mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-31 19:24:42 +02:00
Disable ECC key sizes < 224 bits by default. Added --enable-eccweakcurves or ECC_WEAK_CURVES to enable smaller key sizes. Currently this option is automatically enabled if WOLFSSL_MIN_ECC_BITS is less than 224-bits.
This commit is contained in:
David Garske
14
configure.ac
14
configure.ac
@@ -1880,6 +1880,19 @@ then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# ECC Weak Key Sizes (224-bit equiv to RSA 2048 - by default disable < 224 bit ECC)
|
||||||
|
AC_ARG_ENABLE([eccweakcurves],
|
||||||
|
[AS_HELP_STRING([--enable-eccweakcurves],[Enable ECC curves less than 224 bit (default: disabled)])],
|
||||||
|
[ ENABLED_ECCWEAKCURVES=$enableval ],
|
||||||
|
[ ENABLED_ECCWEAKCURVES=no ]
|
||||||
|
)
|
||||||
|
|
||||||
|
if test "$ENABLED_ECCWEAKCURVES" = "yes"
|
||||||
|
then
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DECC_WEAK_CURVES"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Compressed Key
|
# Compressed Key
|
||||||
AC_ARG_ENABLE([compkey],
|
AC_ARG_ENABLE([compkey],
|
||||||
[AS_HELP_STRING([--enable-compkey],[Enable compressed keys support (default: disabled)])],
|
[AS_HELP_STRING([--enable-compkey],[Enable compressed keys support (default: disabled)])],
|
||||||
@@ -6042,6 +6055,7 @@ echo " * DH: $ENABLED_DH"
|
|||||||
echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
|
echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
|
||||||
echo " * ECC: $ENABLED_ECC"
|
echo " * ECC: $ENABLED_ECC"
|
||||||
echo " * ECC Custom Curves $ENABLED_ECCCUSTCURVES"
|
echo " * ECC Custom Curves $ENABLED_ECCCUSTCURVES"
|
||||||
|
echo " * ECC Weak Curves $ENABLED_ECCWEAKCURVES"
|
||||||
echo " * CURVE25519: $ENABLED_CURVE25519"
|
echo " * CURVE25519: $ENABLED_CURVE25519"
|
||||||
echo " * ED25519: $ENABLED_ED25519"
|
echo " * ED25519: $ENABLED_ED25519"
|
||||||
echo " * CURVE448: $ENABLED_CURVE448"
|
echo " * CURVE448: $ENABLED_CURVE448"
|
||||||
|
|||||||
@@ -21114,7 +21114,7 @@ exit_dpk:
|
|||||||
int ret = ECC_CURVE_ERROR;
|
int ret = ECC_CURVE_ERROR;
|
||||||
|
|
||||||
switch (tlsCurveId) {
|
switch (tlsCurveId) {
|
||||||
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID;
|
case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
@@ -21125,7 +21125,7 @@ exit_dpk:
|
|||||||
case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID;
|
case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID;
|
case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
@@ -24763,7 +24763,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
/* returns the WOLFSSL_* version of the curve from the OID sum */
|
/* returns the WOLFSSL_* version of the curve from the OID sum */
|
||||||
word16 GetCurveByOID(int oidSum) {
|
word16 GetCurveByOID(int oidSum) {
|
||||||
switch(oidSum) {
|
switch(oidSum) {
|
||||||
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case ECC_SECP160R1_OID:
|
case ECC_SECP160R1_OID:
|
||||||
return WOLFSSL_ECC_SECP160R1;
|
return WOLFSSL_ECC_SECP160R1;
|
||||||
@@ -24777,7 +24777,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
return WOLFSSL_ECC_SECP160K1;
|
return WOLFSSL_ECC_SECP160K1;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case ECC_SECP192R1_OID:
|
case ECC_SECP192R1_OID:
|
||||||
return WOLFSSL_ECC_SECP192R1;
|
return WOLFSSL_ECC_SECP192R1;
|
||||||
|
|||||||
@@ -4340,7 +4340,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
/* find supported curve */
|
/* find supported curve */
|
||||||
switch (curve->name) {
|
switch (curve->name) {
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP160R1:
