lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-09-08 15:12:05 +03:00
Code Activity

Remove support for DSA Keys

Browse Source 
Solving issue #110. The original work is at !231
Some changes were needed because the newly added features in master through time

Signed-off-by: Mohammad Shehar Yaar Tausif <sheharyaar48@gmail.com>
Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Mohammad Shehar Yaar Tausif
2022-03-11 22:00:20 +05:30
committed by Jakub Jelen
parent 486df37a84
commit a3a13eb3a8
60 changed files with 80 additions and 2912 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.gitlab-ci.yml
View File

@@ -19,7 +19,7 @@ stages:
stage: build stage: build
variables: variables:
CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON" CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON"
CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON -DWITH_DSA=ON" CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON"
CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON" CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON"
CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
before_script: &build before_script: &build
@@ -156,7 +156,6 @@ fedora/openssl_3.0.x/x86_64/minimal:
-DWITH_SERVER=OFF -DWITH_SERVER=OFF
-DWITH_ZLIB=OFF -DWITH_ZLIB=OFF
-DWITH_PCAP=OFF -DWITH_PCAP=OFF
-DWITH_DSA=OFF
-DUNIT_TESTING=ON -DUNIT_TESTING=ON
-DCLIENT_TESTING=ON -DCLIENT_TESTING=ON
-DWITH_GEX=OFF .. && -DWITH_GEX=OFF .. &&
@@ -220,7 +219,7 @@ fedora/libgcrypt/x86_64:
fedora/mbedtls/x86_64: fedora/mbedtls/x86_64:
extends: .fedora extends: .fedora
variables: variables:
CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DSA=OFF" CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON "
# Unit testing only, no client and pkd testing, because cwrap is not available # Unit testing only, no client and pkd testing, because cwrap is not available
# for MinGW # for MinGW
@@ -291,7 +290,7 @@ fedora/csbuild/openssl_3.0.x:
script: script:
- csbuild - csbuild
--build-dir=obj-csbuild --build-dir=obj-csbuild
--build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)" --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE --git-commit-range $CI_COMMIT_RANGE
--color --color
--print-current --print-fixed --print-current --print-fixed
@@ -301,7 +300,7 @@ fedora/csbuild/libgcrypt:
script: script:
- csbuild - csbuild
--build-dir=obj-csbuild --build-dir=obj-csbuild
--build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)" --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE --git-commit-range $CI_COMMIT_RANGE
--color --color
--print-current --print-fixed --print-current --print-fixed
@@ -360,7 +359,6 @@ tumbleweed/openssl_1.1.x/x86/gcc:
-DWITH_SERVER=ON -DWITH_SERVER=ON
-DWITH_ZLIB=ON -DWITH_ZLIB=ON
-DWITH_PCAP=ON -DWITH_PCAP=ON
-DWITH_DSA=ON
-DUNIT_TESTING=ON .. -DUNIT_TESTING=ON ..
tumbleweed/openssl_1.1.x/x86_64/gcc7: tumbleweed/openssl_1.1.x/x86_64/gcc7:
@@ -376,7 +374,6 @@ tumbleweed/openssl_1.1.x/x86/gcc7:
-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7 -DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
$CMAKE_DEFAULT_OPTIONS $CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
-DWITH_DSA=ON
-DUNIT_TESTING=ON .. && -DUNIT_TESTING=ON .. &&
make -j$(nproc) && make -j$(nproc) &&
ctest --output-on-failure ctest --output-on-failure

13
ConfigureChecks.cmake
View File

@@ -143,12 +143,6 @@ if (NOT WITH_GCRYPT AND NOT WITH_MBEDTLS)
endif () endif ()
if (WITH_DSA)
if (NOT WITH_MBEDTLS)
set(HAVE_DSA 1)
endif (NOT WITH_MBEDTLS)
endif()
# FUNCTIONS # FUNCTIONS
check_function_exists(isblank HAVE_ISBLANK) check_function_exists(isblank HAVE_ISBLANK)
@@ -469,13 +463,6 @@ if (WITH_PKCS11_URI)
endif() endif()
endif() endif()
if (WITH_MBEDTLS)
if (WITH_DSA)
message(FATAL_ERROR "DSA is not supported with mbedTLS crypto")
set(HAVE_DSA 0)
endif()
endif()
# ENDIAN # ENDIAN
if (NOT WIN32) if (NOT WIN32)
test_big_endian(WORDS_BIGENDIAN) test_big_endian(WORDS_BIGENDIAN)

1
DefineOptions.cmake
View File

@@ -5,7 +5,6 @@ option(WITH_SERVER "Build with SSH server support" ON)
option(WITH_DEBUG_CRYPTO "Build with crypto debug output" OFF) option(WITH_DEBUG_CRYPTO "Build with crypto debug output" OFF)
option(WITH_DEBUG_PACKET "Build with packet debug output" OFF) option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON) option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
option(WITH_DSA "Build with DSA" OFF)
option(WITH_GCRYPT "Compile against libgcrypt" OFF) option(WITH_GCRYPT "Compile against libgcrypt" OFF)
option(WITH_MBEDTLS "Compile against libmbedtls" OFF) option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF) option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)

3
config.h.cmake
View File

@@ -91,9 +91,6 @@
/* Define to 1 if you have elliptic curve cryptography */ /* Define to 1 if you have elliptic curve cryptography */
#cmakedefine HAVE_ECC 1 #cmakedefine HAVE_ECC 1
/* Define to 1 if you have DSA */
#cmakedefine HAVE_DSA 1
/* Define to 1 if you have gl_flags as a glob_t sturct member */ /* Define to 1 if you have gl_flags as a glob_t sturct member */
#cmakedefine HAVE_GLOB_GL_FLAGS_MEMBER 1 #cmakedefine HAVE_GLOB_GL_FLAGS_MEMBER 1

4
doc/guided_tour.dox
View File

@@ -5,7 +5,7 @@
A SSH session goes through the following steps: A SSH session goes through the following steps:
- Before connecting to the server, you can set up if you wish one or other - Before connecting to the server, you can set up if you wish one or other
server public key authentication, i.e. DSA or RSA. You can choose server public key authentication, i.e. RSA, ED25519 or ECDSA. You can choose
cryptographic algorithms you trust and compression algorithms if any. You cryptographic algorithms you trust and compression algorithms if any. You
must of course set up the hostname. must of course set up the hostname.
@@ -15,7 +15,7 @@ A SSH session goes through the following steps:
file. file.
- The client must authenticate: the classical ways are password, or - The client must authenticate: the classical ways are password, or
public keys (from dsa and rsa key-pairs generated by openssh). public keys (from ecdsa, ed25519 and rsa key-pairs generated by openssh).
If a SSH agent is running, it is possible to use it. If a SSH agent is running, it is possible to use it.
- Now that the user has been authenticated, you must open one or several - Now that the user has been authenticated, you must open one or several

2
doc/mainpage.dox
View File

@@ -20,7 +20,7 @@ the interesting functions as you go.
The libssh library provides: The libssh library provides:
- <strong>Key Exchange Methods</strong>: <i>curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521</i>, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1 - <strong>Key Exchange Methods</strong>: <i>curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521</i>, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
- <strong>Public Key Algorithms</strong>: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256,ssh-dss - <strong>Public Key Algorithms</strong>: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256
- <strong>Ciphers</strong>: <i>aes256-ctr, aes192-ctr, aes128-ctr</i>, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc - <strong>Ciphers</strong>: <i>aes256-ctr, aes192-ctr, aes128-ctr</i>, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
- <strong>Compression Schemes</strong>: zlib, <i>zlib@openssh.com</i>, none - <strong>Compression Schemes</strong>: zlib, <i>zlib@openssh.com</i>, none
- <strong>MAC hashes</strong>: hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5 - <strong>MAC hashes</strong>: hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5

29
examples/keygen2.c
View File

@@ -52,7 +52,6 @@ static struct argp_option options[] = {
"Accepted values are: " "Accepted values are: "
"1024, 2048, 3072 (default), 4096, and 8192 for TYPE=\"rsa\"; " "1024, 2048, 3072 (default), 4096, and 8192 for TYPE=\"rsa\"; "
"256 (default), 384, and 521 for TYPE=\"ecdsa\"; " "256 (default), 384, and 521 for TYPE=\"ecdsa\"; "
"1024 (default) and 2048 for TYPE=\"dsa\"; "
"can be omitted for TYPE=\"ed25519\" " "can be omitted for TYPE=\"ed25519\" "
"(it will be ignored if provided).\n", "(it will be ignored if provided).\n",
.group = 0 .group = 0
@@ -86,7 +85,7 @@ static struct argp_option options[] = {
.flags = 0, .flags = 0,
.doc = "The type of the key to be generated. " .doc = "The type of the key to be generated. "
"Accepted values are: " "Accepted values are: "
"\"rsa\", \"ecdsa\", \"ed25519\", and \"dsa\".\n", "\"rsa\", \"ecdsa\", and \"ed25519\".\n",
.group = 0 .group = 0
}, },
{ {
@@ -153,9 +152,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
if (!strcmp(arg, "rsa")) { if (!strcmp(arg, "rsa")) {
arguments->type = SSH_KEYTYPE_RSA; arguments->type = SSH_KEYTYPE_RSA;
} }
else if (!strcmp(arg, "dsa")) {
arguments->type = SSH_KEYTYPE_DSS;
}
else if (!strcmp(arg, "ecdsa")) { else if (!strcmp(arg, "ecdsa")) {
arguments->type = SSH_KEYTYPE_ECDSA; arguments->type = SSH_KEYTYPE_ECDSA;
} }
@@ -253,29 +249,6 @@ static int validate_args(struct arguments_st *args)
} }
} }
break;
case SSH_KEYTYPE_DSS:
switch (args->bits) {
case 0:
/* If not provided, use default value */
args->bits = 1024;
break;
case 1024:
case 2048:
break;
default:
fprintf(stderr, "Error: Invalid bits parameter provided\n");
rc = EINVAL;
break;
}
if (args->file == NULL) {
args->file = strdup("id_dsa");
if (args->file == NULL) {
rc = ENOMEM;
break;
}
}
break; break;
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
/* Ignore value and overwrite with a zero */ /* Ignore value and overwrite with a zero */

11
examples/proxy.c
View File

@@ -142,14 +142,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.", .doc = "Set the host key.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the dsa key.",
.group = 0
},
{ {
.name = "rsakey", .name = "rsakey",
.key = 'r', .key = 'r',
@@ -180,9 +172,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p': case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break; break;
case 'd':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
break;
case 'k': case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break; break;

12
examples/samplesshd-cb.c
View File

@@ -172,14 +172,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.", .doc = "Set the host key.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the dsa key.",
.group = 0
},
{ {
.name = "rsakey", .name = "rsakey",
.key = 'r', .key = 'r',
@@ -218,9 +210,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p': case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break; break;
case 'd':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
break;
case 'k': case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break; break;
@@ -278,7 +267,6 @@ int main(int argc, char **argv){
sshbind=ssh_bind_new(); sshbind=ssh_bind_new();
session=ssh_new(); session=ssh_new();
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key"); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
#ifdef HAVE_ARGP_H #ifdef HAVE_ARGP_H

13
examples/samplesshd-kbdint.c
View File

@@ -112,14 +112,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.", .doc = "Set the host key.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the dsa key.",
.group = 0
},
{ {
.name = "rsakey", .name = "rsakey",
.key = 'r', .key = 'r',
@@ -151,9 +143,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
port = atoi(arg); port = atoi(arg);
break; break;
case 'd':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
break;
case 'k': case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break; break;
@@ -306,8 +295,6 @@ int main(int argc, char **argv){
sshbind=ssh_bind_new(); sshbind=ssh_bind_new();
session=ssh_new(); session=ssh_new();
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
KEYS_FOLDER "ssh_host_rsa_key"); KEYS_FOLDER "ssh_host_rsa_key");

1
examples/ssh_client.c
View File

@@ -94,7 +94,6 @@ static void usage(void)
"Options :\n" "Options :\n"
" -l user : log in as user\n" " -l user : log in as user\n"
" -p port : connect to port\n" " -p port : connect to port\n"
" -d : use DSS to verify host public key\n"
" -r : use RSA to verify host public key\n" " -r : use RSA to verify host public key\n"
" -F file : parse configuration file instead of default one\n" " -F file : parse configuration file instead of default one\n"
#ifdef WITH_PCAP #ifdef WITH_PCAP

28
examples/ssh_server.c
View File

@@ -58,16 +58,11 @@ The goal is to show the API in action.
static void set_default_keys(ssh_bind sshbind, static void set_default_keys(ssh_bind sshbind,
int rsa_already_set, int rsa_already_set,
int dsa_already_set,
int ecdsa_already_set) { int ecdsa_already_set) {
if (!rsa_already_set) { if (!rsa_already_set) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
KEYS_FOLDER "ssh_host_rsa_key"); KEYS_FOLDER "ssh_host_rsa_key");
} }
if (!dsa_already_set) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
KEYS_FOLDER "ssh_host_dsa_key");
}
if (!ecdsa_already_set) { if (!ecdsa_already_set) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY, ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY,
KEYS_FOLDER "ssh_host_ecdsa_key"); KEYS_FOLDER "ssh_host_ecdsa_key");
@@ -109,14 +104,6 @@ static struct argp_option options[] = {
"Implies no default keys.", "Implies no default keys.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the dsa key.",
.group = 0
},
{ {
.name = "rsakey", .name = "rsakey",
.key = 'r', .key = 'r',
@@ -182,7 +169,7 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
* know is a pointer to our arguments structure. */ * know is a pointer to our arguments structure. */
ssh_bind sshbind = state->input; ssh_bind sshbind = state->input;
static int no_default_keys = 0; static int no_default_keys = 0;
static int rsa_already_set = 0, dsa_already_set = 0, ecdsa_already_set = 0; static int rsa_already_set = 0, ecdsa_already_set = 0;
switch (key) { switch (key) {
case 'n': case 'n':
@@ -191,10 +178,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p': case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break; break;
case 'd':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
dsa_already_set = 1;
break;
case 'k': case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
/* We can't track the types of keys being added with this /* We can't track the types of keys being added with this
@@ -239,7 +222,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
if (!no_default_keys) { if (!no_default_keys) {
set_default_keys(sshbind, set_default_keys(sshbind,
rsa_already_set, rsa_already_set,
dsa_already_set,
ecdsa_already_set); ecdsa_already_set);
} }
@@ -256,18 +238,14 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
static int parse_opt(int argc, char **argv, ssh_bind sshbind) { static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
int no_default_keys = 0; int no_default_keys = 0;
int rsa_already_set = 0; int rsa_already_set = 0;
int dsa_already_set = 0;
int ecdsa_already_set = 0; int ecdsa_already_set = 0;
int key; int key;
while((key = getopt(argc, argv, "a:d:e:k:np:P:r:u:v")) != -1) { while((key = getopt(argc, argv, "a:e:k:np:P:r:u:v")) != -1) {
if (key == 'n') { if (key == 'n') {
no_default_keys = 1; no_default_keys = 1;
} else if (key == 'p') { } else if (key == 'p') {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, optarg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, optarg);
} else if (key == 'd') {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, optarg);
dsa_already_set = 1;
} else if (key == 'k') { } else if (key == 'k') {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg);
/* We can't track the types of keys being added with this /* We can't track the types of keys being added with this
@@ -299,7 +277,6 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
"libssh %s -- a Secure Shell protocol implementation\n" "libssh %s -- a Secure Shell protocol implementation\n"
"\n" "\n"
" -a, --authorizedkeys=FILE Set the authorized keys file.\n" " -a, --authorizedkeys=FILE Set the authorized keys file.\n"
" -d, --dsakey=FILE Set the dsa key.\n"
" -e, --ecdsakey=FILE Set the ecdsa key.\n" " -e, --ecdsakey=FILE Set the ecdsa key.\n"
" -k, --hostkey=FILE Set a host key. Can be used multiple times.\n" " -k, --hostkey=FILE Set a host key. Can be used multiple times.\n"
" Implies no default keys.\n" " Implies no default keys.\n"
@@ -329,7 +306,6 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
if (!no_default_keys) { if (!no_default_keys) {
set_default_keys(sshbind, set_default_keys(sshbind,
rsa_already_set, rsa_already_set,
dsa_already_set,
ecdsa_already_set); ecdsa_already_set);
} }

14
examples/sshd_direct-tcpip.c
View File

@@ -15,7 +15,7 @@ clients must be made or how a client should react.
/* /*
Example: Example:
./sshd_direct-tcpip -v -p 2022 -d serverkey.dsa -r serverkey.rsa 127.0.0.1 ./sshd_direct-tcpip -v -p 2022 -r serverkey.rsa 127.0.0.1
*/ */
#include "config.h" #include "config.h"
@@ -586,14 +586,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.", .doc = "Set the host key.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the dsa key.",
.group = 0
},
{ {
.name = "rsakey", .name = "rsakey",
.key = 'r', .key = 'r',
@@ -626,9 +618,6 @@ parse_opt (int key, char *arg, struct argp_state *state)
case 'p': case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break; break;
case 'd':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
break;
case 'k': case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break; break;
@@ -685,7 +674,6 @@ main(int argc, char **argv)
session = ssh_new(); session = ssh_new();
mainloop = ssh_event_new(); mainloop = ssh_event_new();
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key"); ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
#ifdef HAVE_ARGP_H #ifdef HAVE_ARGP_H

2
include/libssh/bind.h
View File

@@ -39,11 +39,9 @@ struct ssh_bind_struct {
char *wanted_methods[SSH_KEX_METHODS]; char *wanted_methods[SSH_KEX_METHODS];
char *banner; char *banner;
char *ecdsakey; char *ecdsakey;
char *dsakey;
char *rsakey; char *rsakey;
char *ed25519key; char *ed25519key;
ssh_key ecdsa; ssh_key ecdsa;
ssh_key dsa;
ssh_key rsa; ssh_key rsa;
ssh_key ed25519; ssh_key ed25519;
char *bindaddr; char *bindaddr;

4
include/libssh/keys.h
View File

@@ -29,26 +29,22 @@ struct ssh_public_key_struct {
int type; int type;
const char *type_c; /* Don't free it ! it is static */ const char *type_c; /* Don't free it ! it is static */
#if defined(HAVE_LIBGCRYPT) #if defined(HAVE_LIBGCRYPT)
gcry_sexp_t dsa_pub;
gcry_sexp_t rsa_pub; gcry_sexp_t rsa_pub;
#elif defined(HAVE_LIBCRYPTO) #elif defined(HAVE_LIBCRYPTO)
EVP_PKEY *key_pub; EVP_PKEY *key_pub;
#elif defined(HAVE_LIBMBEDCRYPTO) #elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa_pub; mbedtls_pk_context *rsa_pub;
void *dsa_pub;
#endif #endif
}; };
struct ssh_private_key_struct { struct ssh_private_key_struct {
int type; int type;
#if defined(HAVE_LIBGCRYPT) #if defined(HAVE_LIBGCRYPT)
gcry_sexp_t dsa_priv;
gcry_sexp_t rsa_priv; gcry_sexp_t rsa_priv;
#elif defined(HAVE_LIBCRYPTO) #elif defined(HAVE_LIBCRYPTO)
EVP_PKEY *key_priv; EVP_PKEY *key_priv;
#elif defined(HAVE_LIBMBEDCRYPTO) #elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa_priv; mbedtls_pk_context *rsa_priv;
void *dsa_priv;
#endif #endif
}; };

1
include/libssh/libcrypto.h
View File

@@ -26,7 +26,6 @@
#ifdef HAVE_LIBCRYPTO #ifdef HAVE_LIBCRYPTO
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include <openssl/dsa.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/sha.h> #include <openssl/sha.h>
#include <openssl/md5.h> #include <openssl/md5.h>

4
include/libssh/libssh.h
View File

@@ -272,12 +272,12 @@ enum ssh_error_types_e {
/* some types for keys */ /* some types for keys */
enum ssh_keytypes_e{ enum ssh_keytypes_e{
SSH_KEYTYPE_UNKNOWN=0, SSH_KEYTYPE_UNKNOWN=0,
SSH_KEYTYPE_DSS=1, SSH_KEYTYPE_DSS=1, /* deprecated */
SSH_KEYTYPE_RSA, SSH_KEYTYPE_RSA,
SSH_KEYTYPE_RSA1, SSH_KEYTYPE_RSA1,
SSH_KEYTYPE_ECDSA, /* deprecated */ SSH_KEYTYPE_ECDSA, /* deprecated */
SSH_KEYTYPE_ED25519, SSH_KEYTYPE_ED25519,
SSH_KEYTYPE_DSS_CERT01, SSH_KEYTYPE_DSS_CERT01, /* deprecated */
SSH_KEYTYPE_RSA_CERT01, SSH_KEYTYPE_RSA_CERT01,
SSH_KEYTYPE_ECDSA_P256, SSH_KEYTYPE_ECDSA_P256,
SSH_KEYTYPE_ECDSA_P384, SSH_KEYTYPE_ECDSA_P384,

