEY64 64
#endif
#else
#if !defined(KEY28)
#define KEY28 32
#endif
#if !defined(KEY30)
#define KEY30 32
#endif
#if !defined(KEY32)
#define KEY32 32
#endif
#if !defined(KEY40)
#define KEY40 32
#endif
#if !defined(KEY48)
#define KEY48 32
#endif
#if !defined(KEY64)
#define KEY64 32
#endif
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 128
#define KEY16 16
#else
#define KEY16 32
#endif
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#define KEY20 20
#else
#define KEY20 32
#endif
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#define KEY24 24
#else
#define KEY24 32
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#define KEY28 28
#else
#define KEY28 32
#endif
#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
#define KEY30 30
#else
#define KEY30 32
#endif
#define KEY32 32
#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
#define KEY40 40
#else
#define KEY40 32
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#define KEY48 48
#else
#define KEY48 32
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#define KEY64 64
#else
#define KEY64 32
#endif
#if !defined(HAVE_COMP_KEY)
#if !defined(NOCOMP)
#define NOCOMP 0

24
wolfcrypt/src/ecc.c
View File

@@ -75,7 +75,7 @@ ECC Curve Types:
ECC Curve Sizes:
* ECC_USER_CURVES: Allows custom combination of key sizes below
* HAVE_ALL_CURVES: Enable all key sizes (on unless ECC_USER_CURVES is defined)
* ECC_WEAK_CURVES: Enable support for weak keys < 224 bits
* ECC_MIN_KEY_SZ: Minimum supported ECC key size
* HAVE_ECC112: 112 bit key
* HAVE_ECC128: 128 bit key
* HAVE_ECC160: 160 bit key
@@ -180,37 +180,37 @@ enum {
*/
/* 256-bit curve on by default whether user curves or not */
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 112
#define ECC112
#endif
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 128
#define ECC128
#endif
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
#define ECC160
#endif
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
#define ECC192
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
#define ECC224
#endif
#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 239
#define ECC239
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
#define ECC256
#endif
#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 320
#define ECC320
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
#define ECC384
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
#define ECC512
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
#define ECC521
#endif

22
wolfcrypt/test/test.c
View File

@@ -21868,43 +21868,43 @@ static int ecc_test(void)
return -9900;
#endif
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 112
ret = ecc_test_curve(&rng, 14);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC112 */
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 128
ret = ecc_test_curve(&rng, 16);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC128 */
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 160
ret = ecc_test_curve(&rng, 20);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC160 */
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 192
ret = ecc_test_curve(&rng, 24);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC192 */
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 224
ret = ecc_test_curve(&rng, 28);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC224 */
#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 239
ret = ecc_test_curve(&rng, 30);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC239 */
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 256
ret = ecc_test_curve(&rng, 32);
if (ret < 0) {
goto done;
@@ -21921,25 +21921,25 @@ static int ecc_test(void)
goto done;
}
#endif /* !NO_ECC256 */
#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 320
ret = ecc_test_curve(&rng, 40);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC320 */
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 384
ret = ecc_test_curve(&rng, 48);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC384 */
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 512
ret = ecc_test_curve(&rng, 64);
if (ret < 0) {
goto done;
}
#endif /* HAVE_ECC512 */
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && defined(ECC_MIN_KEY_SZ) && ECC_MIN_KEY_SZ <= 521
ret = ecc_test_curve(&rng, 66);
if (ret < 0) {
goto done;

8
wolfssl/wolfcrypt/ecc.h
View File

@@ -93,7 +93,7 @@
#define MAX_ECC_BITS 256
#elif defined(HAVE_ECC239)
#define MAX_ECC_BITS 239
#elif defined(HAVE_ECC224) && !defined(ECC_WEAK_CURVES)
#elif defined(HAVE_ECC224)
#define MAX_ECC_BITS 224
#elif defined(HAVE_ECC192)
#define MAX_ECC_BITS 192
@@ -125,11 +125,7 @@ enum {
ECC_MAXNAME = 16, /* MAX CURVE NAME LENGTH */
SIG_HEADER_SZ = 7, /* ECC signature header size (30 81 87 02 42 [R] 02 42 [S]) */
ECC_BUFSIZE = 256, /* for exported keys temp buffer */
#ifdef ECC_WEAK_CURVES
ECC_MINSIZE = 14, /* MIN Private Key size */
#else
ECC_MINSIZE = 20, /* MIN Private Key size */
#endif
ECC_MINSIZE = ECC_MIN_KEY_SZ/8, /* MIN Private Key size */
ECC_MAXSIZE = 66, /* MAX Private Key size */
ECC_MAXSIZE_GEN = 74, /* MAX Buffer size required when generating ECC keys*/
ECC_MAX_OID_LEN = 16,

18
wolfssl/wolfcrypt/settings.h
View File

@@ -1749,11 +1749,19 @@ extern void uITRON4_free(void *p) ;
#define HAVE_ALL_CURVES
#endif
#endif
#ifndef ECC_WEAK_CURVES
/* if building TLS to enable < 224 then allow weak curves */
/* Note: ECC 224-bit is equiv to RSA 2048 bit */
#if defined(WOLFSSL_MIN_ECC_BITS) && WOLFSSL_MIN_ECC_BITS < 224
#define ECC_WEAK_CURVES
/* The minimum allowed ECC key size */
/* Note: 224-bits is equivelant to 2048-bit RSA */
#ifndef ECC_MIN_KEY_SZ
#ifdef WOLFSSL_MIN_ECC_BITS
#define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
#else
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION == 2
/* FIPSv2 includes 192-bit support */
#define ECC_MIN_KEY_SZ 192
#else
#define ECC_MIN_KEY_SZ 224
#endif
#endif
#endif