|
case WOLFSSL_ECC_SECP160R1:
|
||||||
pkOid = oid = ECC_SECP160R1_OID;
|
pkOid = oid = ECC_SECP160R1_OID;
|
||||||
@@ -4360,7 +4360,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP192R1:
|
case WOLFSSL_ECC_SECP192R1:
|
||||||
pkOid = oid = ECC_SECP192R1_OID;
|
pkOid = oid = ECC_SECP192R1_OID;
|
||||||
@@ -9926,7 +9926,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef HAVE_FIPS
|
#ifndef HAVE_FIPS
|
||||||
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
ret = TLSX_UseSupportedCurve(extensions,
|
ret = TLSX_UseSupportedCurve(extensions,
|
||||||
WOLFSSL_ECC_SECP192R1, ssl->heap);
|
WOLFSSL_ECC_SECP192R1, ssl->heap);
|
||||||
@@ -9938,7 +9938,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
|
|||||||
if (ret != WOLFSSL_SUCCESS) return ret;
|
if (ret != WOLFSSL_SUCCESS) return ret;
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
ret = TLSX_UseSupportedCurve(extensions,
|
ret = TLSX_UseSupportedCurve(extensions,
|
||||||
WOLFSSL_ECC_SECP160R1, ssl->heap);
|
WOLFSSL_ECC_SECP160R1, ssl->heap);
|
||||||
|
|||||||
@@ -75,6 +75,7 @@ ECC Curve Types:
|
|||||||
ECC Curve Sizes:
|
ECC Curve Sizes:
|
||||||
* ECC_USER_CURVES: Allows custom combination of key sizes below
|
* ECC_USER_CURVES: Allows custom combination of key sizes below
|
||||||
* HAVE_ALL_CURVES: Enable all key sizes (on unless ECC_USER_CURVES is defined)
|
* HAVE_ALL_CURVES: Enable all key sizes (on unless ECC_USER_CURVES is defined)
|
||||||
|
* ECC_WEAK_CURVES: Enable support for weak keys < 224 bits
|
||||||
* HAVE_ECC112: 112 bit key
|
* HAVE_ECC112: 112 bit key
|
||||||
* HAVE_ECC128: 128 bit key
|
* HAVE_ECC128: 128 bit key
|
||||||
* HAVE_ECC160: 160 bit key
|
* HAVE_ECC160: 160 bit key
|
||||||
@@ -179,16 +180,16 @@ enum {
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/* 256-bit curve on by default whether user curves or not */
|
/* 256-bit curve on by default whether user curves or not */
|
||||||
#if defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#define ECC112
|
#define ECC112
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#define ECC128
|
#define ECC128
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#define ECC160
|
#define ECC160
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && defined(ECC_WEAK_CURVES)
|
||||||
#define ECC192
|
#define ECC192
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
|
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
|
||||||
|
|||||||
@@ -93,7 +93,7 @@
|
|||||||
#define MAX_ECC_BITS 256
|
#define MAX_ECC_BITS 256
|
||||||
#elif defined(HAVE_ECC239)
|
#elif defined(HAVE_ECC239)
|
||||||
#define MAX_ECC_BITS 239
|
#define MAX_ECC_BITS 239
|
||||||
#elif defined(HAVE_ECC224)
|
#elif defined(HAVE_ECC224) && !defined(ECC_WEAK_CURVES)
|
||||||
#define MAX_ECC_BITS 224
|
#define MAX_ECC_BITS 224
|
||||||
#elif defined(HAVE_ECC192)
|
#elif defined(HAVE_ECC192)
|
||||||
#define MAX_ECC_BITS 192
|
#define MAX_ECC_BITS 192
|
||||||
|
|||||||
@@ -1749,6 +1749,13 @@ extern void uITRON4_free(void *p) ;
|
|||||||
#define HAVE_ALL_CURVES
|
#define HAVE_ALL_CURVES
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef ECC_WEAK_CURVES
|
||||||
|
/* if building TLS to enable < 224 then allow weak curves */
|
||||||
|
/* Note: ECC 224-bit is equiv to RSA 2048 bit */
|
||||||
|
#if defined(WOLFSSL_MIN_ECC_BITS) && WOLFSSL_MIN_ECC_BITS < 224
|
||||||
|
#define ECC_WEAK_CURVES
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
/* ECC Configs */
|
/* ECC Configs */
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
|
|||||||
Reference in New Issue
Block a user