14
include/libssh/pki.h
View File

@@ -57,13 +57,11 @@ struct ssh_key_struct {
const char *type_c; /* Don't free it ! it is static */ const char *type_c; /* Don't free it ! it is static */
int ecdsa_nid; int ecdsa_nid;
#if defined(HAVE_LIBGCRYPT) #if defined(HAVE_LIBGCRYPT)
gcry_sexp_t dsa;
gcry_sexp_t rsa; gcry_sexp_t rsa;
gcry_sexp_t ecdsa; gcry_sexp_t ecdsa;
#elif defined(HAVE_LIBMBEDCRYPTO) #elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa; mbedtls_pk_context *rsa;
mbedtls_ecdsa_context *ecdsa; mbedtls_ecdsa_context *ecdsa;
void *dsa;
#elif defined(HAVE_LIBCRYPTO) #elif defined(HAVE_LIBCRYPTO)
/* This holds either ENGINE key for PKCS#11 support or just key in /* This holds either ENGINE key for PKCS#11 support or just key in
* high-level format */ * high-level format */
@@ -85,7 +83,6 @@ struct ssh_signature_struct {
enum ssh_digest_e hash_type; enum ssh_digest_e hash_type;
const char *type_c; const char *type_c;
#if defined(HAVE_LIBGCRYPT) #if defined(HAVE_LIBGCRYPT)
gcry_sexp_t dsa_sig;
gcry_sexp_t rsa_sig; gcry_sexp_t rsa_sig;
gcry_sexp_t ecdsa_sig; gcry_sexp_t ecdsa_sig;
#elif defined(HAVE_LIBMBEDCRYPTO) #elif defined(HAVE_LIBMBEDCRYPTO)
@@ -124,12 +121,11 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name);
((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521) ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
#define is_cert_type(kt)\ #define is_cert_type(kt)\
((kt) == SSH_KEYTYPE_DSS_CERT01 ||\ ((kt) == SSH_KEYTYPE_RSA_CERT01 ||\
(kt) == SSH_KEYTYPE_RSA_CERT01 ||\ (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
(kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\ (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
(kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\ ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\ (kt) <= SSH_KEYTYPE_ED25519_CERT01))
(kt) <= SSH_KEYTYPE_ED25519_CERT01))
/* SSH Signature Functions */ /* SSH Signature Functions */
ssh_signature ssh_signature_new(void); ssh_signature ssh_signature_new(void);

14
include/libssh/pki_priv.h
View File

@@ -38,8 +38,6 @@ int bcrypt_pbkdf(const char *pass,
#define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----" #define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
#define RSA_HEADER_END "-----END RSA PRIVATE KEY-----" #define RSA_HEADER_END "-----END RSA PRIVATE KEY-----"
#define DSA_HEADER_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
#define DSA_HEADER_END "-----END DSA PRIVATE KEY-----"
#define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----" #define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----"
#define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----" #define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----"
#define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----" #define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----"
@@ -65,7 +63,6 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
/* SSH Key Functions */ /* SSH Key Functions */
ssh_key pki_key_dup(const ssh_key key, int demote); ssh_key pki_key_dup(const ssh_key key, int demote);
int pki_key_generate_rsa(ssh_key key, int parameter); int pki_key_generate_rsa(ssh_key key, int parameter);
int pki_key_generate_dss(ssh_key key, int parameter);
int pki_key_generate_ecdsa(ssh_key key, int parameter); int pki_key_generate_ecdsa(ssh_key key, int parameter);
int pki_key_generate_ed25519(ssh_key key); int pki_key_generate_ed25519(ssh_key key);
@@ -91,11 +88,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
ssh_key *pkey); ssh_key *pkey);
/* SSH Public Key Functions */ /* SSH Public Key Functions */
int pki_pubkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey);
int pki_pubkey_build_rsa(ssh_key key, int pki_pubkey_build_rsa(ssh_key key,
ssh_string e, ssh_string e,
ssh_string n); ssh_string n);
@@ -103,12 +95,6 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e);
ssh_string pki_publickey_to_blob(const ssh_key key); ssh_string pki_publickey_to_blob(const ssh_key key);
/* SSH Private Key Functions */ /* SSH Private Key Functions */
int pki_privkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey,
ssh_string privkey);
int pki_privkey_build_rsa(ssh_key key, int pki_privkey_build_rsa(ssh_key key,
ssh_string n, ssh_string n,
ssh_string e, ssh_string e,

2
include/libssh/server.h
View File

@@ -40,7 +40,7 @@ enum ssh_bind_options_e {
SSH_BIND_OPTIONS_BINDPORT, SSH_BIND_OPTIONS_BINDPORT,
SSH_BIND_OPTIONS_BINDPORT_STR, SSH_BIND_OPTIONS_BINDPORT_STR,
SSH_BIND_OPTIONS_HOSTKEY, SSH_BIND_OPTIONS_HOSTKEY,
SSH_BIND_OPTIONS_DSAKEY, SSH_BIND_OPTIONS_DSAKEY, /* deprecated */
SSH_BIND_OPTIONS_RSAKEY, SSH_BIND_OPTIONS_RSAKEY,
SSH_BIND_OPTIONS_BANNER, SSH_BIND_OPTIONS_BANNER,
SSH_BIND_OPTIONS_LOG_VERBOSITY, SSH_BIND_OPTIONS_LOG_VERBOSITY,

1
include/libssh/session.h
View File

@@ -191,7 +191,6 @@ struct ssh_session_struct {
/* server host keys */ /* server host keys */
struct { struct {
ssh_key rsa_key; ssh_key rsa_key;
ssh_key dsa_key;
ssh_key ecdsa_key; ssh_key ecdsa_key;
ssh_key ed25519_key; ssh_key ed25519_key;
/* The type of host key wanted by client */ /* The type of host key wanted by client */

2
src/auth.c
View File

@@ -1502,7 +1502,6 @@ int ssh_userauth_agent_pubkey(ssh_session session,
key->type_c = ssh_key_type_to_char(key->type); key->type_c = ssh_key_type_to_char(key->type);
key->flags = SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = publickey->dsa_pub;
key->rsa = publickey->rsa_pub; key->rsa = publickey->rsa_pub;
#else #else
key->key = publickey->key_pub; key->key = publickey->key_pub;
@@ -1511,7 +1510,6 @@ int ssh_userauth_agent_pubkey(ssh_session session,
rc = ssh_userauth_agent_publickey(session, username, key); rc = ssh_userauth_agent_publickey(session, username, key);
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = NULL;
key->rsa = NULL; key->rsa = NULL;
#else #else
key->key = NULL; key->key = NULL;

45
src/bind.c
View File

@@ -150,11 +150,10 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
int rc; int rc;
if (sshbind->ecdsakey == NULL && if (sshbind->ecdsakey == NULL &&
sshbind->dsakey == NULL &&
sshbind->rsakey == NULL && sshbind->rsakey == NULL &&
sshbind->ed25519key == NULL) { sshbind->ed25519key == NULL) {
ssh_set_error(sshbind, SSH_FATAL, ssh_set_error(sshbind, SSH_FATAL,
"ECDSA, ED25519, DSA, or RSA host key file must be set"); "ECDSA, ED25519, or RSA host key file must be set");
return SSH_ERROR; return SSH_ERROR;
} }
@@ -181,30 +180,6 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
} }
#endif #endif
#ifdef HAVE_DSA
if (sshbind->dsa == NULL && sshbind->dsakey != NULL) {
rc = ssh_pki_import_privkey_file(sshbind->dsakey,
NULL,
NULL,
NULL,
&sshbind->dsa);
if (rc == SSH_ERROR || rc == SSH_EOF) {
ssh_set_error(sshbind, SSH_FATAL,
"Failed to import private DSA host key");
return SSH_ERROR;
}
if (ssh_key_type(sshbind->dsa) != SSH_KEYTYPE_DSS) {
ssh_set_error(sshbind, SSH_FATAL,
"The DSA host key has the wrong type: %d",
ssh_key_type(sshbind->dsa));
ssh_key_free(sshbind->dsa);
sshbind->dsa = NULL;
return SSH_ERROR;
}
}
#endif
if (sshbind->rsa == NULL && sshbind->rsakey != NULL) { if (sshbind->rsa == NULL && sshbind->rsakey != NULL) {
rc = ssh_pki_import_privkey_file(sshbind->rsakey, rc = ssh_pki_import_privkey_file(sshbind->rsakey,
NULL, NULL,
@@ -256,7 +231,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
int rc; int rc;
if (sshbind->rsa == NULL && if (sshbind->rsa == NULL &&
sshbind->dsa == NULL &&
sshbind->ecdsa == NULL && sshbind->ecdsa == NULL &&
sshbind->ed25519 == NULL) { sshbind->ed25519 == NULL) {
rc = ssh_bind_import_keys(sshbind); rc = ssh_bind_import_keys(sshbind);
@@ -273,8 +247,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
fd = bind_socket(sshbind, host, sshbind->bindport); fd = bind_socket(sshbind, host, sshbind->bindport);
if (fd == SSH_INVALID_SOCKET) { if (fd == SSH_INVALID_SOCKET) {
ssh_key_free(sshbind->dsa);
sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa); ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL; sshbind->rsa = NULL;
/* XXX should this clear also other structures that were allocated */ /* XXX should this clear also other structures that were allocated */
@@ -287,8 +259,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
"Listening to socket %d: %s", "Listening to socket %d: %s",
fd, ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX)); fd, ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
CLOSE_SOCKET(fd); CLOSE_SOCKET(fd);
ssh_key_free(sshbind->dsa);
sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa); ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL; sshbind->rsa = NULL;
/* XXX should this clear also other structures that were allocated */ /* XXX should this clear also other structures that were allocated */
@@ -401,13 +371,10 @@ void ssh_bind_free(ssh_bind sshbind){
SAFE_FREE(sshbind->config_dir); SAFE_FREE(sshbind->config_dir);
SAFE_FREE(sshbind->pubkey_accepted_key_types); SAFE_FREE(sshbind->pubkey_accepted_key_types);
SAFE_FREE(sshbind->dsakey);
SAFE_FREE(sshbind->rsakey); SAFE_FREE(sshbind->rsakey);
SAFE_FREE(sshbind->ecdsakey); SAFE_FREE(sshbind->ecdsakey);
SAFE_FREE(sshbind->ed25519key); SAFE_FREE(sshbind->ed25519key);
ssh_key_free(sshbind->dsa);
sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa); ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL; sshbind->rsa = NULL;
ssh_key_free(sshbind->ecdsa); ssh_key_free(sshbind->ecdsa);
@@ -531,7 +498,6 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
* only using ssh_bind_accept_fd to manage sockets ourselves. * only using ssh_bind_accept_fd to manage sockets ourselves.
*/ */
if (sshbind->rsa == NULL && if (sshbind->rsa == NULL &&
sshbind->dsa == NULL &&
sshbind->ecdsa == NULL && sshbind->ecdsa == NULL &&
sshbind->ed25519 == NULL) { sshbind->ed25519 == NULL) {
rc = ssh_bind_import_keys(sshbind); rc = ssh_bind_import_keys(sshbind);
@@ -548,15 +514,6 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
return SSH_ERROR; return SSH_ERROR;
} }
} }
#endif
#ifdef HAVE_DSA
if (sshbind->dsa) {
session->srv.dsa_key = ssh_key_dup(sshbind->dsa);
if (session->srv.dsa_key == NULL) {
ssh_set_error_oom(sshbind);
return SSH_ERROR;
}
}
#endif #endif
if (sshbind->rsa) { if (sshbind->rsa) {
session->srv.rsa_key = ssh_key_dup(sshbind->rsa); session->srv.rsa_key = ssh_key_dup(sshbind->rsa);

2
src/curve25519.c
View File

@@ -381,7 +381,7 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
ssh_string q_s_string = NULL; ssh_string q_s_string = NULL;
ssh_string server_pubkey_blob = NULL; ssh_string server_pubkey_blob = NULL;
/* SSH host keys (rsa,dsa,ecdsa) */ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey = NULL; ssh_key privkey = NULL;
enum ssh_digest_e digest = SSH_DIGEST_AUTO; enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL; ssh_string sig_blob = NULL;

2
src/ecdh_crypto.c
View File

@@ -431,7 +431,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init)
/* ECDH keys */ /* ECDH keys */
ssh_string q_c_string = NULL; ssh_string q_c_string = NULL;
ssh_string q_s_string = NULL; ssh_string q_s_string = NULL;
/* SSH host keys (rsa,dsa,ecdsa) */ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey; ssh_key privkey;
enum ssh_digest_e digest = SSH_DIGEST_AUTO; enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL; ssh_string sig_blob = NULL;

2
src/ecdh_gcrypt.c
View File

@@ -271,7 +271,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
ssh_string q_s_string; ssh_string q_s_string;
gcry_sexp_t param = NULL; gcry_sexp_t param = NULL;
gcry_sexp_t key = NULL; gcry_sexp_t key = NULL;
/* SSH host keys (rsa,dsa,ecdsa) */ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey; ssh_key privkey;
enum ssh_digest_e digest = SSH_DIGEST_AUTO; enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL; ssh_string sig_blob = NULL;

14
src/kex.c
View File

@@ -118,14 +118,6 @@
#define EC_PUBLIC_KEY_ALGORITHMS "" #define EC_PUBLIC_KEY_ALGORITHMS ""
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifdef HAVE_DSA
#define DSA_HOSTKEYS ",ssh-dss"
#define DSA_PUBLIC_KEY_ALGORITHMS ",ssh-dss-cert-v01@openssh.com"
#else
#define DSA_HOSTKEYS ""
#define DSA_PUBLIC_KEY_ALGORITHMS ""
#endif /* HAVE_DSA */
#ifdef WITH_INSECURE_NONE #ifdef WITH_INSECURE_NONE
#define NONE ",none" #define NONE ",none"
#else #else
@@ -138,8 +130,7 @@
EC_SK_HOSTKEYS \ EC_SK_HOSTKEYS \
"rsa-sha2-512," \ "rsa-sha2-512," \
"rsa-sha2-256," \ "rsa-sha2-256," \
"ssh-rsa" \ "ssh-rsa"
DSA_HOSTKEYS
#define DEFAULT_HOSTKEYS "ssh-ed25519," \ #define DEFAULT_HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \ EC_HOSTKEYS \
"sk-ssh-ed25519@openssh.com," \ "sk-ssh-ed25519@openssh.com," \
@@ -152,8 +143,7 @@
EC_PUBLIC_KEY_ALGORITHMS \ EC_PUBLIC_KEY_ALGORITHMS \
"rsa-sha2-512-cert-v01@openssh.com," \ "rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \ "rsa-sha2-256-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com" \ "ssh-rsa-cert-v01@openssh.com," \
DSA_PUBLIC_KEY_ALGORITHMS "," \
HOSTKEYS HOSTKEYS
#define DEFAULT_PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \ #define DEFAULT_PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
EC_PUBLIC_KEY_ALGORITHMS \ EC_PUBLIC_KEY_ALGORITHMS \

4
src/known_hosts.c
View File

@@ -70,7 +70,7 @@
* @param[out] found_type A pointer to a string to be set with the found key * @param[out] found_type A pointer to a string to be set with the found key
* type. * type.
* *
* @returns The found_type type of key (ie "dsa","ssh-rsa"). Don't * @returns The found_type type of key (ie "ssh-rsa"). Don't
* free that value. NULL if no match was found or the file * free that value. NULL if no match was found or the file
* was not found. * was not found.
*/ */
@@ -152,7 +152,7 @@ static int check_public_key(ssh_session session, char **tokens) {
char *pubkey_64; char *pubkey_64;
int rc; int rc;
/* ssh-dss or ssh-rsa */ /* ssh-rsa, ssh-ed25519, .. */
pubkey_64 = tokens[2]; pubkey_64 = tokens[2];
pubkey_buffer = base64_to_bin(pubkey_64); pubkey_buffer = base64_to_bin(pubkey_64);

7
src/knownhosts.c
View File

@@ -482,13 +482,6 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
return "ssh-ed25519"; return "ssh-ed25519";
case SSH_KEYTYPE_SK_ED25519: case SSH_KEYTYPE_SK_ED25519:
return "sk-ssh-ed25519@openssh.com"; return "sk-ssh-ed25519@openssh.com";
#ifdef HAVE_DSA
case SSH_KEYTYPE_DSS:
return "ssh-dss";
#else
SSH_LOG(SSH_LOG_WARN, "DSS keys are not supported by this build");
break;
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
return "ecdsa-sha2-nistp256"; return "ecdsa-sha2-nistp256";

18
src/legacy.c
View File

@@ -84,7 +84,6 @@ int ssh_userauth_pubkey(ssh_session session,
key->type_c = ssh_key_type_to_char(key->type); key->type_c = ssh_key_type_to_char(key->type);
key->flags = SSH_KEY_FLAG_PRIVATE|SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PRIVATE|SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = privatekey->dsa_priv;
key->rsa = privatekey->rsa_priv; key->rsa = privatekey->rsa_priv;
#else #else
key->key = privatekey->key_priv; key->key = privatekey->key_priv;
@@ -92,7 +91,6 @@ int ssh_userauth_pubkey(ssh_session session,
rc = ssh_userauth_publickey(session, username, key); rc = ssh_userauth_publickey(session, username, key);
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = NULL;
key->rsa = NULL; key->rsa = NULL;
#else #else
key->key = NULL; key->key = NULL;
@@ -358,13 +356,6 @@ void publickey_free(ssh_public_key key) {
} }
switch(key->type) { switch(key->type) {
case SSH_KEYTYPE_DSS:
#ifdef HAVE_LIBGCRYPT
gcry_sexp_release(key->dsa_pub);
#elif defined HAVE_LIBCRYPTO
EVP_PKEY_free(key->key_pub);
#endif /* HAVE_LIBGCRYPT */
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
#ifdef HAVE_LIBGCRYPT #ifdef HAVE_LIBGCRYPT
gcry_sexp_release(key->rsa_pub); gcry_sexp_release(key->rsa_pub);
@@ -396,7 +387,6 @@ ssh_public_key publickey_from_privatekey(ssh_private_key prv) {
privkey->type_c = ssh_key_type_to_char(privkey->type); privkey->type_c = ssh_key_type_to_char(privkey->type);
privkey->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; privkey->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
privkey->dsa = prv->dsa_priv;
privkey->rsa = prv->rsa_priv; privkey->rsa = prv->rsa_priv;
#else #else
privkey->key = prv->key_priv; privkey->key = prv->key_priv;
@@ -404,7 +394,6 @@ ssh_public_key publickey_from_privatekey(ssh_private_key prv) {
rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey); rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey);
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
privkey->dsa = NULL;
privkey->rsa = NULL; privkey->rsa = NULL;
#else #else
privkey->key = NULL; privkey->key = NULL;
@@ -455,10 +444,8 @@ ssh_private_key privatekey_from_file(ssh_session session,
privkey->type = key->type; privkey->type = key->type;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
privkey->dsa_priv = key->dsa;
privkey->rsa_priv = key->rsa; privkey->rsa_priv = key->rsa;
key->dsa = NULL;
key->rsa = NULL; key->rsa = NULL;
#else #else
privkey->key_priv = key->key; privkey->key_priv = key->key;
@@ -483,7 +470,6 @@ void privatekey_free(ssh_private_key prv) {
} }
#ifdef HAVE_LIBGCRYPT #ifdef HAVE_LIBGCRYPT
gcry_sexp_release(prv->dsa_priv);
gcry_sexp_release(prv->rsa_priv); gcry_sexp_release(prv->rsa_priv);
#elif defined HAVE_LIBCRYPTO #elif defined HAVE_LIBCRYPTO
EVP_PKEY_free(prv->key_priv); EVP_PKEY_free(prv->key_priv);
@@ -552,8 +538,6 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) {
pubkey->type_c = key->type_c; pubkey->type_c = key->type_c;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
pubkey->dsa_pub = key->dsa;
key->dsa = NULL;
pubkey->rsa_pub = key->rsa; pubkey->rsa_pub = key->rsa;
key->rsa = NULL; key->rsa = NULL;
#else #else
@@ -584,7 +568,6 @@ ssh_string publickey_to_string(ssh_public_key pubkey) {
key->type_c = pubkey->type_c; key->type_c = pubkey->type_c;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = pubkey->dsa_pub;
key->rsa = pubkey->rsa_pub; key->rsa = pubkey->rsa_pub;
#else #else
key->key = pubkey->key_pub; key->key = pubkey->key_pub;
@@ -596,7 +579,6 @@ ssh_string publickey_to_string(ssh_public_key pubkey) {
} }
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
key->dsa = NULL;
key->rsa = NULL; key->rsa = NULL;
#else #else
key->key = NULL; key->key = NULL;

6
src/libcrypto.c
View File

@@ -45,7 +45,6 @@
#include <openssl/sha.h> #include <openssl/sha.h>
#include <openssl/md5.h> #include <openssl/md5.h>
#if OPENSSL_VERSION_NUMBER < 0x30000000L #if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/dsa.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/hmac.h> #include <openssl/hmac.h>
#else #else
@@ -1566,11 +1565,6 @@ evp_dup_pkey(const char *name, const ssh_key key, int demote, ssh_key new_key)
return SSH_OK; return SSH_OK;
} }
int evp_dup_dsa_pkey(const ssh_key key, ssh_key new_key, int demote)
{
return evp_dup_pkey("DSA", key, demote, new_key);
}
int evp_dup_rsa_pkey(const ssh_key key, ssh_key new_key, int demote) int evp_dup_rsa_pkey(const ssh_key key, ssh_key new_key, int demote)
{ {
return evp_dup_pkey("RSA", key, demote, new_key); return evp_dup_pkey("RSA", key, demote, new_key);

