kex: List also the SHA2 extension when ordering hostkey algorithms
By default, the list of already stored known host types is preferred, but this selection so far ignored the SHA2 extension and excluded these keys in the KEXINIT list leading to not using this extension if not explicitly enabled from configuration. This commit extends the default list with the SHA2 signatures algoritms and compares only base types so they can be listed in the KEXINIT list. This adjust the tests to expect the full list of algorithms to pass. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Этот коммит содержится в:
Jakub Jelen
Andreas Schneider
родитель
27fe60954c
Коммит
531b80a60b
22
src/kex.c
22
src/kex.c
@ -38,6 +38,7 @@
|
|||||||
#include "libssh/curve25519.h"
|
#include "libssh/curve25519.h"
|
||||||
#include "libssh/knownhosts.h"
|
#include "libssh/knownhosts.h"
|
||||||
#include "libssh/misc.h"
|
#include "libssh/misc.h"
|
||||||
|
#include "libssh/pki.h"
|
||||||
|
|
||||||
#ifdef WITH_BLOWFISH_CIPHER
|
#ifdef WITH_BLOWFISH_CIPHER
|
||||||
# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
|
# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
|
||||||
@ -635,6 +636,8 @@ char *ssh_client_select_hostkeys(ssh_session session)
|
|||||||
"ecdsa-sha2-nistp521",
|
"ecdsa-sha2-nistp521",
|
||||||
"ecdsa-sha2-nistp384",
|
"ecdsa-sha2-nistp384",
|
||||||
"ecdsa-sha2-nistp256",
|
"ecdsa-sha2-nistp256",
|
||||||
|
"rsa-sha2-512",
|
||||||
|
"rsa-sha2-256",
|
||||||
"ssh-rsa",
|
"ssh-rsa",
|
||||||
#ifdef HAVE_DSA
|
#ifdef HAVE_DSA
|
||||||
"ssh-dss",
|
"ssh-dss",
|
||||||
@ -660,31 +663,32 @@ char *ssh_client_select_hostkeys(ssh_session session)
|
|||||||
|
|
||||||
for (i = 0; preferred_hostkeys[i] != NULL; ++i) {
|
for (i = 0; preferred_hostkeys[i] != NULL; ++i) {
|
||||||
bool found = false;
|
bool found = false;
|
||||||
|
/* This is a signature type: We list also the SHA2 extensions */
|
||||||
|
enum ssh_keytypes_e base_preferred =
|
||||||
|
ssh_key_type_from_signature_name(preferred_hostkeys[i]);
|
||||||
|
|
||||||
for (it = ssh_list_get_iterator(algo_list);
|
for (it = ssh_list_get_iterator(algo_list);
|
||||||
it != NULL;
|
it != NULL;
|
||||||
it = it->next) {
|
it = it->next) {
|
||||||
const char *algo = ssh_iterator_value(const char *, it);
|
const char *algo = ssh_iterator_value(const char *, it);
|
||||||
int cmp;
|
/* This is always key type so we do not have to care for the
|
||||||
int ok;
|
* SHA2 extension */
|
||||||
|
enum ssh_keytypes_e base_algo = ssh_key_type_from_name(algo);
|
||||||
|
|
||||||
cmp = strcmp(preferred_hostkeys[i], algo);
|
if (base_preferred == base_algo) {
|
||||||
if (cmp == 0) {
|
/* Matching the keys already verified it is a known type */
|
||||||
ok = ssh_verify_existing_algo(SSH_HOSTKEYS, algo);
|
|
||||||
if (ok) {
|
|
||||||
if (needcomma) {
|
if (needcomma) {
|
||||||
strncat(methods_buffer,
|
strncat(methods_buffer,
|
||||||
",",
|
",",
|
||||||
sizeof(methods_buffer) - strlen(methods_buffer) - 1);
|
sizeof(methods_buffer) - strlen(methods_buffer) - 1);
|
||||||
}
|
}
|
||||||
strncat(methods_buffer,
|
strncat(methods_buffer,
|
||||||
algo,
|
preferred_hostkeys[i],
|
||||||
sizeof(methods_buffer) - strlen(methods_buffer) - 1);
|
sizeof(methods_buffer) - strlen(methods_buffer) - 1);
|
||||||
needcomma = 1;
|
needcomma = 1;
|
||||||
found = true;
|
found = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
/* Collect the rest of the algorithms in other buffer, that will
|
/* Collect the rest of the algorithms in other buffer, that will
|
||||||
* follow the preferred buffer. This will signalize all the algorithms
|
* follow the preferred buffer. This will signalize all the algorithms
|
||||||
* we are willing to accept.
|
* we are willing to accept.
|
||||||
@ -744,7 +748,7 @@ int ssh_set_client_kex(ssh_session session)
|
|||||||
|
|
||||||
memset(client->methods, 0, KEX_METHODS_SIZE * sizeof(char **));
|
memset(client->methods, 0, KEX_METHODS_SIZE * sizeof(char **));
|
||||||
/* first check if we have specific host key methods */
|
/* first check if we have specific host key methods */
|
||||||
if(session->opts.wanted_methods[SSH_HOSTKEYS] == NULL){
|
if (session->opts.wanted_methods[SSH_HOSTKEYS] == NULL) {
|
||||||
/* Only if no override */
|
/* Only if no override */
|
||||||
session->opts.wanted_methods[SSH_HOSTKEYS] =
|
session->opts.wanted_methods[SSH_HOSTKEYS] =
|
||||||
ssh_client_select_hostkeys(session);
|
ssh_client_select_hostkeys(session);
|
||||||
|
|||||||
@ -312,8 +312,9 @@ torture_knownhosts_algorithms(void **state)
|
|||||||
const char *knownhosts_file = *state;
|
const char *knownhosts_file = *state;
|
||||||
char *algo_list = NULL;
|
char *algo_list = NULL;
|
||||||
ssh_session session;
|
ssh_session session;
|
||||||
const char *expect = "ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521,"
|
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,"
|
||||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"
|
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||||
|
"ecdsa-sha2-nistp256"
|
||||||
#ifdef HAVE_DSA
|
#ifdef HAVE_DSA
|
||||||
",ssh-dss"
|
",ssh-dss"
|
||||||
#endif
|
#endif
|
||||||
@ -341,8 +342,9 @@ torture_knownhosts_algorithms_global(void **state)
|
|||||||
const char *knownhosts_file = *state;
|
const char *knownhosts_file = *state;
|
||||||
char *algo_list = NULL;
|
char *algo_list = NULL;
|
||||||
ssh_session session;
|
ssh_session session;
|
||||||
const char *expect = "ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521,"
|
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,"
|
||||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"
|
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||||
|
"ecdsa-sha2-nistp256"
|
||||||
#ifdef HAVE_DSA
|
#ifdef HAVE_DSA
|
||||||
",ssh-dss"
|
",ssh-dss"
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
Загрузка…
x
Ссылка в новой задаче
Block a user