53
src/options.c
View File

@@ -419,7 +419,7 @@ int ssh_options_set_algo(ssh_session session,
* - SSH_OPTIONS_HOSTKEYS: * - SSH_OPTIONS_HOSTKEYS:
* Set the preferred server host key types (const char *, * Set the preferred server host key types (const char *,
* comma-separated list). ex: * comma-separated list). ex:
* "ssh-rsa,ssh-dss,ecdh-sha2-nistp256". The list can be * "ssh-rsa,ecdh-sha2-nistp256". The list can be
* prepended by +,-,^ which will append, remove or move to * prepended by +,-,^ which will append, remove or move to
* the beginning (prioritizing) of the default list * the beginning (prioritizing) of the default list
* respectively. Giving an empty list after + and ^ will * respectively. Giving an empty list after + and ^ will
@@ -428,7 +428,7 @@ int ssh_options_set_algo(ssh_session session,
* - SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES: * - SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES:
* Set the preferred public key algorithms to be used for * Set the preferred public key algorithms to be used for
* authentication (const char *, comma-separated list). ex: * authentication (const char *, comma-separated list). ex:
* "ssh-rsa,rsa-sha2-256,ssh-dss,ecdh-sha2-nistp256" * "ssh-rsa,rsa-sha2-256,ecdh-sha2-nistp256"
* The list can be prepended by +,-,^ which will append, * The list can be prepended by +,-,^ which will append,
* remove or move to the beginning (prioritizing) of the * remove or move to the beginning (prioritizing) of the
* default list respectively. Giving an empty list * default list respectively. Giving an empty list
@@ -1353,7 +1353,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
int argc = *argcptr; int argc = *argcptr;
int debuglevel = 0; int debuglevel = 0;
int usersa = 0; int usersa = 0;
int usedss = 0;
int compress = 0; int compress = 0;
int cont = 1; int cont = 1;
size_t current = 0; size_t current = 0;
@@ -1367,7 +1366,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
} }
opterr = 0; /* shut up getopt */ opterr = 0; /* shut up getopt */
while((opt = getopt(argc, argv, "c:i:Cl:p:vb:rd12")) != -1) { while((opt = getopt(argc, argv, "c:i:Cl:p:vb:r12")) != -1) {
switch(opt) { switch(opt) {
case 'l': case 'l':
user = optarg; user = optarg;
@@ -1381,9 +1380,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
case 'r': case 'r':
usersa++; usersa++;
break; break;
case 'd':
usedss++;
break;
case 'c': case 'c':
cipher = optarg; cipher = optarg;
break; break;
@@ -1446,11 +1442,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
optind++; optind++;
} }
if (usersa && usedss) {
ssh_set_error(session, SSH_FATAL, "Either RSA or DSS must be chosen");
cont = 0;
}
ssh_set_log_level(debuglevel); ssh_set_log_level(debuglevel);
optind = saveoptind; optind = saveoptind;
@@ -1742,8 +1733,8 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* *
* - SSH_BIND_OPTIONS_HOSTKEY: * - SSH_BIND_OPTIONS_HOSTKEY:
* Set the path to an ssh host key, regardless * Set the path to an ssh host key, regardless
* of type. Only one key from each key type * of type. Only one key from per key type
* (RSA, DSA, ECDSA) is allowed in an ssh_bind * (RSA, ED25519 and ECDSA) is allowed in an ssh_bind
* at a time, and later calls to this function * at a time, and later calls to this function
* with this option for the same key type will * with this option for the same key type will
* override prior calls (const char *). * override prior calls (const char *).
@@ -1779,10 +1770,6 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* SSH_BIND_OPTIONS_LOG_VERBOSITY above (const * SSH_BIND_OPTIONS_LOG_VERBOSITY above (const
* char *). * char *).
* *
* - SSH_BIND_OPTIONS_DSAKEY:
* Set the path to the ssh host dsa key, SSHv2
* only (const char *).
*
* - SSH_BIND_OPTIONS_RSAKEY: * - SSH_BIND_OPTIONS_RSAKEY:
* Set the path to the ssh host rsa key, SSHv2 * Set the path to the ssh host rsa key, SSHv2
* only (const char *). * only (const char *).
@@ -1794,6 +1781,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* - SSH_BIND_OPTIONS_BANNER: * - SSH_BIND_OPTIONS_BANNER:
* Set the server banner sent to clients (const char *). * Set the server banner sent to clients (const char *).
* *
* - SSH_BIND_OPTIONS_DSAKEY:
* This is DEPRECATED, please do not use
*
* - SSH_BIND_OPTIONS_IMPORT_KEY: * - SSH_BIND_OPTIONS_IMPORT_KEY:
* Set the Private Key for the server directly (ssh_key) * Set the Private Key for the server directly (ssh_key)
* *
@@ -1905,17 +1895,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
key_type = ssh_key_type(key); key_type = ssh_key_type(key);
switch (key_type) { switch (key_type) {
case SSH_KEYTYPE_DSS:
#ifdef HAVE_DSA
bind_key_loc = &sshbind->dsa;
bind_key_path_loc = &sshbind->dsakey;
#else
ssh_set_error(sshbind,
SSH_FATAL,
"DSS key used and libssh compiled "
"without DSA support");
#endif
break;
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521: case SSH_KEYTYPE_ECDSA_P521:
@@ -1979,16 +1958,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
key_type = ssh_key_type(key); key_type = ssh_key_type(key);
switch (key_type) { switch (key_type) {
case SSH_KEYTYPE_DSS:
#ifdef HAVE_DSA
bind_key_loc = &sshbind->dsa;
#else
ssh_set_error(sshbind,
SSH_FATAL,
"DSA key used and libssh compiled "
"without DSA support");
#endif
break;
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521: case SSH_KEYTYPE_ECDSA_P521:
@@ -2085,12 +2054,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
ssh_set_log_level(i & 0xffffU); ssh_set_log_level(i & 0xffffU);
} }
break; break;
case SSH_BIND_OPTIONS_DSAKEY:
rc = ssh_bind_set_key(sshbind, &sshbind->dsakey, value);
if (rc < 0) {
return -1;
}
break;
case SSH_BIND_OPTIONS_RSAKEY: case SSH_BIND_OPTIONS_RSAKEY:
rc = ssh_bind_set_key(sshbind, &sshbind->rsakey, value); rc = ssh_bind_set_key(sshbind, &sshbind->rsakey, value);
if (rc < 0) { if (rc < 0) {

141
src/pki.c
View File

@@ -77,13 +77,6 @@ enum ssh_keytypes_e pki_privatekey_type_from_string(const char *privkey)
{ {
char *start = NULL; char *start = NULL;
#ifdef HAVE_DSA
start = strstr(privkey, DSA_HEADER_BEGIN);
if (start != NULL) {
return SSH_KEYTYPE_DSS;
}
#endif /* HAVE_DSA */
start = strstr(privkey, RSA_HEADER_BEGIN); start = strstr(privkey, RSA_HEADER_BEGIN);
if (start != NULL) { if (start != NULL) {
return SSH_KEYTYPE_RSA; return SSH_KEYTYPE_RSA;
@@ -208,9 +201,9 @@ void ssh_key_free (ssh_key key)
/** /**
* @brief returns the type of a ssh key * @brief returns the type of a ssh key
* @param[in] key the ssh_key handle * @param[in] key the ssh_key handle
* @returns one of SSH_KEYTYPE_RSA, SSH_KEYTYPE_DSS, * @returns one of SSH_KEYTYPE_RSA,
* SSH_KEYTYPE_ECDSA_P256, SSH_KEYTYPE_ECDSA_P384, * SSH_KEYTYPE_ECDSA_P256, SSH_KEYTYPE_ECDSA_P384,
* SSH_KEYTYPE_ECDSA_P521, SSH_KEYTYPE_ED25519, SSH_KEYTYPE_DSS_CERT01, * SSH_KEYTYPE_ECDSA_P521, SSH_KEYTYPE_ED25519,
* SSH_KEYTYPE_RSA_CERT01, SSH_KEYTYPE_ECDSA_P256_CERT01, * SSH_KEYTYPE_RSA_CERT01, SSH_KEYTYPE_ECDSA_P256_CERT01,
* SSH_KEYTYPE_ECDSA_P384_CERT01, SSH_KEYTYPE_ECDSA_P521_CERT01, or * SSH_KEYTYPE_ECDSA_P384_CERT01, SSH_KEYTYPE_ECDSA_P521_CERT01, or
* SSH_KEYTYPE_ED25519_CERT01. * SSH_KEYTYPE_ED25519_CERT01.
@@ -281,8 +274,6 @@ ssh_key_signature_to_char(enum ssh_keytypes_e type,
*/ */
const char *ssh_key_type_to_char(enum ssh_keytypes_e type) { const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS:
return "ssh-dss";
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
return "ssh-rsa"; return "ssh-rsa";
case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_ECDSA:
@@ -295,8 +286,6 @@ const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
return "ecdsa-sha2-nistp521"; return "ecdsa-sha2-nistp521";
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
return "ssh-ed25519"; return "ssh-ed25519";
case SSH_KEYTYPE_DSS_CERT01:
return "ssh-dss-cert-v01@openssh.com";
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
return "ssh-rsa-cert-v01@openssh.com"; return "ssh-rsa-cert-v01@openssh.com";
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -315,7 +304,9 @@ const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
return "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"; return "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com";
case SSH_KEYTYPE_SK_ED25519_CERT01: case SSH_KEYTYPE_SK_ED25519_CERT01:
return "sk-ssh-ed25519-cert-v01@openssh.com"; return "sk-ssh-ed25519-cert-v01@openssh.com";
case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:
return NULL; return NULL;
} }
@@ -333,8 +324,6 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name)
if (strcmp(name, "ssh-rsa") == 0) { if (strcmp(name, "ssh-rsa") == 0) {
return SSH_DIGEST_SHA1; return SSH_DIGEST_SHA1;
} else if (strcmp(name, "ssh-dss") == 0) {
return SSH_DIGEST_SHA1;
} else if (strcmp(name, "rsa-sha2-256") == 0) { } else if (strcmp(name, "rsa-sha2-256") == 0) {
return SSH_DIGEST_SHA256; return SSH_DIGEST_SHA256;
} else if (strcmp(name, "rsa-sha2-512") == 0) { } else if (strcmp(name, "rsa-sha2-512") == 0) {
@@ -450,9 +439,6 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type) enum ssh_keytypes_e type)
{ {
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_DSS:
return SSH_DIGEST_SHA1;
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
/* If we are talking to an old OpenSSH version which does not support /* If we are talking to an old OpenSSH version which does not support
* SHA2 in certificates */ * SHA2 in certificates */
@@ -494,6 +480,8 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
return SSH_DIGEST_AUTO; return SSH_DIGEST_AUTO;
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:
default: default:
@@ -576,12 +564,8 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
if (strcmp(name, "rsa") == 0) { if (strcmp(name, "rsa") == 0) {
return SSH_KEYTYPE_RSA; return SSH_KEYTYPE_RSA;
} else if (strcmp(name, "dsa") == 0) {
return SSH_KEYTYPE_DSS;
} else if (strcmp(name, "ssh-rsa") == 0) { } else if (strcmp(name, "ssh-rsa") == 0) {
return SSH_KEYTYPE_RSA; return SSH_KEYTYPE_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return SSH_KEYTYPE_DSS;
} else if (strcmp(name, "ssh-ecdsa") == 0 } else if (strcmp(name, "ssh-ecdsa") == 0
|| strcmp(name, "ecdsa") == 0 || strcmp(name, "ecdsa") == 0
|| strcmp(name, "ecdsa-sha2-nistp256") == 0) { || strcmp(name, "ecdsa-sha2-nistp256") == 0) {
@@ -592,8 +576,6 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
return SSH_KEYTYPE_ECDSA_P521; return SSH_KEYTYPE_ECDSA_P521;
} else if (strcmp(name, "ssh-ed25519") == 0){ } else if (strcmp(name, "ssh-ed25519") == 0){
return SSH_KEYTYPE_ED25519; return SSH_KEYTYPE_ED25519;
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
return SSH_KEYTYPE_DSS_CERT01;
} else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) { } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
return SSH_KEYTYPE_RSA_CERT01; return SSH_KEYTYPE_RSA_CERT01;
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) { } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) {
@@ -627,8 +609,6 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type) enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type)
{ {
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS_CERT01:
return SSH_KEYTYPE_DSS;
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
return SSH_KEYTYPE_RSA; return SSH_KEYTYPE_RSA;
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -747,11 +727,6 @@ void ssh_signature_free(ssh_signature sig)
} }
switch(sig->type) { switch(sig->type) {
case SSH_KEYTYPE_DSS:
#ifdef HAVE_LIBGCRYPT
gcry_sexp_release(sig->dsa_sig);
#endif /* HAVE_LIBGCRYPT */
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
#ifdef HAVE_LIBGCRYPT #ifdef HAVE_LIBGCRYPT
gcry_sexp_release(sig->rsa_sig); gcry_sexp_release(sig->rsa_sig);
@@ -777,7 +752,8 @@ void ssh_signature_free(ssh_signature sig)
SAFE_FREE(sig->ed25519_sig); SAFE_FREE(sig->ed25519_sig);
#endif /* HAVE_LIBCRYPTO */ #endif /* HAVE_LIBCRYPTO */
break; break;
case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01: case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1115,8 +1091,6 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key)
pub->type_c = tmp->type_c; pub->type_c = tmp->type_c;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
pub->dsa_pub = tmp->dsa;
tmp->dsa = NULL;
pub->rsa_pub = tmp->rsa; pub->rsa_pub = tmp->rsa;
tmp->rsa = NULL; tmp->rsa = NULL;
#else #else
@@ -1141,7 +1115,6 @@ ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key)
privkey->type = key->type; privkey->type = key->type;
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
privkey->dsa_priv = key->dsa;
privkey->rsa_priv = key->rsa; privkey->rsa_priv = key->rsa;
#else #else
privkey->key_priv = key->key; privkey->key_priv = key->key;
@@ -1167,46 +1140,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS:
{
ssh_string p = NULL;
ssh_string q = NULL;
ssh_string g = NULL;
ssh_string pubkey = NULL;
ssh_string privkey = NULL;
rc = ssh_buffer_unpack(buffer, "SSSSS", &p, &q, &g,
&pubkey, &privkey);
if (rc != SSH_OK) {
SSH_LOG(SSH_LOG_TRACE, "Unpack error");
goto fail;
}
rc = pki_privkey_build_dss(key, p, q, g, pubkey, privkey);
#ifdef DEBUG_CRYPTO
ssh_log_hexdump("p", ssh_string_data(p), ssh_string_len(p));
ssh_log_hexdump("q", ssh_string_data(q), ssh_string_len(q));
ssh_log_hexdump("g", ssh_string_data(g), ssh_string_len(g));
ssh_log_hexdump("pubkey", ssh_string_data(pubkey),
ssh_string_len(pubkey));
ssh_log_hexdump("privkey", ssh_string_data(privkey),
ssh_string_len(privkey));
#endif /* DEBUG_CRYPTO */
ssh_string_burn(p);
SSH_STRING_FREE(p);
ssh_string_burn(q);
SSH_STRING_FREE(q);
ssh_string_burn(g);
SSH_STRING_FREE(g);
ssh_string_burn(pubkey);
SSH_STRING_FREE(pubkey);
ssh_string_burn(privkey);
SSH_STRING_FREE(privkey);
if (rc == SSH_ERROR) {
goto fail;
}
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
{ {
ssh_string n = NULL; ssh_string n = NULL;
@@ -1309,7 +1242,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
} }
} }
break; break;
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01: case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1351,39 +1283,6 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
key->flags = SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PUBLIC;
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS:
{
ssh_string p = NULL;
ssh_string q = NULL;
ssh_string g = NULL;
ssh_string pubkey = NULL;
rc = ssh_buffer_unpack(buffer, "SSSS", &p, &q, &g, &pubkey);
if (rc != SSH_OK) {
SSH_LOG(SSH_LOG_TRACE, "Unpack error");
goto fail;
}
rc = pki_pubkey_build_dss(key, p, q, g, pubkey);
#ifdef DEBUG_CRYPTO
ssh_log_hexdump("p", ssh_string_data(p), ssh_string_len(p));
ssh_log_hexdump("q", ssh_string_data(q), ssh_string_len(q));
ssh_log_hexdump("g", ssh_string_data(g), ssh_string_len(g));
#endif /* DEBUG_CRYPTO */
ssh_string_burn(p);
SSH_STRING_FREE(p);
ssh_string_burn(q);
SSH_STRING_FREE(q);
ssh_string_burn(g);
SSH_STRING_FREE(g);
ssh_string_burn(pubkey);
SSH_STRING_FREE(pubkey);
if (rc == SSH_ERROR) {
SSH_LOG(SSH_LOG_TRACE, "Failed to build DSA public key");
goto fail;
}
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
{ {
ssh_string e = NULL; ssh_string e = NULL;
@@ -1494,7 +1393,6 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
} }
} }
break; break;
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01: case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1562,9 +1460,6 @@ static int pki_import_cert_buffer(ssh_buffer buffer,
SSH_STRING_FREE(tmp_s); SSH_STRING_FREE(tmp_s);
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS_CERT01:
rc = pki_import_pubkey_buffer(buffer, SSH_KEYTYPE_DSS, &key);
break;
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
rc = pki_import_pubkey_buffer(buffer, SSH_KEYTYPE_RSA, &key); rc = pki_import_pubkey_buffer(buffer, SSH_KEYTYPE_RSA, &key);
break; break;
@@ -1977,7 +1872,6 @@ int ssh_pki_import_cert_file(const char *filename, ssh_key *pkey)
* *
* @param[in] parameter Parameter to the creation of key: * @param[in] parameter Parameter to the creation of key:
* rsa : length of the key in bits (e.g. 1024, 2048, 4096) * rsa : length of the key in bits (e.g. 1024, 2048, 4096)
* dsa : length of the key in bits (e.g. 1024, 2048, 3072)
* @param[out] pkey A pointer to store the allocated private key. You need * @param[out] pkey A pointer to store the allocated private key. You need
* to free the memory using ssh_key_free(). * to free the memory using ssh_key_free().
* *
@@ -2007,11 +1901,6 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter,
if(rc == SSH_ERROR) if(rc == SSH_ERROR)
goto error; goto error;
break; break;
case SSH_KEYTYPE_DSS:
rc = pki_key_generate_dss(key, parameter);
if(rc == SSH_ERROR)
goto error;
break;
#ifdef HAVE_ECC #ifdef HAVE_ECC
case SSH_KEYTYPE_ECDSA: /* deprecated */ case SSH_KEYTYPE_ECDSA: /* deprecated */
rc = pki_key_generate_ecdsa(key, parameter); rc = pki_key_generate_ecdsa(key, parameter);
@@ -2047,7 +1936,6 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter,
goto error; goto error;
} }
break; break;
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01: case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -2441,17 +2329,6 @@ int pki_key_check_hash_compatible(ssh_key key,
} }
switch(key->type) { switch(key->type) {
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_DSS:
if (hash_type == SSH_DIGEST_SHA1) {
if (ssh_fips_mode()) {
SSH_LOG(SSH_LOG_TRACE, "SHA1 is not allowed in FIPS mode");
return SSH_ERROR;
} else {
return SSH_OK;
}
}
break;
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
if (hash_type == SSH_DIGEST_SHA1) { if (hash_type == SSH_DIGEST_SHA1) {
@@ -2497,6 +2374,8 @@ int pki_key_check_hash_compatible(ssh_key key,
return SSH_OK; return SSH_OK;
} }
break; break;
case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:

723
src/pki_crypto.c
View File

@@ -411,97 +411,6 @@ ssh_key pki_key_dup(const ssh_key key, int demote)
} }
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
const BIGNUM *p = NULL, *q = NULL, *g = NULL,
*pub_key = NULL, *priv_key = NULL;
BIGNUM *np, *nq, *ng, *npub_key, *npriv_key;
DSA *new_dsa = DSA_new();
const DSA *key_dsa = EVP_PKEY_get0_DSA(key->key);
if (new_dsa == NULL) {
goto fail;
}
/*
* p = public prime number
* q = public 160-bit subprime, q | p-1
* g = public generator of subgroup
* pub_key = public key y = g^x
* priv_key = private key x
*/
DSA_get0_pqg(key_dsa, &p, &q, &g);
np = BN_dup(p);
nq = BN_dup(q);
ng = BN_dup(g);
if (np == NULL || nq == NULL || ng == NULL) {
DSA_free(new_dsa);
BN_free(np);
BN_free(nq);
BN_free(ng);
goto fail;
}
/* Memory management of np, nq and ng is transferred to DSA object */
rc = DSA_set0_pqg(new_dsa, np, nq, ng);
if (rc == 0) {
DSA_free(new_dsa);
BN_free(np);
BN_free(nq);
BN_free(ng);
goto fail;
}
DSA_get0_key(key_dsa, &pub_key, &priv_key);
npub_key = BN_dup(pub_key);
if (npub_key == NULL) {
DSA_free(new_dsa);
goto fail;
}
/* Memory management of npubkey is transferred to DSA object */
rc = DSA_set0_key(new_dsa, npub_key, NULL);
if (rc == 0) {
DSA_free(new_dsa);
goto fail;
}
if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
npriv_key = BN_dup(priv_key);
if (npriv_key == NULL) {
DSA_free(new_dsa);
goto fail;
}
/* Memory management of npriv_key is transferred to DSA object */
rc = DSA_set0_key(new_dsa, NULL, npriv_key);
if (rc == 0) {
DSA_free(new_dsa);
goto fail;
}
}
new->key = EVP_PKEY_new();
if (new->key == NULL) {
DSA_free(new_dsa);
goto fail;
}
rc = EVP_PKEY_assign_DSA(new->key, new_dsa);
if (rc != 1) {
EVP_PKEY_free(new->key);
DSA_free(new_dsa);
goto fail;
}
new_dsa = NULL;
#else
rc = evp_dup_dsa_pkey(key, new, demote);
if (rc != SSH_OK) {
goto fail;
}
#endif /* OPENSSL_VERSION_NUMBER */
break;
}
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: { case SSH_KEYTYPE_RSA1: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L #if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -805,107 +714,6 @@ int pki_key_generate_rsa(ssh_key key, int parameter){
return SSH_OK; return SSH_OK;
} }
int pki_key_generate_dss(ssh_key key, int parameter){
int rc;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
DSA *key_dsa = DSA_new();
if (key_dsa == NULL) {
return SSH_ERROR;
}
rc = DSA_generate_parameters_ex(key_dsa,
parameter,
NULL, /* seed */
0, /* seed_len */
NULL, /* counter_ret */
NULL, /* h_ret */
NULL); /* cb */
if (rc != 1) {
DSA_free(key_dsa);
return SSH_ERROR;
}
rc = DSA_generate_key(key_dsa);
if (rc != 1) {
DSA_free(key_dsa);
return SSH_ERROR;
}
key->key = EVP_PKEY_new();
if (key->key == NULL) {
DSA_free(key_dsa);
return SSH_ERROR;
}
rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
if (rc != 1) {
DSA_free(key_dsa);
EVP_PKEY_free(key->key);
return SSH_ERROR;
}
key_dsa = NULL;
#else
OSSL_PARAM params[3];
EVP_PKEY *param_key = NULL;
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY_CTX *gctx = NULL;
int qbits = parameter < 2048 ? 160 : 256;
key->key = EVP_PKEY_new();
if (key->key == NULL) {
return SSH_ERROR;
}
pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
if (pctx == NULL) {
return SSH_ERROR;
}
rc = EVP_PKEY_paramgen_init(pctx);
if (rc != 1) {
EVP_PKEY_CTX_free(pctx);
return SSH_ERROR;
}
params[0] = OSSL_PARAM_construct_int("pbits", &parameter);
params[1] = OSSL_PARAM_construct_int("qbits", &qbits);
params[2] = OSSL_PARAM_construct_end();
rc = EVP_PKEY_CTX_set_params(pctx, params);
if (rc != 1) {
EVP_PKEY_CTX_free(pctx);
return SSH_ERROR;
}
/* generating the domain parameters */
rc = EVP_PKEY_generate(pctx, &param_key);
if (rc != 1) {
EVP_PKEY_CTX_free(pctx);
EVP_PKEY_free(param_key);
return SSH_ERROR;
}
EVP_PKEY_CTX_free(pctx);
gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
if (gctx == NULL) {
EVP_PKEY_free(param_key);
return SSH_ERROR;
}
EVP_PKEY_free(param_key);
rc = EVP_PKEY_keygen_init(gctx);
if (rc != 1) {
EVP_PKEY_CTX_free(gctx);
return SSH_ERROR;
}
/* generating the key from the domain parameters */
rc = EVP_PKEY_generate(gctx, &key->key);
if (rc != 1) {
EVP_PKEY_free(key->key);
key->key = NULL;
EVP_PKEY_CTX_free(gctx);
return SSH_ERROR;
}
EVP_PKEY_CTX_free(gctx);
#endif /* OPENSSL_VERSION_NUMBER */
return SSH_OK;
}
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
int pki_key_generate_ecdsa(ssh_key key, int parameter) int pki_key_generate_ecdsa(ssh_key key, int parameter)
{ {
@@ -1033,7 +841,6 @@ int pki_key_compare(const ssh_key k1,
} }
#endif /* HAVE_OPENSSL_ECC */ #endif /* HAVE_OPENSSL_ECC */
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
rc = EVP_PKEY_eq(k1->key, k2->key); rc = EVP_PKEY_eq(k1->key, k2->key);
@@ -1068,7 +875,6 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
} }
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
@@ -1101,7 +907,6 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
/* Mark the operation as successful as for the other key types */ /* Mark the operation as successful as for the other key types */
rc = 1; rc = 1;
break; break;
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01: case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1204,9 +1009,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
return NULL; return NULL;
} }
switch (EVP_PKEY_base_id(pkey)) { switch (EVP_PKEY_base_id(pkey)) {
case EVP_PKEY_DSA:
type = SSH_KEYTYPE_DSS;
break;
case EVP_PKEY_RSA: case EVP_PKEY_RSA:
type = SSH_KEYTYPE_RSA; type = SSH_KEYTYPE_RSA;
break; break;
@@ -1307,199 +1109,6 @@ fail:
return NULL; return NULL;
} }
int pki_privkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey,
ssh_string privkey)
{
int rc;
BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
if (param_bld == NULL) {
return SSH_ERROR;
}
#else
DSA *key_dsa = DSA_new();
if (key_dsa == NULL) {
return SSH_ERROR;
}
#endif /* OPENSSL_VERSION_NUMBER */
bp = ssh_make_string_bn(p);
bq = ssh_make_string_bn(q);
bg = ssh_make_string_bn(g);
bpub_key = ssh_make_string_bn(pubkey);
bpriv_key = ssh_make_string_bn(privkey);
if (bp == NULL || bq == NULL ||
bg == NULL || bpub_key == NULL) {
rc = SSH_ERROR;
goto fail;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
/* Memory management of bp, qq and bg is transferred to DSA object */
rc = DSA_set0_pqg(key_dsa, bp, bq, bg);
if (rc == 0) {
goto fail;
}
/* Memory management of bpub_key and bpriv_key is transferred to DSA object */
rc = DSA_set0_key(key_dsa, bpub_key, bpriv_key);
if (rc == 0) {
goto fail;
}
key->key = EVP_PKEY_new();
if (key->key == NULL) {
goto fail;
}
rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
if (rc != 1) {
goto fail;
}
return SSH_OK;
fail:
EVP_PKEY_free(key->key);
DSA_free(key_dsa);
return SSH_ERROR;
#else
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
fail:
OSSL_PARAM_BLD_free(param_bld);
bignum_safe_free(bp);
bignum_safe_free(bq);
bignum_safe_free(bg);
bignum_safe_free(bpub_key);
bignum_safe_free(bpriv_key);
return rc;
#endif /* OPENSSL_VERSION_NUMBER */
}
int pki_pubkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey) {
int rc;
BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
if (param_bld == NULL) {
return SSH_ERROR;
}
#else
DSA *key_dsa = DSA_new();
if (key_dsa == NULL) {
return SSH_ERROR;
}
#endif /* OPENSSL_VERSION_NUMBER */
bp = ssh_make_string_bn(p);
bq = ssh_make_string_bn(q);
bg = ssh_make_string_bn(g);
bpub_key = ssh_make_string_bn(pubkey);
if (bp == NULL || bq == NULL ||
bg == NULL || bpub_key == NULL) {
rc = SSH_ERROR;
goto fail;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
/* Memory management of bp, bq and bg is transferred to DSA object */
rc = DSA_set0_pqg(key_dsa, bp, bq, bg);
if (rc == 0) {
goto fail;
}
/* Memory management of npub_key is transferred to DSA object */
rc = DSA_set0_key(key_dsa, bpub_key, NULL);
if (rc == 0) {
goto fail;
}
key->key = EVP_PKEY_new();
if (key->key == NULL) {
goto fail;
}
rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
if (rc != 1) {
goto fail;
}
return SSH_OK;
fail:
EVP_PKEY_free(key->key);
DSA_free(key_dsa);
return SSH_ERROR;
#else
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
if (rc != 1) {
rc = SSH_ERROR;
goto fail;
}
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
fail:
OSSL_PARAM_BLD_free(param_bld);
bignum_safe_free(bp);
bignum_safe_free(bq);
bignum_safe_free(bg);
bignum_safe_free(bpub_key);
return rc;
#endif /* OPENSSL_VERSION_NUMBER */
}
int pki_privkey_build_rsa(ssh_key key, int pki_privkey_build_rsa(ssh_key key,
ssh_string n, ssh_string n,
ssh_string e, ssh_string e,
@@ -1730,110 +1339,6 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
} }
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
const BIGNUM *bp, *bq, *bg, *bpub_key;
const DSA *key_dsa = EVP_PKEY_get0_DSA(key->key);
DSA_get0_pqg(key_dsa, &bp, &bq, &bg);
DSA_get0_key(key_dsa, &bpub_key, NULL);
#else
const OSSL_PARAM *out_param = NULL;
rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, &params);
if (rc != 1) {
goto fail;
}
out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_P);
if (out_param == NULL) {
SSH_LOG(SSH_LOG_TRACE, "DSA: No param P has been found");
goto fail;
}
rc = OSSL_PARAM_get_BN(out_param, &bp);
if (rc != 1) {
goto fail;
}
out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_Q);
if (out_param == NULL) {
SSH_LOG(SSH_LOG_TRACE, "DSA: No param Q has been found");
goto fail;
}
rc = OSSL_PARAM_get_BN(out_param, &bq);
if (rc != 1) {
goto fail;
}
out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_G);
if (out_param == NULL) {
SSH_LOG(SSH_LOG_TRACE, "DSA: No param G has been found");
goto fail;
}
rc = OSSL_PARAM_get_BN(out_param, &bg);
if (rc != 1) {
goto fail;
}
out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
if (out_param == NULL) {
SSH_LOG(SSH_LOG_TRACE, "DSA: No param PUB_KEY has been found");
goto fail;
}
rc = OSSL_PARAM_get_BN(out_param, &bpub_key);
if (rc != 1) {
goto fail;
}
#endif /* OPENSSL_VERSION_NUMBER */
p = ssh_make_bignum_string((BIGNUM *)bp);
if (p == NULL) {
goto fail;
}
q = ssh_make_bignum_string((BIGNUM *)bq);
if (q == NULL) {
goto fail;
}
g = ssh_make_bignum_string((BIGNUM *)bg);
if (g == NULL) {
goto fail;
}
n = ssh_make_bignum_string((BIGNUM *)bpub_key);
if (n == NULL) {
goto fail;
}
if (ssh_buffer_add_ssh_string(buffer, p) < 0) {
goto fail;
}
if (ssh_buffer_add_ssh_string(buffer, q) < 0) {
goto fail;
}
if (ssh_buffer_add_ssh_string(buffer, g) < 0) {
goto fail;
}
if (ssh_buffer_add_ssh_string(buffer, n) < 0) {
goto fail;
}
ssh_string_burn(p);
SSH_STRING_FREE(p);
p = NULL;
ssh_string_burn(g);
SSH_STRING_FREE(g);
g = NULL;
ssh_string_burn(q);
SSH_STRING_FREE(q);
q = NULL;
ssh_string_burn(n);
SSH_STRING_FREE(n);
n = NULL;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
bignum_safe_free(bp);
bignum_safe_free(bq);
bignum_safe_free(bg);
bignum_safe_free(bpub_key);
OSSL_PARAM_free(params);
#endif /* OPENSSL_VERSION_NUMBER */
break;
}
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: { case SSH_KEYTYPE_RSA1: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L #if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -2057,92 +1562,6 @@ fail:
return NULL; return NULL;
} }
static ssh_string pki_dsa_signature_to_blob(const ssh_signature sig)
{
char buffer[40] = { 0 };
ssh_string sig_blob = NULL;
const BIGNUM *pr = NULL, *ps = NULL;
ssh_string r = NULL;
size_t r_len, r_offset_in, r_offset_out;
ssh_string s = NULL;
size_t s_len, s_offset_in, s_offset_out;
const unsigned char *raw_sig_data = NULL;
size_t raw_sig_len;
int rc;
DSA_SIG *dsa_sig;
if (sig == NULL || sig->raw_sig == NULL) {
return NULL;
}
raw_sig_data = ssh_string_data(sig->raw_sig);
if (raw_sig_data == NULL) {
return NULL;
}
raw_sig_len = ssh_string_len(sig->raw_sig);
dsa_sig = d2i_DSA_SIG(NULL, &raw_sig_data, raw_sig_len);
if (dsa_sig == NULL) {
return NULL;
}
DSA_SIG_get0(dsa_sig, &pr, &ps);
if (pr == NULL || ps == NULL) {
goto error;
}
r = ssh_make_bignum_string((BIGNUM *)pr);
if (r == NULL) {
goto error;
}
s = ssh_make_bignum_string((BIGNUM *)ps);
if (s == NULL) {
goto error;
}
r_len = ssh_string_len(r);
r_offset_in = (r_len > 20) ? (r_len - 20) : 0;
r_offset_out = (r_len < 20) ? (20 - r_len) : 0;
s_len = ssh_string_len(s);
s_offset_in = (s_len > 20) ? (s_len - 20) : 0;
s_offset_out = (s_len < 20) ? (20 - s_len) : 0;
memcpy(buffer + r_offset_out,
((char *)ssh_string_data(r)) + r_offset_in,
r_len - r_offset_in);
memcpy(buffer + 20 + s_offset_out,
((char *)ssh_string_data(s)) + s_offset_in,
s_len - s_offset_in);
DSA_SIG_free(dsa_sig);
SSH_STRING_FREE(r);
SSH_STRING_FREE(s);
sig_blob = ssh_string_new(40);
if (sig_blob == NULL) {
return NULL;
}
rc = ssh_string_fill(sig_blob, buffer, 40);
if (rc < 0) {
SSH_STRING_FREE(sig_blob);
return NULL;
}
return sig_blob;
error:
DSA_SIG_free(dsa_sig);
SSH_STRING_FREE(r);
SSH_STRING_FREE(s);
return NULL;
}
static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig)
{ {
ssh_string r = NULL; ssh_string r = NULL;
@@ -2235,9 +1654,6 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
ssh_string sig_blob = NULL; ssh_string sig_blob = NULL;
switch(sig->type) { switch(sig->type) {
case SSH_KEYTYPE_DSS:
sig_blob = pki_dsa_signature_to_blob(sig);
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
sig_blob = ssh_string_copy(sig->raw_sig); sig_blob = ssh_string_copy(sig->raw_sig);
@@ -2341,133 +1757,6 @@ errout:
return SSH_ERROR; return SSH_ERROR;
} }
static int pki_signature_from_dsa_blob(UNUSED_PARAM(const ssh_key pubkey),
const ssh_string sig_blob,
ssh_signature sig)
{
DSA_SIG *dsa_sig = NULL;
BIGNUM *pr = NULL, *ps = NULL;
ssh_string r;
ssh_string s = NULL;
size_t len;
size_t raw_sig_len = 0;
unsigned char *raw_sig_data = NULL;
unsigned char *temp_raw_sig = NULL;
int rc;
len = ssh_string_len(sig_blob);
/* 40 is the dual signature blob len. */
if (len != 40) {
SSH_LOG(SSH_LOG_TRACE,
"Signature has wrong size: %lu",
(unsigned long)len);
goto error;
}
#ifdef DEBUG_CRYPTO
ssh_log_hexdump("r", ssh_string_data(sig_blob), 20);
ssh_log_hexdump("s", (unsigned char *)ssh_string_data(sig_blob) + 20, 20);
#endif /* DEBUG_CRYPTO */
r = ssh_string_new(20);
if (r == NULL) {
goto error;
}
rc = ssh_string_fill(r, ssh_string_data(sig_blob), 20);
if (rc < 0) {
SSH_STRING_FREE(r);
goto error;
}
pr = ssh_make_string_bn(r);
ssh_string_burn(r);
SSH_STRING_FREE(r);
if (pr == NULL) {
goto error;
}
s = ssh_string_new(20);
if (s == NULL) {
goto error;
}
rc = ssh_string_fill(s, (char *)ssh_string_data(sig_blob) + 20, 20);
if (rc < 0) {
SSH_STRING_FREE(s);
goto error;
}
ps = ssh_make_string_bn(s);
ssh_string_burn(s);
SSH_STRING_FREE(s);
if (ps == NULL) {
goto error;
}
dsa_sig = DSA_SIG_new();
if (dsa_sig == NULL) {
goto error;
}
/* Memory management of pr and ps is transferred to DSA signature
* object */
rc = DSA_SIG_set0(dsa_sig, pr, ps);
if (rc == 0) {
goto error;
}
ps = NULL;
pr = NULL;
/* Get the expected size of the buffer */
rc = i2d_DSA_SIG(dsa_sig, NULL);
if (rc <= 0) {
goto error;
}
raw_sig_len = rc;
raw_sig_data = (unsigned char *)calloc(1, raw_sig_len);
if (raw_sig_data == NULL) {
goto error;
}
temp_raw_sig = raw_sig_data;
/* It is necessary to use a temporary pointer as i2d_* "advances" the
* pointer */
raw_sig_len = i2d_DSA_SIG(dsa_sig, &temp_raw_sig);
if (raw_sig_len <= 0) {
goto error;
}
sig->raw_sig = ssh_string_new(raw_sig_len);
if (sig->raw_sig == NULL) {
explicit_bzero(raw_sig_data, raw_sig_len);
goto error;
}
rc = ssh_string_fill(sig->raw_sig, raw_sig_data, raw_sig_len);
if (rc < 0) {
explicit_bzero(raw_sig_data, raw_sig_len);
goto error;
}
explicit_bzero(raw_sig_data, raw_sig_len);
SAFE_FREE(raw_sig_data);
DSA_SIG_free(dsa_sig);
return SSH_OK;
error:
bignum_safe_free(ps);
bignum_safe_free(pr);
SAFE_FREE(raw_sig_data);
DSA_SIG_free(dsa_sig);
return SSH_ERROR;
}
static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
const ssh_string sig_blob, const ssh_string sig_blob,
ssh_signature sig) ssh_signature sig)
@@ -2632,12 +1921,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
sig->hash_type = hash_type; sig->hash_type = hash_type;
switch(type) { switch(type) {
case SSH_KEYTYPE_DSS:
rc = pki_signature_from_dsa_blob(pubkey, sig_blob, sig);
if (rc != SSH_OK) {
goto error;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
rc = pki_signature_from_rsa_blob(pubkey, sig_blob, sig); rc = pki_signature_from_rsa_blob(pubkey, sig_blob, sig);
@@ -2715,8 +1998,6 @@ static EVP_PKEY *pki_key_to_pkey(ssh_key key)
int rc = 0; int rc = 0;
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
@@ -3017,8 +2298,6 @@ int ssh_key_size(ssh_key key)
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
@@ -3043,6 +2322,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01: case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */ /* ed25519 keys have fixed size */
return 255; return 255;
case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:
default: default:
return SSH_ERROR; return SSH_ERROR;

403
src/pki_gcrypt.c
View File

@@ -45,8 +45,6 @@
#define MAXLINESIZE 80 #define MAXLINESIZE 80
#define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----" #define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
#define RSA_HEADER_END "-----END RSA PRIVATE KEY-----" #define RSA_HEADER_END "-----END RSA PRIVATE KEY-----"
#define DSA_HEADER_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
#define DSA_HEADER_END "-----END DSA PRIVATE KEY-----"
#define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----" #define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----"
#define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----" #define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----"
@@ -288,14 +286,11 @@ void pki_key_clean(ssh_key key)
if (key == NULL) if (key == NULL)
return; return;
if (key->dsa)
gcry_sexp_release(key->dsa);
if (key->rsa) if (key->rsa)
gcry_sexp_release(key->rsa); gcry_sexp_release(key->rsa);
if (key->ecdsa) if (key->ecdsa)
gcry_sexp_release(key->ecdsa); gcry_sexp_release(key->ecdsa);
key->dsa = NULL;
key->rsa = NULL; key->rsa = NULL;
key->ecdsa = NULL; key->ecdsa = NULL;
} }
@@ -436,10 +431,6 @@ static ssh_buffer privatekey_string_to_buffer(const char *pkey, int type,
} }
switch(type) { switch(type) {
case SSH_KEYTYPE_DSS:
header_begin = DSA_HEADER_BEGIN;
header_end = DSA_HEADER_END;
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
header_begin = RSA_HEADER_BEGIN; header_begin = RSA_HEADER_BEGIN;
header_end = RSA_HEADER_END; header_end = RSA_HEADER_END;
@@ -643,79 +634,6 @@ error:
return rc; return rc;
} }
static int b64decode_dsa_privatekey(const char *pkey, gcry_sexp_t *r, ssh_auth_callback cb,
void *userdata, const char *desc) {
const unsigned char *data;
ssh_buffer buffer = NULL;
ssh_string p = NULL;
ssh_string q = NULL;
ssh_string g = NULL;
ssh_string y = NULL;
ssh_string x = NULL;
ssh_string v = NULL;
int rc = 1;
buffer = privatekey_string_to_buffer(pkey, SSH_KEYTYPE_DSS, cb, userdata, desc);
if (buffer == NULL) {
return 0;
}
if (!asn1_check_sequence(buffer)) {
SSH_BUFFER_FREE(buffer);
return 0;
}
v = asn1_get_int(buffer);
if (v == NULL) {
SSH_BUFFER_FREE(buffer);
return 0;
}
data = ssh_string_data(v);
if (ssh_string_len(v) != 1 || data[0] != 0) {
SSH_STRING_FREE(v);
SSH_BUFFER_FREE(buffer);
return 0;
}
p = asn1_get_int(buffer);
q = asn1_get_int(buffer);
g = asn1_get_int(buffer);
y = asn1_get_int(buffer);
x = asn1_get_int(buffer);
SSH_BUFFER_FREE(buffer);
if (p == NULL || q == NULL || g == NULL || y == NULL || x == NULL) {
rc = 0;
goto error;
}
if (gcry_sexp_build(r, NULL,
"(private-key(dsa(p %b)(q %b)(g %b)(y %b)(x %b)))",
ssh_string_len(p), ssh_string_data(p),
ssh_string_len(q), ssh_string_data(q),
ssh_string_len(g), ssh_string_data(g),
ssh_string_len(y), ssh_string_data(y),
ssh_string_len(x), ssh_string_data(x))) {
rc = 0;
}
error:
ssh_string_burn(p);
SSH_STRING_FREE(p);
ssh_string_burn(q);
SSH_STRING_FREE(q);
ssh_string_burn(g);
SSH_STRING_FREE(g);
ssh_string_burn(y);
SSH_STRING_FREE(y);
ssh_string_burn(x);
SSH_STRING_FREE(x);
SSH_STRING_FREE(v);
return rc;
}
#ifdef HAVE_GCRYPT_ECC #ifdef HAVE_GCRYPT_ECC
static int pki_key_ecdsa_to_nid(gcry_sexp_t k) static int pki_key_ecdsa_to_nid(gcry_sexp_t k)
{ {
@@ -965,7 +883,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
ssh_auth_callback auth_fn, ssh_auth_callback auth_fn,
void *auth_data) void *auth_data)
{ {
gcry_sexp_t dsa = NULL;
gcry_sexp_t rsa = NULL; gcry_sexp_t rsa = NULL;
gcry_sexp_t ecdsa = NULL; gcry_sexp_t ecdsa = NULL;
ssh_key key = NULL; ssh_key key = NULL;
@@ -979,25 +896,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
} }
switch (type) { switch (type) {
case SSH_KEYTYPE_DSS:
if (passphrase == NULL) {
if (auth_fn) {
valid = b64decode_dsa_privatekey(b64_key, &dsa, auth_fn,
auth_data, "Passphrase for private key:");
} else {
valid = b64decode_dsa_privatekey(b64_key, &dsa, NULL, NULL,
NULL);
}
} else {
valid = b64decode_dsa_privatekey(b64_key, &dsa, NULL, (void *)
passphrase, NULL);
}
if (!valid) {
SSH_LOG(SSH_LOG_TRACE, "Error parsing private key");
goto fail;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
if (passphrase == NULL) { if (passphrase == NULL) {
if (auth_fn) { if (auth_fn) {
@@ -1074,7 +972,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
key->type = type; key->type = type;
key->type_c = ssh_key_type_to_char(type); key->type_c = ssh_key_type_to_char(type);
key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
key->dsa = dsa;
key->rsa = rsa; key->rsa = rsa;
key->ecdsa = ecdsa; key->ecdsa = ecdsa;
#ifdef HAVE_GCRYPT_ECC #ifdef HAVE_GCRYPT_ECC
@@ -1086,52 +983,12 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
return key; return key;
fail: fail:
ssh_key_free(key); ssh_key_free(key);
gcry_sexp_release(dsa);
gcry_sexp_release(rsa); gcry_sexp_release(rsa);
gcry_sexp_release(ecdsa); gcry_sexp_release(ecdsa);
return NULL; return NULL;
} }
int pki_privkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey,
ssh_string privkey)
{
gcry_sexp_build(&key->dsa, NULL,
"(private-key(dsa(p %b)(q %b)(g %b)(y %b)(x %b)))",
ssh_string_len(p), ssh_string_data(p),
ssh_string_len(q), ssh_string_data(q),
ssh_string_len(g), ssh_string_data(g),
ssh_string_len(pubkey), ssh_string_data(pubkey),
ssh_string_len(privkey), ssh_string_data(privkey));
if (key->dsa == NULL) {
return SSH_ERROR;
}
return SSH_OK;
}
int pki_pubkey_build_dss(ssh_key key,
ssh_string p,
ssh_string q,
ssh_string g,
ssh_string pubkey) {
gcry_sexp_build(&key->dsa, NULL,
"(public-key(dsa(p %b)(q %b)(g %b)(y %b)))",
ssh_string_len(p), ssh_string_data(p),
ssh_string_len(q), ssh_string_data(q),
ssh_string_len(g), ssh_string_data(g),
ssh_string_len(pubkey), ssh_string_data(pubkey));
if (key->dsa == NULL) {
return SSH_ERROR;
}
return SSH_OK;
}
int pki_privkey_build_rsa(ssh_key key, int pki_privkey_build_rsa(ssh_key key,
ssh_string n, ssh_string n,
ssh_string e, ssh_string e,
@@ -1243,32 +1100,6 @@ ssh_key pki_key_dup(const ssh_key key, int demote)
} }
switch(key->type) { switch(key->type) {
case SSH_KEYTYPE_DSS:
err = gcry_sexp_extract_param(key->dsa,
NULL,
"pqgyx?",
&p,
&q,
&g,
&y,
&x,
NULL);
if (err != 0) {
break;
}
if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
err = gcry_sexp_build(&new->dsa,
NULL,
"(private-key(dsa(p %m)(q %m)(g %m)(y %m)(x %m)))",
p, q, g, y, x);
} else {
err = gcry_sexp_build(&new->dsa,
NULL,
"(public-key(dsa(p %m)(q %m)(g %m)(y %m)))",
p, q, g, y);
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
err = gcry_sexp_extract_param(key->rsa, err = gcry_sexp_extract_param(key->rsa,
NULL, NULL,
@@ -1383,9 +1214,6 @@ static int pki_key_generate(ssh_key key, int parameter, const char *type_s, int
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
rc = gcry_pk_genkey(&key->rsa, params); rc = gcry_pk_genkey(&key->rsa, params);
break; break;
case SSH_KEYTYPE_DSS:
rc = gcry_pk_genkey(&key->dsa, params);
break;
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521: case SSH_KEYTYPE_ECDSA_P521:
@@ -1403,9 +1231,6 @@ static int pki_key_generate(ssh_key key, int parameter, const char *type_s, int
int pki_key_generate_rsa(ssh_key key, int parameter){ int pki_key_generate_rsa(ssh_key key, int parameter){
return pki_key_generate(key, parameter, "rsa", SSH_KEYTYPE_RSA); return pki_key_generate(key, parameter, "rsa", SSH_KEYTYPE_RSA);
} }
int pki_key_generate_dss(ssh_key key, int parameter){
return pki_key_generate(key, parameter, "dsa", SSH_KEYTYPE_DSS);
}
#ifdef HAVE_GCRYPT_ECC #ifdef HAVE_GCRYPT_ECC
int pki_key_generate_ecdsa(ssh_key key, int parameter) { int pki_key_generate_ecdsa(ssh_key key, int parameter) {
@@ -1472,29 +1297,6 @@ int pki_key_compare(const ssh_key k1,
enum ssh_keycmp_e what) enum ssh_keycmp_e what)
{ {
switch (k1->type) { switch (k1->type) {
case SSH_KEYTYPE_DSS:
if (_bignum_cmp(k1->dsa, k2->dsa, "p") != 0) {
return 1;
}
if (_bignum_cmp(k1->dsa, k2->dsa, "q") != 0) {
return 1;
}
if (_bignum_cmp(k1->dsa, k2->dsa, "g") != 0) {
return 1;
}
if (_bignum_cmp(k1->dsa, k2->dsa, "y") != 0) {
return 1;
}
if (what == SSH_KEY_CMP_PRIVATE) {
if (_bignum_cmp(k1->dsa, k2->dsa, "x") != 0) {
return 1;
}
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
if (_bignum_cmp(k1->rsa, k2->rsa, "e") != 0) { if (_bignum_cmp(k1->rsa, k2->rsa, "e") != 0) {
return 1; return 1;
@@ -1546,7 +1348,8 @@ int pki_key_compare(const ssh_key k1,
} }
break; break;
#endif #endif
case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_ECDSA_P256_CERT01: case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -1603,66 +1406,6 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
} }
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS:
p = ssh_sexp_extract_mpi(key->dsa,
"p",
GCRYMPI_FMT_USG,
GCRYMPI_FMT_STD);
if (p == NULL) {
goto fail;
}
q = ssh_sexp_extract_mpi(key->dsa,
"q",
GCRYMPI_FMT_USG,
GCRYMPI_FMT_STD);
if (q == NULL) {
goto fail;
}
g = ssh_sexp_extract_mpi(key->dsa,
"g",
GCRYMPI_FMT_USG,
GCRYMPI_FMT_STD);
if (g == NULL) {
goto fail;
}
n = ssh_sexp_extract_mpi(key->dsa,
"y",
GCRYMPI_FMT_USG,
GCRYMPI_FMT_STD);
if (n == NULL) {
goto fail;
}
rc = ssh_buffer_add_ssh_string(buffer, p);
if (rc < 0) {
goto fail;
}
rc = ssh_buffer_add_ssh_string(buffer, q);
if (rc < 0) {
goto fail;
}
rc = ssh_buffer_add_ssh_string(buffer, g);
if (rc < 0) {
goto fail;
}
rc = ssh_buffer_add_ssh_string(buffer, n);
if (rc < 0) {
goto fail;
}
ssh_string_burn(p);
SSH_STRING_FREE(p);
ssh_string_burn(g);
SSH_STRING_FREE(g);
ssh_string_burn(q);
SSH_STRING_FREE(q);
ssh_string_burn(n);
SSH_STRING_FREE(n);
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
e = ssh_sexp_extract_mpi(key->rsa, e = ssh_sexp_extract_mpi(key->rsa,
"e", "e",
@@ -1787,13 +1530,7 @@ fail:
ssh_string pki_signature_to_blob(const ssh_signature sig) ssh_string pki_signature_to_blob(const ssh_signature sig)
{ {
char buffer[40] = { 0 }; const char *s = NULL; /* used in RSA */
const char *r = NULL;
size_t r_len, r_offset_in, r_offset_out;
const char *s = NULL;
size_t s_len, s_offset_in, s_offset_out;
gcry_sexp_t sexp; gcry_sexp_t sexp;
size_t size = 0; size_t size = 0;
@@ -1801,57 +1538,6 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
int rc; int rc;
switch(sig->type) { switch(sig->type) {
case SSH_KEYTYPE_DSS:
sexp = gcry_sexp_find_token(sig->dsa_sig, "r", 0);
if (sexp == NULL) {
return NULL;
}
r = gcry_sexp_nth_data(sexp, 1, &size);
/* libgcrypt put 0 when first bit is set */
if (*r == 0) {
size--;
r++;
}
r_len = size;
r_offset_in = (r_len > 20) ? (r_len - 20) : 0;
r_offset_out = (r_len < 20) ? (20 - r_len) : 0;
memcpy(buffer + r_offset_out,
r + r_offset_in,
r_len - r_offset_in);
gcry_sexp_release(sexp);
sexp = gcry_sexp_find_token(sig->dsa_sig, "s", 0);
if (sexp == NULL) {
return NULL;
}
s = gcry_sexp_nth_data(sexp,1,&size);
if (*s == 0) {
size--;
s++;
}
s_len = size;
s_offset_in = (s_len > 20) ? (s_len - 20) : 0;
s_offset_out = (s_len < 20) ? (20 - s_len) : 0;
memcpy(buffer + 20 + s_offset_out,
s + s_offset_in,
s_len - s_offset_in);
gcry_sexp_release(sexp);
sig_blob = ssh_string_new(40);
if (sig_blob == NULL) {
return NULL;
}
rc = ssh_string_fill(sig_blob, buffer, 40);
if (rc < 0) {
SSH_STRING_FREE(sig_blob);
return NULL;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
sexp = gcry_sexp_find_token(sig->rsa_sig, "s", 0); sexp = gcry_sexp_find_token(sig->rsa_sig, "s", 0);
if (sexp == NULL) { if (sexp == NULL) {
@@ -1977,35 +1663,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
len = ssh_string_len(sig_blob); len = ssh_string_len(sig_blob);
switch(type) { switch(type) {
case SSH_KEYTYPE_DSS:
/* 40 is the dual signature blob len. */
if (len != 40) {
SSH_LOG(SSH_LOG_TRACE,
"Signature has wrong size: %lu",
(unsigned long)len);
ssh_signature_free(sig);
return NULL;
}
#ifdef DEBUG_CRYPTO
SSH_LOG(SSH_LOG_DEBUG,
"DSA signature len: %lu",
(unsigned long)len);
ssh_log_hexdump("DSA signature", ssh_string_data(sig_blob), len);
#endif
err = gcry_sexp_build(&sig->dsa_sig,
NULL,
"(sig-val(dsa(r %b)(s %b)))",
20,
ssh_string_data(sig_blob),
20,
(unsigned char *)ssh_string_data(sig_blob) + 20);
if (err) {
ssh_signature_free(sig);
return NULL;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
rsalen = (gcry_pk_get_nbits(pubkey->rsa) + 7) / 8; rsalen = (gcry_pk_get_nbits(pubkey->rsa) + 7) / 8;
@@ -2141,7 +1798,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
size_t hlen, size_t hlen,
enum ssh_digest_e hash_type) enum ssh_digest_e hash_type)
{ {
unsigned char ghash[hlen + 1];
const char *hash_c = NULL; const char *hash_c = NULL;
ssh_signature sig; ssh_signature sig;
gcry_sexp_t sexp; gcry_sexp_t sexp;
@@ -2155,28 +1811,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type);
sig->hash_type = hash_type; sig->hash_type = hash_type;
switch (privkey->type) { switch (privkey->type) {
case SSH_KEYTYPE_DSS:
/* That is to mark the number as positive */
if(hash[0] >= 0x80) {
memcpy(ghash + 1, hash, hlen);
ghash[0] = 0;
hash = ghash;
hlen += 1;
}
err = gcry_sexp_build(&sexp, NULL, "%b", hlen, hash);
if (err) {
ssh_signature_free(sig);
return NULL;
}
err = gcry_pk_sign(&sig->dsa_sig, sexp, privkey->dsa);
gcry_sexp_release(sexp);
if (err) {
ssh_signature_free(sig);
return NULL;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
switch (hash_type) { switch (hash_type) {
case SSH_DIGEST_SHA1: case SSH_DIGEST_SHA1:
@@ -2409,32 +2043,6 @@ int pki_verify_data_signature(ssh_signature signature,
} }
switch(pubkey->type) { switch(pubkey->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
/* That is to mark the number as positive */
if(hash[0] >= 0x80) {
hash = ghash;
hlen += 1;
}
err = gcry_sexp_build(&sexp, NULL, "%b", hlen, hash);
if (err) {
SSH_LOG(SSH_LOG_TRACE,
"DSA hash error: %s", gcry_strerror(err));
return SSH_ERROR;
}
err = gcry_pk_verify(signature->dsa_sig, sexp, pubkey->dsa);
gcry_sexp_release(sexp);
if (err) {
SSH_LOG(SSH_LOG_TRACE, "Invalid DSA signature");
if (gcry_err_code(err) != GPG_ERR_BAD_SIGNATURE) {
SSH_LOG(SSH_LOG_TRACE,
"DSA verify error: %s",
gcry_strerror(err));
}
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
err = gcry_sexp_build(&sexp, err = gcry_sexp_build(&sexp,
@@ -2515,9 +2123,6 @@ int pki_verify_data_signature(ssh_signature signature,
int ssh_key_size(ssh_key key) int ssh_key_size(ssh_key key)
{ {
switch (key->type) { switch (key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
return gcry_pk_get_nbits(key->dsa);
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
@@ -2537,6 +2142,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01: case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */ /* ed25519 keys have fixed size */
return 255; return 255;
case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:
default: default:
return SSH_ERROR; return SSH_ERROR;

34
src/pki_mbedcrypto.c
View File

@@ -1874,36 +1874,6 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter)
return SSH_OK; return SSH_OK;
} }
int pki_privkey_build_dss(ssh_key key, ssh_string p, ssh_string q, ssh_string g,
ssh_string pubkey, ssh_string privkey)
{
(void) key;
(void) p;
(void) q;
(void) g;
(void) pubkey;
(void) privkey;
return SSH_ERROR;
}
int pki_pubkey_build_dss(ssh_key key, ssh_string p, ssh_string q, ssh_string g,
ssh_string pubkey)
{
(void) key;
(void) p;
(void) q;
(void) g;
(void) pubkey;
return SSH_ERROR;
}
int pki_key_generate_dss(ssh_key key, int parameter)
{
(void) key;
(void) parameter;
return SSH_ERROR;
}
int ssh_key_size(ssh_key key) int ssh_key_size(ssh_key key)
{ {
switch (key->type) { switch (key->type) {
@@ -1928,8 +1898,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01: case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */ /* ed25519 keys have fixed size */
return 255; return 255;
case SSH_KEYTYPE_DSS: case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN: case SSH_KEYTYPE_UNKNOWN:
default: default:
return SSH_ERROR; return SSH_ERROR;

12
src/server.c
View File

@@ -112,15 +112,6 @@ int server_set_kex(ssh_session session)
snprintf(hostkeys + len, sizeof(hostkeys) - len, snprintf(hostkeys + len, sizeof(hostkeys) - len,
",%s", session->srv.ecdsa_key->type_c); ",%s", session->srv.ecdsa_key->type_c);
} }
#endif
#ifdef HAVE_DSA
if (session->srv.dsa_key != NULL) {
len = strlen(hostkeys);
keytype = ssh_key_type(session->srv.dsa_key);
snprintf(hostkeys + len, sizeof(hostkeys) - len,
",%s", ssh_key_type_to_char(keytype));
}
#endif #endif
if (session->srv.rsa_key != NULL) { if (session->srv.rsa_key != NULL) {
/* We support also the SHA2 variants */ /* We support also the SHA2 variants */
@@ -282,9 +273,6 @@ ssh_get_key_params(ssh_session session,
int rc; int rc;
switch(session->srv.hostkey) { switch(session->srv.hostkey) {
case SSH_KEYTYPE_DSS:
*privkey = session->srv.dsa_key;
break;
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
*privkey = session->srv.rsa_key; *privkey = session->srv.rsa_key;
break; break;

13
src/session.c
View File

@@ -156,17 +156,6 @@ ssh_session ssh_new(void)
goto err; goto err;
} }
#ifdef HAVE_DSA
id = strdup("%d/id_dsa");
if (id == NULL) {
goto err;
}
rc = ssh_list_append(session->opts.identity_non_exp, id);
if (rc == SSH_ERROR) {
goto err;
}
#endif
/* Explicitly initialize states */ /* Explicitly initialize states */
session->session_state = SSH_SESSION_STATE_NONE; session->session_state = SSH_SESSION_STATE_NONE;
session->pending_call_state = SSH_PENDING_CALL_NONE; session->pending_call_state = SSH_PENDING_CALL_NONE;
@@ -251,8 +240,6 @@ void ssh_free(ssh_session session)
ssh_agent_free(session->agent); ssh_agent_free(session->agent);
#endif /* _WIN32 */ #endif /* _WIN32 */
ssh_key_free(session->srv.dsa_key);
session->srv.dsa_key = NULL;
ssh_key_free(session->srv.rsa_key); ssh_key_free(session->srv.rsa_key);
session->srv.rsa_key = NULL; session->srv.rsa_key = NULL;
ssh_key_free(session->srv.ecdsa_key); ssh_key_free(session->srv.ecdsa_key);

6
tests/CMakeLists.txt
View File

@@ -99,7 +99,7 @@ if (SSH_EXECUTABLE)
set(OPENSSH_CIPHERS "aes128-ctr\naes192-ctr\naes256-ctr\narcfour256\narcfour128\naes128-gcm@openssh.com\naes256-gcm@openssh.com\naes128-cbc\n3des-cbc\nblowfish-cbc\ncast128-cbc\naes192-cbc\naes256-cbc\narcfour\nrijndael-cbc@lysator.liu.se\n") set(OPENSSH_CIPHERS "aes128-ctr\naes192-ctr\naes256-ctr\narcfour256\narcfour128\naes128-gcm@openssh.com\naes256-gcm@openssh.com\naes128-cbc\n3des-cbc\nblowfish-cbc\ncast128-cbc\naes192-cbc\naes256-cbc\narcfour\nrijndael-cbc@lysator.liu.se\n")
set(OPENSSH_MACS "hmac-md5-etm@openssh.com\nhmac-sha1-etm@openssh.com\numac-64-etm@openssh.com\numac-128-etm@openssh.com\nhmac-sha2-256-etm@openssh.com\nhmac-sha2-512-etm@openssh.com\nhmac-ripemd160-etm@openssh.com\nhmac-sha1-96-etm@openssh.com\nhmac-md5-96-etm@openssh.com\nhmac-md5\nhmac-sha1\numac-64@openssh.com\numac-128@openssh.com\nhmac-sha2-256\nhmac-sha2-512\nhmac-ripemd160\nhmac-ripemd160@openssh.com\nhmac-sha1-96\nhmac-md5-96\n") set(OPENSSH_MACS "hmac-md5-etm@openssh.com\nhmac-sha1-etm@openssh.com\numac-64-etm@openssh.com\numac-128-etm@openssh.com\nhmac-sha2-256-etm@openssh.com\nhmac-sha2-512-etm@openssh.com\nhmac-ripemd160-etm@openssh.com\nhmac-sha1-96-etm@openssh.com\nhmac-md5-96-etm@openssh.com\nhmac-md5\nhmac-sha1\numac-64@openssh.com\numac-128@openssh.com\nhmac-sha2-256\nhmac-sha2-512\nhmac-ripemd160\nhmac-ripemd160@openssh.com\nhmac-sha1-96\nhmac-md5-96\n")
set(OPENSSH_KEX "ecdh-sha2-nistp256\necdh-sha2-nistp384\necdh-sha2-nistp521\ndiffie-hellman-group-exchange-sha256\ndiffie-hellman-group-exchange-sha1\ndiffie-hellman-group14-sha1\ndiffie-hellman-group1-sha1\n") set(OPENSSH_KEX "ecdh-sha2-nistp256\necdh-sha2-nistp384\necdh-sha2-nistp521\ndiffie-hellman-group-exchange-sha256\ndiffie-hellman-group-exchange-sha1\ndiffie-hellman-group14-sha1\ndiffie-hellman-group1-sha1\n")
set(OPENSSH_KEYS "ssh-rsa\nssh-dss\necdsa-sha2-nistp256\n") set(OPENSSH_KEYS "ssh-rsa\necdsa-sha2-nistp256\n")
else() else()
execute_process(COMMAND ${SSH_EXECUTABLE} -Q cipher OUTPUT_VARIABLE OPENSSH_CIPHERS) execute_process(COMMAND ${SSH_EXECUTABLE} -Q cipher OUTPUT_VARIABLE OPENSSH_CIPHERS)
execute_process(COMMAND ${SSH_EXECUTABLE} -Q mac OUTPUT_VARIABLE OPENSSH_MACS) execute_process(COMMAND ${SSH_EXECUTABLE} -Q mac OUTPUT_VARIABLE OPENSSH_MACS)
@@ -126,9 +126,9 @@ if (SSH_EXECUTABLE)
diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
curve25519-sha256 curve25519-sha256@libssh.org curve25519-sha256 curve25519-sha256@libssh.org
ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-dss ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ssh-rsa-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com
) )

28
tests/client/torture_hostkey.c
View File

@@ -127,30 +127,6 @@ static void torture_hostkey_ed25519(void **state) {
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
} }
#ifdef HAVE_DSA
static void torture_hostkey_dss(void **state) {
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
char rsa[] = "ssh-dss";
int rc;
if (ssh_fips_mode()) {
skip();
}
rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, &rsa);
assert_ssh_return_code(session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
ssh_disconnect(session);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
}
#endif /* HAVE_DSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
static void torture_hostkey_ecdsa(void **state) { static void torture_hostkey_ecdsa(void **state) {
struct torture_state *s = *state; struct torture_state *s = *state;
@@ -220,10 +196,6 @@ int torture_run_tests(void) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
cmocka_unit_test_setup_teardown(torture_hostkey_ecdsa, session_setup, cmocka_unit_test_setup_teardown(torture_hostkey_ecdsa, session_setup,
session_teardown), session_teardown),
#endif
#ifdef HAVE_DSA
cmocka_unit_test_setup_teardown(torture_hostkey_dss, session_setup,
session_teardown),
#endif #endif
/* the client is able to handle SHA2 extension (if negotiated) */ /* the client is able to handle SHA2 extension (if negotiated) */
cmocka_unit_test_setup_teardown(torture_hostkey_rsa_sha256, cmocka_unit_test_setup_teardown(torture_hostkey_rsa_sha256,

12
tests/keys/ssh_host_dsa_key
View File

@@ -1,12 +0,0 @@
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQD7vBS+d/eJP6wK2VQw+8AIfgCw9IR50utLRkkrWbfDdiM7V+fp
tJYKCyqZT9j9ANhqicB2tuqAI6WJBZMaGekxWfI30JxPkHZrrwbdFzlRbjav07lg
IKqWgcz81iVPmfn5savEoobiSFjJNMmYcizjKZgGmyNUzlJjzF7u5qD08wIVAPFp
6VKuv8VxNjENciUZCdEDRW/lAoGBAN/BFSBRSP9frsHID6e2NeKHqs8JDUWhCTE9
/WQKqUUbxO2UU98CfHuf1mNlaSsrOxaBdvTeURcZZc1svhyGr1VG+NbNTDDlzTgA
UlrzNML61TYcFXQVxgifUy+Tmh8FRGCa6Ko/EsX4ZWLTto5w1u5cPpgzSbLMco9T
AeeNLgYNAoGAJRuawWN3+NezI7+bBe42Kjg4gVUlpS+8TTlYFbwrM1Esab7gvxHB
/b2apbk9xIAkkqsnb+EPrXTLUdE2Y7XkEuGLLSTus2UlZKobBGBX/Ioysg5W9Fk/
2MhI4YssRb2alar8d+gmAHPaT+D+NDd90PBfY3HqcXFEK+eDTWo1JNICFBLdsuoO
6pObeFSOYbr38kJzZ0xG
-----END DSA PRIVATE KEY-----

1
tests/keys/ssh_host_dsa_key.pub
View File

@@ -1 +0,0 @@
ssh-dss AAAAB3NzaC1kc3MAAACBAPu8FL5394k/rArZVDD7wAh+ALD0hHnS60tGSStZt8N2IztX5+m0lgoLKplP2P0A2GqJwHa26oAjpYkFkxoZ6TFZ8jfQnE+QdmuvBt0XOVFuNq/TuWAgqpaBzPzWJU+Z+fmxq8SihuJIWMk0yZhyLOMpmAabI1TOUmPMXu7moPTzAAAAFQDxaelSrr/FcTYxDXIlGQnRA0Vv5QAAAIEA38EVIFFI/1+uwcgPp7Y14oeqzwkNRaEJMT39ZAqpRRvE7ZRT3wJ8e5/WY2VpKys7FoF29N5RFxllzWy+HIavVUb41s1MMOXNOABSWvM0wvrVNhwVdBXGCJ9TL5OaHwVEYJroqj8SxfhlYtO2jnDW7lw+mDNJssxyj1MB540uBg0AAACAJRuawWN3+NezI7+bBe42Kjg4gVUlpS+8TTlYFbwrM1Esab7gvxHB/b2apbk9xIAkkqsnb+EPrXTLUdE2Y7XkEuGLLSTus2UlZKobBGBX/Ioysg5W9Fk/2MhI4YssRb2alar8d+gmAHPaT+D+NDd90PBfY3HqcXFEK+eDTWo1JNI= asn@magrathea

4
tests/pkd/pkd_daemon.c
View File

@@ -267,10 +267,6 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
opts = SSH_BIND_OPTIONS_RSAKEY; opts = SSH_BIND_OPTIONS_RSAKEY;
} else if (type == PKD_ED25519) { } else if (type == PKD_ED25519) {
opts = SSH_BIND_OPTIONS_HOSTKEY; opts = SSH_BIND_OPTIONS_HOSTKEY;
#ifdef HAVE_DSA
} else if (type == PKD_DSA) {
opts = SSH_BIND_OPTIONS_DSAKEY;
#endif
} else if (type == PKD_ECDSA) { } else if (type == PKD_ECDSA) {
opts = SSH_BIND_OPTIONS_ECDSAKEY; opts = SSH_BIND_OPTIONS_ECDSAKEY;
} else { } else {

3
tests/pkd/pkd_daemon.h
View File

@@ -12,9 +12,6 @@
enum pkd_hostkey_type_e { enum pkd_hostkey_type_e {
PKD_RSA, PKD_RSA,
#ifdef HAVE_DSA
PKD_DSA,
#endif
PKD_ED25519, PKD_ED25519,
PKD_ECDSA PKD_ECDSA
}; };

161
tests/pkd/pkd_hello.c
View File

@@ -183,15 +183,6 @@ static int torture_pkd_setup_ed25519(void **state) {
return 0; return 0;
} }
#ifdef HAVE_DSA
static int torture_pkd_setup_dsa(void **state) {
setup_dsa_key();
*state = (void *) torture_pkd_setup(PKD_DSA, LIBSSH_DSA_TESTKEY);
return 0;
}
#endif
static int torture_pkd_setup_ecdsa_256(void **state) { static int torture_pkd_setup_ecdsa_256(void **state) {
setup_ecdsa_keys(); setup_ecdsa_keys();
*state = (void *) torture_pkd_setup(PKD_ECDSA, LIBSSH_ECDSA_256_TESTKEY); *state = (void *) torture_pkd_setup(PKD_ECDSA, LIBSSH_ECDSA_256_TESTKEY);
@@ -223,16 +214,9 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \ f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \
f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown) f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown)
#ifdef HAVE_DSA
#define PKDTESTS_DEFAULT(f, client, cmd) \
/* Default passes by server key type. */ \
PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
f(client, dsa_default, cmd, setup_dsa, teardown)
#else
#define PKDTESTS_DEFAULT(f, client, cmd) \ #define PKDTESTS_DEFAULT(f, client, cmd) \
/* Default passes by server key type. */ \ /* Default passes by server key type. */ \
PKDTESTS_DEFAULT_FIPS(f, client, cmd) PKDTESTS_DEFAULT_FIPS(f, client, cmd)
#endif
#define PKDTESTS_DEFAULT_OPENSSHONLY(f, client, cmd) \ #define PKDTESTS_DEFAULT_OPENSSHONLY(f, client, cmd) \
/* Default passes by server key type. */ \ /* Default passes by server key type. */ \
@@ -314,44 +298,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_521, teardown) f(client, ecdsa_521_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_521, teardown)
#if defined(HAVE_DSA) && defined(WITH_GEX) #if defined(WITH_GEX)
/* GEX_SHA256 with RSA and ECDSA is included in PKDTESTS_KEX_FIPS if available */
#define PKDTESTS_KEX(f, client, kexcmd) \
/* Kex algorithms. */ \
PKDTESTS_KEX_COMMON(f, client, kexcmd) \
f(client, rsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_rsa, teardown) \
f(client, dsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_dsa, teardown) \
f(client, dsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256 "), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384 "), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521 "), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_dsa, teardown) \
f(client, ecdsa_256_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_256, teardown) \
f(client, ecdsa_384_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_384, teardown) \
f(client, ecdsa_521_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_521, teardown)
#elif defined(HAVE_DSA) /* && !defined(WITH_GEX) */
#define PKDTESTS_KEX(f, client, kexcmd) \
/* Kex algorithms. */ \
PKDTESTS_KEX_COMMON(f, client, kexcmd) \
f(client, dsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_dsa, teardown) \
f(client, dsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256 "), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384 "), setup_dsa, teardown) \
f(client, dsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521 "), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \
f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown)
#elif defined(WITH_GEX) /* && !defined(HAVE_DSA) */
/* GEX_SHA256 is included in PKDTESTS_KEX_FIPS if available */ /* GEX_SHA256 is included in PKDTESTS_KEX_FIPS if available */
#define PKDTESTS_KEX(f, client, kexcmd) \ #define PKDTESTS_KEX(f, client, kexcmd) \
/* Kex algorithms. */ \ /* Kex algorithms. */ \
@@ -397,7 +344,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ed25519, teardown) f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ed25519, teardown)
#endif #endif
#define PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \ #define PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \
f(client, rsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_rsa, teardown) \ f(client, rsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_rsa, teardown) \
f(client, rsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_rsa, teardown) \ f(client, rsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_rsa, teardown) \
@@ -445,7 +391,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown) f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown)
#ifdef HAVE_DSA
#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \ #define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
/* Ciphers. */ \ /* Ciphers. */ \
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \ PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
@@ -455,14 +400,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \ f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \ f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \ f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
f(client, dsa_3des_cbc, ciphercmd("3des-cbc"), setup_dsa, teardown) \
f(client, dsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_dsa, teardown) \
f(client, dsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_dsa, teardown) \
f(client, dsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_dsa, teardown) \
f(client, dsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_dsa, teardown) \
f(client, dsa_chacha20, ciphercmd(CHACHA20), setup_dsa, teardown) \
f(client, dsa_aes128_gcm, ciphercmd(AES128_GCM), setup_dsa, teardown) \
f(client, dsa_aes256_gcm, ciphercmd(AES256_GCM), setup_dsa, teardown) \
f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \ f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \ f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \ f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \
@@ -491,43 +428,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown) f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
#else
#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
/* Ciphers. */ \
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
f(client, rsa_3des_cbc, ciphercmd("3des-cbc"), setup_rsa, teardown) \
f(client, rsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_rsa, teardown) \
f(client, rsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_rsa, teardown) \
f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \
f(client, ed25519_aes256_cbc, ciphercmd("aes256-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes256_ctr, ciphercmd("aes256-ctr"), setup_ed25519, teardown) \
f(client, ed25519_aes192_cbc, ciphercmd("aes192-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes192_ctr, ciphercmd("aes192-ctr"), setup_ed25519, teardown) \
f(client, ed25519_chacha20, ciphercmd(CHACHA20), setup_ed25519, teardown) \
f(client, ecdsa_256_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_256, teardown) \
f(client, ecdsa_256_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_256, teardown) \
f(client, ecdsa_256_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_256, teardown) \
f(client, ecdsa_256_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_256, teardown) \
f(client, ecdsa_256_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_256, teardown) \
f(client, ecdsa_256_chacha20, ciphercmd(CHACHA20), setup_ecdsa_256, teardown) \
f(client, ecdsa_384_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_384, teardown) \
f(client, ecdsa_384_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_384, teardown) \
f(client, ecdsa_384_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_384, teardown) \
f(client, ecdsa_384_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_384, teardown) \
f(client, ecdsa_384_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_384, teardown) \
f(client, ecdsa_384_chacha20, ciphercmd(CHACHA20), setup_ecdsa_384, teardown) \
f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
#endif
#define PKDTESTS_MAC_FIPS(f, client, maccmd) \ #define PKDTESTS_MAC_FIPS(f, client, maccmd) \
@@ -558,25 +458,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \ f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \
f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown) f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown)
#ifdef HAVE_DSA
#define PKDTESTS_MAC(f, client, maccmd) \
/* MACs. */ \
PKDTESTS_MAC_FIPS(f, client, maccmd) \
f(client, dsa_hmac_sha1, maccmd("hmac-sha1"), setup_dsa, teardown) \
f(client, dsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_dsa, teardown)
#define PKDTESTS_MAC_OPENSSHONLY(f, client, maccmd) \
PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
f(client, dsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_dsa, teardown) \
f(client, dsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_dsa, teardown) \
f(client, dsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_dsa, teardown) \
f(client, dsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_dsa, teardown) \
f(client, ed25519_hmac_sha1, maccmd("hmac-sha1"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
#else
#define PKDTESTS_MAC(f, client, maccmd) \ #define PKDTESTS_MAC(f, client, maccmd) \
/* MACs. */ \ /* MACs. */ \
PKDTESTS_MAC_FIPS(f, client, maccmd) PKDTESTS_MAC_FIPS(f, client, maccmd)
@@ -588,7 +469,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \ f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \ f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown) f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
#endif
#define PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd) \ #define PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd) \
@@ -644,21 +524,6 @@ static void torture_pkd_runtest(const char *testname,
/* /*
* Actual test functions are emitted here. * Actual test functions are emitted here.
*/ */
#ifdef HAVE_DSA
#define CLIENT_ID_FILE OPENSSH_DSA_TESTKEY
PKDTESTS_DEFAULT(emit_keytest, openssh_dsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_keytest, openssh_cert_dsa, OPENSSH_CERT_CMD)
PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_CMD)
PKDTESTS_KEX(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
PKDTESTS_CIPHER(emit_keytest, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_MAC(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
#undef CLIENT_ID_FILE
#endif
#define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY #define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY
PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD) PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD) PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -730,17 +595,6 @@ struct {
const struct CMUnitTest test; const struct CMUnitTest test;
} testmap[] = { } testmap[] = {
/* OpenSSH */ /* OpenSSH */
#ifdef HAVE_DSA
PKDTESTS_DEFAULT(emit_testmap, openssh_dsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_testmap, openssh_cert_dsa, OPENSSH_CERT_CMD)
PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_CMD)
PKDTESTS_KEX(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
PKDTESTS_CIPHER(emit_testmap, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_CIPHER_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_MAC(emit_testmap, openssh_dsa, OPENSSH_MAC_CMD)
PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_MAC_CMD)
#endif
PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD) PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD) PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -795,16 +649,6 @@ static int pkd_run_tests(void) {
int tindex = 0; int tindex = 0;
const struct CMUnitTest openssh_tests[] = { const struct CMUnitTest openssh_tests[] = {
#ifdef HAVE_DSA
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_dsa, OPENSSH_CERT_CMD)
PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
PKDTESTS_KEX(emit_unit_test_comma, openssh_dsa, OPENSSH_KEX_CMD)
PKDTESTS_CIPHER(emit_unit_test_comma, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_CIPHER_CMD)
PKDTESTS_MAC(emit_unit_test_comma, openssh_dsa, OPENSSH_MAC_CMD)
PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_MAC_CMD)
#endif
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD) PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD) PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -948,9 +792,6 @@ static int pkd_run_tests(void) {
cleanup_ecdsa_keys(); cleanup_ecdsa_keys();
if (!ssh_fips_mode()) { if (!ssh_fips_mode()) {
cleanup_ed25519_key(); cleanup_ed25519_key();
#ifdef HAVE_DSA
cleanup_dsa_key();
#endif
} }
return rc; return rc;

33
tests/pkd/pkd_keyutil.c
View File

@@ -40,17 +40,6 @@ void setup_ed25519_key(void) {
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
} }
#ifdef HAVE_DSA
void setup_dsa_key(void) {
int rc = 0;
if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
LIBSSH_DSA_TESTKEY);
}
assert_int_equal(rc, 0);
}
#endif
void setup_ecdsa_keys(void) { void setup_ecdsa_keys(void) {
int rc = 0; int rc = 0;
@@ -79,12 +68,6 @@ void cleanup_ed25519_key(void) {
cleanup_key(LIBSSH_ED25519_TESTKEY); cleanup_key(LIBSSH_ED25519_TESTKEY);
} }
#ifdef HAVE_DSA
void cleanup_dsa_key(void) {
cleanup_key(LIBSSH_DSA_TESTKEY);
}
#endif
void cleanup_ecdsa_keys(void) { void cleanup_ecdsa_keys(void) {
cleanup_key(LIBSSH_ECDSA_256_TESTKEY); cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
cleanup_key(LIBSSH_ECDSA_384_TESTKEY); cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
@@ -156,19 +139,6 @@ void setup_openssh_client_keys(void) {
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
if (!ssh_fips_mode()) { if (!ssh_fips_mode()) {
#ifdef HAVE_DSA
if (access(OPENSSH_DSA_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
OPENSSH_DSA_TESTKEY);
}
assert_int_equal(rc, 0);
if (access(OPENSSH_DSA_TESTKEY "-cert.pub", F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY
" " OPENSSH_DSA_TESTKEY ".pub 2>/dev/null");
}
assert_int_equal(rc, 0);
#endif
if (access(OPENSSH_ED25519_TESTKEY, F_OK) != 0) { if (access(OPENSSH_ED25519_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f " rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
@@ -193,9 +163,6 @@ void cleanup_openssh_client_keys(void) {
cleanup_key(OPENSSH_ECDSA521_TESTKEY); cleanup_key(OPENSSH_ECDSA521_TESTKEY);
if (!ssh_fips_mode()) { if (!ssh_fips_mode()) {
cleanup_key(OPENSSH_ED25519_TESTKEY); cleanup_key(OPENSSH_ED25519_TESTKEY);
#ifdef HAVE_DSA
cleanup_key(OPENSSH_DSA_TESTKEY);
#endif
} }
} }

12
tests/pkd/pkd_keyutil.h
View File

@@ -10,32 +10,20 @@
#include "config.h" #include "config.h"
/* Server keys. */ /* Server keys. */
#ifdef HAVE_DSA
#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa" #define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519" #define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#define LIBSSH_ECDSA_256_TESTKEY "libssh_testkey.id_ecdsa256" #define LIBSSH_ECDSA_256_TESTKEY "libssh_testkey.id_ecdsa256"
#define LIBSSH_ECDSA_384_TESTKEY "libssh_testkey.id_ecdsa384" #define LIBSSH_ECDSA_384_TESTKEY "libssh_testkey.id_ecdsa384"
#define LIBSSH_ECDSA_521_TESTKEY "libssh_testkey.id_ecdsa521" #define LIBSSH_ECDSA_521_TESTKEY "libssh_testkey.id_ecdsa521"
#ifdef HAVE_DSA
void setup_dsa_key(void);
#endif
void setup_rsa_key(void); void setup_rsa_key(void);
void setup_ed25519_key(void); void setup_ed25519_key(void);
void setup_ecdsa_keys(void); void setup_ecdsa_keys(void);
#ifdef HAVE_DSA
void cleanup_dsa_key(void);
#endif
void cleanup_rsa_key(void); void cleanup_rsa_key(void);
void cleanup_ed25519_key(void); void cleanup_ed25519_key(void);
void cleanup_ecdsa_keys(void); void cleanup_ecdsa_keys(void);
/* Client keys. */ /* Client keys. */
#ifdef HAVE_DSA
#define OPENSSH_DSA_TESTKEY "openssh_testkey.id_dsa"
#endif
#define OPENSSH_RSA_TESTKEY "openssh_testkey.id_rsa" #define OPENSSH_RSA_TESTKEY "openssh_testkey.id_rsa"
#define OPENSSH_ECDSA256_TESTKEY "openssh_testkey.id_ecdsa256" #define OPENSSH_ECDSA256_TESTKEY "openssh_testkey.id_ecdsa256"
#define OPENSSH_ECDSA384_TESTKEY "openssh_testkey.id_ecdsa384" #define OPENSSH_ECDSA384_TESTKEY "openssh_testkey.id_ecdsa384"

27
tests/server/test_server/main.c
View File

@@ -45,7 +45,6 @@ struct arguments_st {
char *port; char *port;
char *ecdsa_key; char *ecdsa_key;
char *dsa_key;
char *ed25519_key; char *ed25519_key;
char *rsa_key; char *rsa_key;
char *host_key; char *host_key;
@@ -74,7 +73,6 @@ static void free_arguments(struct arguments_st *arguments)
SAFE_FREE(arguments->port); SAFE_FREE(arguments->port);
SAFE_FREE(arguments->ecdsa_key); SAFE_FREE(arguments->ecdsa_key);
SAFE_FREE(arguments->dsa_key);
SAFE_FREE(arguments->ed25519_key); SAFE_FREE(arguments->ed25519_key);
SAFE_FREE(arguments->rsa_key); SAFE_FREE(arguments->rsa_key);
SAFE_FREE(arguments->host_key); SAFE_FREE(arguments->host_key);
@@ -153,8 +151,6 @@ static void print_server_state(struct server_state_st *state)
printf("=================================================\n"); printf("=================================================\n");
printf("ecdsa_key = %s\n", printf("ecdsa_key = %s\n",
state->ecdsa_key? state->ecdsa_key: "NULL"); state->ecdsa_key? state->ecdsa_key: "NULL");
printf("dsa_key = %s\n",
state->dsa_key? state->dsa_key: "NULL");
printf("ed25519_key = %s\n", printf("ed25519_key = %s\n",
state->ed25519_key? state->ed25519_key: "NULL"); state->ed25519_key? state->ed25519_key: "NULL");
printf("rsa_key = %s\n", printf("rsa_key = %s\n",
@@ -218,13 +214,6 @@ static int init_server_state(struct server_state_st *state,
state->ecdsa_key = NULL; state->ecdsa_key = NULL;
} }
if (arguments->dsa_key) {
state->dsa_key = arguments->dsa_key;
arguments->dsa_key = NULL;
} else {
state->dsa_key = NULL;
}
if (arguments->ed25519_key) { if (arguments->ed25519_key) {
state->ed25519_key = arguments->ed25519_key; state->ed25519_key = arguments->ed25519_key;
arguments->ed25519_key = NULL; arguments->ed25519_key = NULL;
@@ -363,14 +352,6 @@ static struct argp_option options[] = {
.doc = "Set the ECDSA key.", .doc = "Set the ECDSA key.",
.group = 0 .group = 0
}, },
{
.name = "dsakey",
.key = 'd',
.arg = "FILE",
.flags = 0,
.doc = "Set the DSA key.",
.group = 0
},
{ {
.name = "ed25519key", .name = "ed25519key",
.key = 'e', .key = 'e',
@@ -486,14 +467,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
goto end; goto end;
} }
break; break;
case 'd':
arguments->dsa_key = strdup(arg);
if (arguments->dsa_key == NULL) {
fprintf(stderr, "Out of memory\n");
rc = ENOMEM;
goto end;
}
break;
case 'e': case 'e':
arguments->ed25519_key = strdup(arg); arguments->ed25519_key = strdup(arg);
if (arguments->ed25519_key == NULL) { if (arguments->ed25519_key == NULL) {

13
tests/server/test_server/test_server.c
View File

@@ -46,7 +46,6 @@ void free_server_state(struct server_state_st *state)
SAFE_FREE(state->address); SAFE_FREE(state->address);
SAFE_FREE(state->ecdsa_key); SAFE_FREE(state->ecdsa_key);
SAFE_FREE(state->dsa_key);
SAFE_FREE(state->ed25519_key); SAFE_FREE(state->ed25519_key);
SAFE_FREE(state->rsa_key); SAFE_FREE(state->rsa_key);
SAFE_FREE(state->host_key); SAFE_FREE(state->host_key);
@@ -159,18 +158,6 @@ int run_server(struct server_state_st *state)
goto free_sshbind; goto free_sshbind;
} }
if (state->dsa_key != NULL) {
rc = ssh_bind_options_set(sshbind,
SSH_BIND_OPTIONS_DSAKEY,
state->dsa_key);
if (rc != 0) {
fprintf(stderr,
"Error setting DSA key: %s\n",
ssh_get_error(sshbind));
goto free_sshbind;
}
}
if (state->rsa_key != NULL) { if (state->rsa_key != NULL) {
rc = ssh_bind_options_set(sshbind, rc = ssh_bind_options_set(sshbind,
SSH_BIND_OPTIONS_RSAKEY, SSH_BIND_OPTIONS_RSAKEY,

1
tests/server/test_server/test_server.h
View File

@@ -36,7 +36,6 @@ struct server_state_st {
int port; int port;
char *ecdsa_key; char *ecdsa_key;
char *dsa_key;
char *ed25519_key; char *ed25519_key;
char *rsa_key; char *rsa_key;
char *host_key; char *host_key;

27
tests/server/torture_server_config.c
View File

@@ -51,9 +51,6 @@ struct test_server_st {
char ecdsa_521_hostkey[1024]; char ecdsa_521_hostkey[1024];
char ecdsa_384_hostkey[1024]; char ecdsa_384_hostkey[1024];
char ecdsa_256_hostkey[1024]; char ecdsa_256_hostkey[1024];
#ifdef HAVE_DSA
char dsa_hostkey[1024];
#endif /* HAVE_DSA */
}; };
static int setup_files(void **state) static int setup_files(void **state)
@@ -117,14 +114,6 @@ static int setup_files(void **state)
torture_write_file(tss->ed25519_hostkey, torture_write_file(tss->ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
#ifdef HAVE_DSA
snprintf(tss->dsa_hostkey,
sizeof(tss->dsa_hostkey),
"%s/sshd/ssh_host_dsa_key",
s->socket_dir);
torture_write_file(tss->dsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_DSS, 0));
#endif /* HAVE_DSA */
} }
tss->state = s; tss->state = s;
@@ -372,10 +361,6 @@ static size_t setup_hostkey_files(struct test_server_st *tss)
if (!ssh_fips_mode()) { if (!ssh_fips_mode()) {
hostkey_files[4] = tss->ed25519_hostkey; hostkey_files[4] = tss->ed25519_hostkey;
num_hostkey_files++; num_hostkey_files++;
#ifdef HAVE_DSA
hostkey_files[5] = tss->dsa_hostkey;
num_hostkey_files++;
#endif
} }
#endif /* TEST_ALL_CRYPTO_COMBINATIONS */ #endif /* TEST_ALL_CRYPTO_COMBINATIONS */
@@ -670,18 +655,6 @@ static void torture_server_config_hostkey_algorithms(void **state)
rc = try_config_content(state, config_content, false); rc = try_config_content(state, config_content, false);
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
#ifdef HAVE_DSA
if (!ssh_fips_mode()) {
/* ssh-dss */
snprintf(config_content,
sizeof(config_content),
"HostKey %s\nHostkeyAlgorithms %s\n",
tss->dsa_hostkey, "ssh-dss");
rc = try_config_content(state, config_content, false);
assert_int_equal(rc, 0);
}
#endif
} }
static void torture_server_config_unknown(void **state) static void torture_server_config_unknown(void **state)

2
tests/ssh_ping.c
View File

@@ -60,7 +60,7 @@ int main(int argc, char **argv)
goto out; goto out;
} }
/* Enable all supported algorithms (including DSA) */ /* Enable all supported algorithms */
hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS); hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS);
rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, hostkeys); rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, hostkeys);
if (rc < 0) { if (rc < 0) {

2
tests/tests_config.h.cmake
View File

@@ -52,12 +52,10 @@
#cmakedefine OPENSSH_SSH_ED25519 1 #cmakedefine OPENSSH_SSH_ED25519 1
#cmakedefine OPENSSH_SSH_ED25519_CERT_V01_OPENSSH_COM 1 #cmakedefine OPENSSH_SSH_ED25519_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_SSH_RSA 1 #cmakedefine OPENSSH_SSH_RSA 1
#cmakedefine OPENSSH_SSH_DSS 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP256 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP384 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP521 1
#cmakedefine OPENSSH_SSH_RSA_CERT_V01_OPENSSH_COM 1 #cmakedefine OPENSSH_SSH_RSA_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_SSH_DSS_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256_CERT_V01_OPENSSH_COM 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP256_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384_CERT_V01_OPENSSH_COM 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP384_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521_CERT_V01_OPENSSH_COM 1 #cmakedefine OPENSSH_ECDSA_SHA2_NISTP521_CERT_V01_OPENSSH_COM 1

45
tests/torture.c
View File

@@ -383,11 +383,6 @@ ssh_bind torture_ssh_bind(const char *addr,
} }
switch (key_type) { switch (key_type) {
#ifdef HAVE_DSA
case SSH_KEYTYPE_DSS:
opts = SSH_BIND_OPTIONS_DSAKEY;
break;
#endif /* HAVE_DSA */
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
opts = SSH_BIND_OPTIONS_RSAKEY; opts = SSH_BIND_OPTIONS_RSAKEY;
break; break;
@@ -631,9 +626,6 @@ void torture_setup_create_libssh_config(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
char ed25519_hostkey[1024] = {0}; char ed25519_hostkey[1024] = {0};
#ifdef HAVE_DSA
char dsa_hostkey[1024];
#endif /* HAVE_DSA */
char rsa_hostkey[1024]; char rsa_hostkey[1024];
char ecdsa_hostkey[1024]; char ecdsa_hostkey[1024];
char sshd_config[2048]; char sshd_config[2048];
@@ -647,9 +639,6 @@ void torture_setup_create_libssh_config(void **state)
"%s %s\n" "%s %s\n"
"%s %s\n" "%s %s\n"
"%s %s\n" "%s %s\n"
#ifdef HAVE_DSA
"%s %s\n"
#endif /* HAVE_DSA */
"%s\n"; /* The space for test-specific options */ "%s\n"; /* The space for test-specific options */
bool written = false; bool written = false;
int rc; int rc;
@@ -686,13 +675,6 @@ void torture_setup_create_libssh_config(void **state)
"%s/sshd/ssh_host_ecdsa_key", "%s/sshd/ssh_host_ecdsa_key",
s->socket_dir); s->socket_dir);
#ifdef HAVE_DSA
snprintf(dsa_hostkey,
sizeof(dsa_hostkey),
"%s/sshd/ssh_host_dsa_key",
s->socket_dir);
#endif /* HAVE_DSA */
if (!written) { if (!written) {
torture_write_file(ed25519_hostkey, torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
@@ -700,10 +682,6 @@ void torture_setup_create_libssh_config(void **state)
torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_get_testkey(SSH_KEYTYPE_RSA, 0));
torture_write_file(ecdsa_hostkey, torture_write_file(ecdsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
#ifdef HAVE_DSA
torture_write_file(dsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_DSS, 0));
#endif /* HAVE_DSA */
} }
additional_config = (s->srv_additional_config != NULL ? additional_config = (s->srv_additional_config != NULL ?
@@ -714,9 +692,6 @@ void torture_setup_create_libssh_config(void **state)
"HostKey", ed25519_hostkey, "HostKey", ed25519_hostkey,
"HostKey", rsa_hostkey, "HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey, "HostKey", ecdsa_hostkey,
#ifdef HAVE_DSA
"HostKey", dsa_hostkey,
#endif /* HAVE_DSA */
additional_config); additional_config);
torture_write_file(s->srv_config, sshd_config); torture_write_file(s->srv_config, sshd_config);
@@ -727,9 +702,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
char ed25519_hostkey[1024] = {0}; char ed25519_hostkey[1024] = {0};
#ifdef HAVE_DSA
char dsa_hostkey[1024];
#endif /* HAVE_DSA */
char rsa_hostkey[1024]; char rsa_hostkey[1024];
char ecdsa_hostkey[1024]; char ecdsa_hostkey[1024];
char trusted_ca_pubkey[1024]; char trusted_ca_pubkey[1024];
@@ -748,9 +720,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"Port 22\n" "Port 22\n"
"ListenAddress 127.0.0.10\n" "ListenAddress 127.0.0.10\n"
"%s %s\n" /* ed25519 HostKey */ "%s %s\n" /* ed25519 HostKey */
#ifdef HAVE_DSA
"%s %s\n" /* DSA HostKey */
#endif /* HAVE_DSA */
"%s %s\n" /* RSA HostKey */ "%s %s\n" /* RSA HostKey */
"%s %s\n" /* ECDSA HostKey */ "%s %s\n" /* ECDSA HostKey */
"\n" "\n"
@@ -870,13 +839,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"%s/sshd/ssh_host_ed25519_key", "%s/sshd/ssh_host_ed25519_key",
s->socket_dir); s->socket_dir);
#ifdef HAVE_DSA
snprintf(dsa_hostkey,
sizeof(dsa_hostkey),
"%s/sshd/ssh_host_dsa_key",
s->socket_dir);
#endif /* HAVE_DSA */
snprintf(rsa_hostkey, snprintf(rsa_hostkey,
sizeof(rsa_hostkey), sizeof(rsa_hostkey),
"%s/sshd/ssh_host_rsa_key", "%s/sshd/ssh_host_rsa_key",
@@ -895,10 +857,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
if (!written) { if (!written) {
torture_write_file(ed25519_hostkey, torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
#ifdef HAVE_DSA
torture_write_file(dsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_DSS, 0));
#endif /* HAVE_DSA */
torture_write_file(rsa_hostkey, torture_write_file(rsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_get_testkey(SSH_KEYTYPE_RSA, 0));
torture_write_file(ecdsa_hostkey, torture_write_file(ecdsa_hostkey,
@@ -935,9 +893,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
snprintf(sshd_config, sizeof(sshd_config), snprintf(sshd_config, sizeof(sshd_config),
config_string, config_string,
"HostKey", ed25519_hostkey, "HostKey", ed25519_hostkey,
#ifdef HAVE_DSA
"HostKey", dsa_hostkey,
#endif /* HAVE_DSA */
"HostKey", rsa_hostkey, "HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey, "HostKey", ecdsa_hostkey,
trusted_ca_pubkey, trusted_ca_pubkey,

9
tests/unittests/CMakeLists.txt
View File

@@ -45,6 +45,7 @@ if (UNIX AND NOT WIN32)
torture_keyfiles torture_keyfiles
torture_pki torture_pki
torture_pki_rsa torture_pki_rsa
torture_pki_dsa
torture_pki_ed25519 torture_pki_ed25519
# requires /dev/null # requires /dev/null
torture_channel torture_channel
@@ -62,14 +63,6 @@ if (UNIX AND NOT WIN32)
endif() endif()
endif() endif()
if (HAVE_DSA)
set(LIBSSH_UNIT_TESTS
${LIBSSH_UNIT_TESTS}
torture_pki_dsa
)
endif()
if (WITH_PKCS11_URI) if (WITH_PKCS11_URI)
set(LIBSSH_UNIT_TESTS set(LIBSSH_UNIT_TESTS
${LIBSSH_UNIT_TESTS} ${LIBSSH_UNIT_TESTS}

7
tests/unittests/torture_bind_config.c
View File

@@ -54,9 +54,6 @@ extern LIBSSH_THREAD int ssh_log_level;
#define MACS "hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" #define MACS "hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
#define MACS2 "hmac-sha1" #define MACS2 "hmac-sha1"
#ifdef HAVE_DSA
#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa" #define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519" #define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -237,10 +234,6 @@ static int setup_config_files(void **state)
torture_write_file(LIBSSH_ECDSA_521_TESTKEY, torture_write_file(LIBSSH_ECDSA_521_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
#endif #endif
#ifdef HAVE_DSA
torture_write_file(LIBSSH_DSA_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0));
#endif
torture_write_file(LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS, torture_write_file(LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS,
LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS_STRING); LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS_STRING);

73
tests/unittests/torture_keyfiles.c
View File

@@ -7,9 +7,6 @@
#include "legacy.c" #include "legacy.c"
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa" #define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#ifdef HAVE_DSA
#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
#endif
static int setup_rsa_key(void **state) static int setup_rsa_key(void **state)
{ {
@@ -29,26 +26,6 @@ static int setup_rsa_key(void **state)
return 0; return 0;
} }
#ifdef HAVE_DSA
static int setup_dsa_key(void **state)
{
ssh_session session;
unlink(LIBSSH_DSA_TESTKEY);
unlink(LIBSSH_DSA_TESTKEY ".pub");
torture_write_file(LIBSSH_DSA_TESTKEY,
torture_get_testkey(SSH_KEYTYPE_DSS, 0));
torture_write_file(LIBSSH_DSA_TESTKEY ".pub",
torture_get_testkey_pub(SSH_KEYTYPE_DSS));
session = ssh_new();
*state = session;
return 0;
}
#endif
static int setup_both_keys(void **state) { static int setup_both_keys(void **state) {
int rc; int rc;
@@ -56,11 +33,6 @@ static int setup_both_keys(void **state) {
if (rc != 0) { if (rc != 0) {
return rc; return rc;
} }
#ifdef HAVE_DSA
ssh_free(*state);
rc = setup_dsa_key(state);
#endif
return rc; return rc;
} }
@@ -74,13 +46,6 @@ static int setup_both_keys_passphrase(void **state)
torture_write_file(LIBSSH_RSA_TESTKEY ".pub", torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
torture_get_testkey_pub(SSH_KEYTYPE_RSA)); torture_get_testkey_pub(SSH_KEYTYPE_RSA));
#ifdef HAVE_DSA
torture_write_file(LIBSSH_DSA_TESTKEY,
torture_get_testkey(SSH_KEYTYPE_DSS, 1));
torture_write_file(LIBSSH_DSA_TESTKEY ".pub",
torture_get_testkey_pub(SSH_KEYTYPE_DSS));
#endif
session = ssh_new(); session = ssh_new();
*state = session; *state = session;
@@ -89,10 +54,6 @@ static int setup_both_keys_passphrase(void **state)
static int teardown(void **state) static int teardown(void **state)
{ {
#ifdef HAVE_DSA
unlink(LIBSSH_DSA_TESTKEY);
unlink(LIBSSH_DSA_TESTKEY ".pub");
#endif
unlink(LIBSSH_RSA_TESTKEY); unlink(LIBSSH_RSA_TESTKEY);
unlink(LIBSSH_RSA_TESTKEY ".pub"); unlink(LIBSSH_RSA_TESTKEY ".pub");
@@ -235,15 +196,6 @@ static void torture_privatekey_from_file(void **state) {
key = NULL; key = NULL;
} }
#ifdef HAVE_DSA
key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, SSH_KEYTYPE_DSS, NULL);
assert_non_null(key);
if (key != NULL) {
privatekey_free(key);
key = NULL;
}
#endif
/* Test the automatic type discovery */ /* Test the automatic type discovery */
key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, NULL); key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, NULL);
assert_non_null(key); assert_non_null(key);
@@ -252,14 +204,6 @@ static void torture_privatekey_from_file(void **state) {
key = NULL; key = NULL;
} }
#ifdef HAVE_DSA
key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, 0, NULL);
assert_non_null(key);
if (key != NULL) {
privatekey_free(key);
key = NULL;
}
#endif
} }
/** /**
@@ -276,15 +220,6 @@ static void torture_privatekey_from_file_passphrase(void **state) {
key = NULL; key = NULL;
} }
#ifdef HAVE_DSA
key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, SSH_KEYTYPE_DSS, TORTURE_TESTKEY_PASSWORD);
assert_non_null(key);
if (key != NULL) {
privatekey_free(key);
key = NULL;
}
#endif
/* Test the automatic type discovery */ /* Test the automatic type discovery */
key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, TORTURE_TESTKEY_PASSWORD); key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, TORTURE_TESTKEY_PASSWORD);
assert_non_null(key); assert_non_null(key);
@@ -293,14 +228,6 @@ static void torture_privatekey_from_file_passphrase(void **state) {
key = NULL; key = NULL;
} }
#ifdef HAVE_DSA
key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, 0, TORTURE_TESTKEY_PASSWORD);
assert_non_null(key);
if (key != NULL) {
privatekey_free(key);
key = NULL;
}
#endif
} }
int torture_run_tests(void) { int torture_run_tests(void) {

65
tests/unittests/torture_options.c
View File

@@ -18,9 +18,6 @@
#include <libssh/bind.h> #include <libssh/bind.h>
#define LIBSSH_CUSTOM_BIND_CONFIG_FILE "my_bind_config" #define LIBSSH_CUSTOM_BIND_CONFIG_FILE "my_bind_config"
#endif #endif
#ifdef HAVE_DSA
#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa" #define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519" #define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -958,8 +955,6 @@ static void torture_options_getopt(void **state)
"-vv", "-v", "-r", "-c", "aes128-ctr", "-vv", "-v", "-r", "-c", "aes128-ctr",
"-i", "id_rsa", "-C", "-2", "-1", NULL}; "-i", "id_rsa", "-C", "-2", "-1", NULL};
int argc = sizeof(argv)/sizeof(char *) - 1; int argc = sizeof(argv)/sizeof(char *) - 1;
const char *argv_invalid[] = {EXECUTABLE_NAME, "-r", "-d", NULL};
previous_level = ssh_get_log_level(); previous_level = ssh_get_log_level();
/* Test with all the supported options */ /* Test with all the supported options */
@@ -1049,17 +1044,6 @@ static void torture_options_getopt(void **state)
assert_string_equal(argv[4], "hmac-sha1"); assert_string_equal(argv[4], "hmac-sha1");
assert_string_equal(argv[5], "example.com"); assert_string_equal(argv[5], "example.com");
/* Invalid configuration combination -d and -r (for some reason?) */
argc = 3;
rc = ssh_options_getopt(session, &argc, (char **)argv_invalid);
assert_ssh_return_code_equal(session, rc, SSH_ERROR);
assert_int_equal(argc, 3);
assert_string_equal(argv_invalid[0], EXECUTABLE_NAME);
assert_string_equal(argv_invalid[1], "-r");
assert_string_equal(argv_invalid[2], "-d");
/* Corner case: only one argument */ /* Corner case: only one argument */
argv[1] = "-C"; argv[1] = "-C";
argv[2] = NULL; argv[2] = NULL;
@@ -1541,10 +1525,6 @@ static int ssh_bind_setup_files(void **state)
#ifdef HAVE_ECC #ifdef HAVE_ECC
torture_write_file(LIBSSH_ECDSA_521_TESTKEY, torture_write_file(LIBSSH_ECDSA_521_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
#endif
#ifdef HAVE_DSA
torture_write_file(LIBSSH_DSA_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0));
#endif #endif
torture_write_file(LIBSSH_CUSTOM_BIND_CONFIG_FILE, torture_write_file(LIBSSH_CUSTOM_BIND_CONFIG_FILE,
"Port 42\n"); "Port 42\n");
@@ -1627,16 +1607,6 @@ static void torture_bind_options_import_key(void **state)
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key); rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
#ifdef HAVE_DSA
/* set dsa key */
base64_key = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key);
assert_int_equal(rc, SSH_OK);
assert_non_null(key);
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
assert_int_equal(rc, 0);
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
/* set ecdsa key */ /* set ecdsa key */
base64_key = torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0); base64_key = torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0);
@@ -1686,15 +1656,6 @@ static void torture_bind_options_hostkey(void **state)
assert_non_null(bind->ecdsakey); assert_non_null(bind->ecdsakey);
assert_string_equal(bind->ecdsakey, LIBSSH_ECDSA_521_TESTKEY); assert_string_equal(bind->ecdsakey, LIBSSH_ECDSA_521_TESTKEY);
#endif #endif
#ifdef HAVE_DSA
/* Test DSA key */
rc = ssh_bind_options_set(bind,
SSH_BIND_OPTIONS_HOSTKEY,
LIBSSH_DSA_TESTKEY);
assert_int_equal(rc, 0);
assert_non_null(bind->dsakey);
assert_string_equal(bind->dsakey, LIBSSH_DSA_TESTKEY);
#endif
} }
static void torture_bind_options_bindaddr(void **state) static void torture_bind_options_bindaddr(void **state)
@@ -1803,28 +1764,6 @@ static void torture_bind_options_log_verbosity_str(void **state)
assert_int_equal(rc, SSH_OK); assert_int_equal(rc, SSH_OK);
} }
#ifdef HAVE_DSA
static void torture_bind_options_dsakey(void **state)
{
struct bind_st *test_state;
ssh_bind bind;
int rc;
assert_non_null(state);
test_state = *((struct bind_st **)state);
assert_non_null(test_state);
assert_non_null(test_state->bind);
bind = test_state->bind;
rc = ssh_bind_options_set(bind,
SSH_BIND_OPTIONS_DSAKEY,
LIBSSH_DSA_TESTKEY);
assert_int_equal(rc, 0);
assert_non_null(bind->dsakey);
assert_string_equal(bind->dsakey, LIBSSH_DSA_TESTKEY);
}
#endif
static void torture_bind_options_rsakey(void **state) static void torture_bind_options_rsakey(void **state)
{ {
struct bind_st *test_state; struct bind_st *test_state;
@@ -2315,10 +2254,6 @@ int torture_run_tests(void) {
sshbind_setup, sshbind_teardown), sshbind_setup, sshbind_teardown),
cmocka_unit_test_setup_teardown(torture_bind_options_log_verbosity_str, cmocka_unit_test_setup_teardown(torture_bind_options_log_verbosity_str,
sshbind_setup, sshbind_teardown), sshbind_setup, sshbind_teardown),
#ifdef HAVE_DSA
cmocka_unit_test_setup_teardown(torture_bind_options_dsakey,
sshbind_setup, sshbind_teardown),
#endif
cmocka_unit_test_setup_teardown(torture_bind_options_rsakey, cmocka_unit_test_setup_teardown(torture_bind_options_rsakey,
sshbind_setup, sshbind_teardown), sshbind_setup, sshbind_teardown),
#ifdef HAVE_ECC #ifdef HAVE_ECC

32
tests/unittests/torture_pki.c
View File

@@ -125,15 +125,7 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA384 */ {0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA512 */ {0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA512 */
}, },
#ifdef HAVE_DSA /* Cannot remove this as it will break the array indexing used */
{
{1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, AUTO */
{1, 1, "ssh-dss", 1024, 20, "ssh-dss", 1}, /* DSS, SHA1 */
{1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA256 */
{1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA384 */
{1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA512 */
},
#else
{ {
{0, 0, "", 0, 0, "", 0}, /* DSS, AUTO */ {0, 0, "", 0, 0, "", 0}, /* DSS, AUTO */
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA1 */ {0, 0, "", 0, 0, "", 0}, /* DSS, SHA1 */
@@ -141,7 +133,6 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA384 */ {0, 0, "", 0, 0, "", 0}, /* DSS, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA512 */ {0, 0, "", 0, 0, "", 0}, /* DSS, SHA512 */
}, },
#endif /* HAVE_DSA */
{ {
{1, 1, "ssh-rsa", 2048, 0, "", 0}, /* RSA, AUTO */ {1, 1, "ssh-rsa", 2048, 0, "", 0}, /* RSA, AUTO */
{1, 1, "ssh-rsa", 2048, 20, "ssh-rsa", 1}, /* RSA, SHA1 */ {1, 1, "ssh-rsa", 2048, 20, "ssh-rsa", 1}, /* RSA, SHA1 */
@@ -170,15 +161,6 @@ struct key_attrs key_attrs_list[][5] = {
{1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA384 */ {1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA384 */
{1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA512 */ {1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA512 */
}, },
#ifdef HAVE_DSA
{
{0, 1, "", 0, 0, "", 0}, /* DSS CERT, AUTO */
{0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA1 */
{0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA256 */
{0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA384 */
{0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA512 */
},
#else
{ {
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, AUTO */ {0, 0, "", 0, 0, "", 0}, /* DSS CERT, AUTO */
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA1 */ {0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA1 */
@@ -186,7 +168,6 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA384 */ {0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA512 */ {0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA512 */
}, },
#endif /* HAVE_DSA */
{ {
{0, 1, "", 0, 0, "", 0}, /* RSA CERT, AUTO */ {0, 1, "", 0, 0, "", 0}, /* RSA CERT, AUTO */
{0, 1, "", 0, 0, "", 0}, /* RSA CERT, SHA1 */ {0, 1, "", 0, 0, "", 0}, /* RSA CERT, SHA1 */
@@ -266,7 +247,7 @@ static void torture_pki_verify_mismatch(void **state)
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity); ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
for (sig_type = SSH_KEYTYPE_DSS; for (sig_type = SSH_KEYTYPE_RSA;
sig_type <= SSH_KEYTYPE_ED25519_CERT01; sig_type <= SSH_KEYTYPE_ED25519_CERT01;
sig_type++) sig_type++)
{ {
@@ -275,8 +256,7 @@ static void torture_pki_verify_mismatch(void **state)
hash++) hash++)
{ {
if (ssh_fips_mode()) { if (ssh_fips_mode()) {
if (sig_type == SSH_KEYTYPE_DSS || if (sig_type == SSH_KEYTYPE_ED25519 ||
sig_type == SSH_KEYTYPE_ED25519 ||
hash == SSH_DIGEST_SHA1) hash == SSH_DIGEST_SHA1)
{ {
/* In FIPS mode, skip unsupported algorithms */ /* In FIPS mode, skip unsupported algorithms */
@@ -341,13 +321,12 @@ static void torture_pki_verify_mismatch(void **state)
input_length); input_length);
assert_true(rc == SSH_OK); assert_true(rc == SSH_OK);
for (key_type = SSH_KEYTYPE_DSS; for (key_type = SSH_KEYTYPE_RSA;
key_type <= SSH_KEYTYPE_ED25519_CERT01; key_type <= SSH_KEYTYPE_ED25519_CERT01;
key_type++) key_type++)
{ {
if (ssh_fips_mode()) { if (ssh_fips_mode()) {
if (key_type == SSH_KEYTYPE_DSS || if (key_type == SSH_KEYTYPE_ED25519)
key_type == SSH_KEYTYPE_ED25519)
{ {
/* In FIPS mode, skip unsupported algorithms */ /* In FIPS mode, skip unsupported algorithms */
continue; continue;
@@ -428,7 +407,6 @@ static void torture_pki_verify_mismatch(void **state)
key = NULL; key = NULL;
} }
} }
ssh_free(session); ssh_free(session);
} }

764
tests/unittests/torture_pki_dsa.c
View File

@@ -129,10 +129,8 @@ static void torture_pki_dsa_import_pubkey_file(void **state)
/* The key doesn't have the hostname as comment after the key */ /* The key doesn't have the hostname as comment after the key */
rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY ".pub", &pubkey); rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY ".pub", &pubkey);
assert_return_code(rc, errno); assert_int_equal(rc, SSH_ERROR);
assert_non_null(pubkey); assert_null(pubkey);
SSH_KEY_FREE(pubkey);
} }
static void torture_pki_dsa_import_pubkey_from_openssh_privkey(void **state) static void torture_pki_dsa_import_pubkey_from_openssh_privkey(void **state)
@@ -144,10 +142,8 @@ static void torture_pki_dsa_import_pubkey_from_openssh_privkey(void **state)
/* The key doesn't have the hostname as comment after the key */ /* The key doesn't have the hostname as comment after the key */
rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE, &pubkey); rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE, &pubkey);
assert_return_code(rc, errno); assert_int_equal(rc, SSH_ERROR);
assert_non_null(pubkey); assert_null(pubkey);
SSH_KEY_FREE(pubkey);
} }
static void torture_pki_dsa_import_privkey_base64(void **state) static void torture_pki_dsa_import_privkey_base64(void **state)
@@ -163,102 +159,11 @@ static void torture_pki_dsa_import_privkey_base64(void **state)
NULL, NULL,
NULL, NULL,
&key); &key);
assert_true(rc == 0); assert_int_equal(rc, SSH_ERROR);
assert_null(key);
SSH_KEY_FREE(key);
} }
static void torture_pki_dsa_import_privkey_base64_comment(void **state) static void torture_pki_generate_dsa(void **state)
{
int rc, file_str_len;
ssh_key key = NULL;
const char *passphrase = torture_get_testkey_passphrase();
const char *comment_str = "#this is line-comment\n#this is another\n";
const char *key_str = NULL;
char *file_str = NULL;
(void) state; /* unused */
key_str = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
assert_non_null(key_str);
file_str_len = strlen(comment_str) + strlen(key_str) + 1;
file_str = malloc(file_str_len);
assert_non_null(file_str);
rc = snprintf(file_str, file_str_len, "%s%s", comment_str, key_str);
assert_int_equal(rc, file_str_len - 1);
rc = ssh_pki_import_privkey_base64(file_str,
passphrase,
NULL,
NULL,
&key);
assert_true(rc == 0);
free(file_str);
SSH_KEY_FREE(key);
}
static void torture_pki_dsa_import_privkey_base64_whitespace(void **state)
{
int rc, file_str_len;
ssh_key key = NULL;
const char *passphrase = torture_get_testkey_passphrase();
const char *whitespace_str = " \n\t\t\t\t\t\n\n\n\n\n";
const char *key_str = NULL;
char *file_str = NULL;
(void) state; /* unused */
key_str = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
assert_non_null(key_str);
file_str_len = strlen(whitespace_str) + strlen(key_str) + 1;
file_str = malloc(file_str_len);
assert_non_null(file_str);
rc = snprintf(file_str, file_str_len, "%s%s", whitespace_str, key_str);
assert_int_equal(rc, file_str_len - 1);
rc = ssh_pki_import_privkey_base64(file_str,
passphrase,
NULL,
NULL,
&key);
assert_true(rc == 0);
free(file_str);
SSH_KEY_FREE(key);
}
static int test_sign_verify_data(ssh_key key,
enum ssh_digest_e hash_type,
const unsigned char *input,
size_t input_len)
{
ssh_signature sig;
ssh_key pubkey = NULL;
int rc;
/* Get the public key to verify signature */
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_int_equal(rc, SSH_OK);
assert_non_null(pubkey);
/* Sign the buffer */
sig = pki_sign_data(key, hash_type, input, input_len);
assert_non_null(sig);
/* Verify signature */
rc = pki_verify_data_signature(sig, pubkey, input, input_len);
assert_int_equal(rc, SSH_OK);
ssh_signature_free(sig);
SSH_KEY_FREE(pubkey);
return rc;
}
static void torture_pki_sign_data_dsa(void **state)
{ {
int rc; int rc;
ssh_key key = NULL; ssh_key key = NULL;
@@ -267,619 +172,20 @@ static void torture_pki_sign_data_dsa(void **state)
/* Setup */ /* Setup */
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key); rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
assert_int_equal(rc, SSH_OK); assert_int_equal(rc, SSH_ERROR);
assert_non_null(key);
/* Test using SHA1 */
rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
assert_int_equal(rc, SSH_OK);
/* Cleanup */
SSH_KEY_FREE(key);
}
static void torture_pki_fail_sign_with_incompatible_hash(void **state)
{
int rc;
ssh_key key = NULL;
ssh_key pubkey = NULL;
ssh_signature sig, bad_sig;
(void) state;
/* Setup */
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
assert_int_equal(rc, SSH_OK);
assert_non_null(key);
/* Get the public key to verify signature */
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_int_equal(rc, SSH_OK);
assert_non_null(pubkey);
/* Sign the buffer */
sig = pki_sign_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
assert_non_null(sig);
/* Verify signature */
rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
assert_int_equal(rc, SSH_OK);
/* Test if signature fails with SSH_DIGEST_AUTO */
bad_sig = pki_sign_data(key, SSH_DIGEST_AUTO, INPUT, sizeof(INPUT));
assert_null(bad_sig);
/* Test if verification fails with SSH_DIGEST_AUTO */
sig->hash_type = SSH_DIGEST_AUTO;
rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
assert_int_not_equal(rc, SSH_OK);
/* Test if signature fails with SSH_DIGEST_SHA256 */
bad_sig = pki_sign_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
assert_null(bad_sig);
/* Test if verification fails with SSH_DIGEST_SHA256 */
sig->hash_type = SSH_DIGEST_SHA256;
rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
assert_int_not_equal(rc, SSH_OK);
/* Test if signature fails with SSH_DIGEST_SHA384 */
bad_sig = pki_sign_data(key, SSH_DIGEST_SHA384, INPUT, sizeof(INPUT));
assert_null(bad_sig);
/* Test if verification fails with SSH_DIGEST_SHA384 */
sig->hash_type = SSH_DIGEST_SHA384;
rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
assert_int_not_equal(rc, SSH_OK);
/* Test if signature fails with SSH_DIGEST_SHA512 */
bad_sig = pki_sign_data(key, SSH_DIGEST_SHA512, INPUT, sizeof(INPUT));
assert_null(bad_sig);
/* Test if verification fails with SSH_DIGEST_SHA512 */
sig->hash_type = SSH_DIGEST_SHA512;
rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
assert_int_not_equal(rc, SSH_OK);
/* Cleanup */
ssh_signature_free(sig);
SSH_KEY_FREE(pubkey);
SSH_KEY_FREE(key);
}
#ifdef HAVE_LIBCRYPTO
static void torture_pki_dsa_write_privkey(void **state)
{
ssh_key origkey = NULL;
ssh_key privkey = NULL;
int rc;
(void) state; /* unused */
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
NULL,
NULL,
NULL,
&origkey);
assert_true(rc == 0);
assert_non_null(origkey);
unlink(LIBSSH_DSA_TESTKEY);
rc = ssh_pki_export_privkey_file(origkey,
NULL,
NULL,
NULL,
LIBSSH_DSA_TESTKEY);
assert_true(rc == 0);
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
NULL,
NULL,
NULL,
&privkey);
assert_true(rc == 0);
assert_non_null(privkey);
rc = ssh_key_cmp(origkey, privkey, SSH_KEY_CMP_PRIVATE);
assert_true(rc == 0);
SSH_KEY_FREE(origkey);
SSH_KEY_FREE(privkey);
/* Test with passphrase */
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
torture_get_testkey_passphrase(),
NULL,
NULL,
&origkey);
assert_true(rc == 0);
assert_non_null(origkey);
unlink(LIBSSH_DSA_TESTKEY_PASSPHRASE);
rc = ssh_pki_export_privkey_file(origkey,
torture_get_testkey_passphrase(),
NULL,
NULL,
LIBSSH_DSA_TESTKEY_PASSPHRASE);
assert_true(rc == 0);
/* Test with invalid passphrase */
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
"invalid secret",
NULL,
NULL,
&privkey);
assert_true(rc == SSH_ERROR);
assert_null(privkey);
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
torture_get_testkey_passphrase(),
NULL,
NULL,
&privkey);
assert_true(rc == 0);
assert_non_null(privkey);
rc = ssh_key_cmp(origkey, privkey, SSH_KEY_CMP_PRIVATE);
assert_true(rc == 0);
SSH_KEY_FREE(origkey);
SSH_KEY_FREE(privkey);
}
#endif
static void torture_pki_dsa_import_privkey_base64_passphrase(void **state)
{
int rc;
ssh_key key = NULL;
const char *passphrase = torture_get_testkey_passphrase();
(void) state; /* unused */
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
passphrase,
NULL,
NULL,
&key);
assert_return_code(rc, errno);
assert_non_null(key);
rc = ssh_key_is_private(key);
assert_true(rc == 1);
SSH_KEY_FREE(key);
/* test if it returns -1 if passphrase is wrong */
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
"wrong passphrase !!",
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key); assert_null(key);
/* test if it returns -1 if passphrase is NULL */
/* libcrypto asks for a passphrase, so skip this test */
#ifndef HAVE_LIBCRYPTO
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
NULL,
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
#endif
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
passphrase,
NULL,
NULL,
&key);
assert_return_code(rc, errno);
assert_non_null(key);
rc = ssh_key_is_private(key);
assert_true(rc == 1);
SSH_KEY_FREE(key);
/* test if it returns -1 if passphrase is wrong */
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
"wrong passphrase !!",
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
/* This free in unnecessary, but the static analyser does not know */
SSH_KEY_FREE(key);
#ifndef HAVE_LIBCRYPTO
/* test if it returns -1 if passphrase is NULL */
/* libcrypto asks for a passphrase, so skip this test */
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
NULL,
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
/* This free in unnecessary, but the static analyser does not know */
SSH_KEY_FREE(key);
#endif /* HAVE_LIBCRYPTO */
}
static void
torture_pki_dsa_import_openssh_privkey_base64_passphrase(void **state)
{
int rc;
ssh_key key = NULL;
const char *passphrase = torture_get_testkey_passphrase();
const char *keystring = NULL;
(void) state; /* unused */
keystring = torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 1);
assert_non_null(keystring);
rc = ssh_pki_import_privkey_base64(keystring,
passphrase,
NULL,
NULL,
&key);
assert_return_code(rc, errno);
assert_non_null(key);
rc = ssh_key_is_private(key);
assert_true(rc == 1);
SSH_KEY_FREE(key);
/* test if it returns -1 if passphrase is wrong */
rc = ssh_pki_import_privkey_base64(keystring,
"wrong passphrase !!",
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
/* test if it returns -1 if passphrase is NULL */
rc = ssh_pki_import_privkey_base64(keystring,
NULL,
NULL,
NULL,
&key);
assert_true(rc == -1);
rc = ssh_pki_import_privkey_base64(keystring,
passphrase,
NULL,
NULL,
&key);
assert_return_code(rc, errno);
assert_non_null(key);
rc = ssh_key_is_private(key);
assert_true(rc == 1);
SSH_KEY_FREE(key);
/* test if it returns -1 if passphrase is wrong */
rc = ssh_pki_import_privkey_base64(keystring,
"wrong passphrase !!",
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
/* This free is unnecessary, but the static analyser does not know */
SSH_KEY_FREE(key);
/* test if it returns -1 if passphrase is NULL */
rc = ssh_pki_import_privkey_base64(keystring,
NULL,
NULL,
NULL,
&key);
assert_true(rc == -1);
assert_null(key);
/* This free is unnecessary, but the static analyser does not know */
SSH_KEY_FREE(key);
}
static void torture_pki_dsa_publickey_from_privatekey(void **state)
{
int rc;
ssh_key key = NULL;
ssh_key pubkey = NULL;
const char *passphrase = NULL;
(void) state; /* unused */
rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0),
passphrase,
NULL,
NULL,
&key);
assert_true(rc == 0);
assert_non_null(key);
rc = ssh_key_is_private(key);
assert_true(rc == 1);
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_true(rc == SSH_OK);
assert_non_null(pubkey);
SSH_KEY_FREE(key);
SSH_KEY_FREE(pubkey);
} }
static void torture_pki_dsa_import_cert_file(void **state) static void torture_pki_dsa_import_cert_file(void **state)
{ {
int rc; int rc;
ssh_key cert = NULL; ssh_key cert = NULL;
enum ssh_keytypes_e type;
(void) state; /* unused */ (void) state; /* unused */
rc = ssh_pki_import_cert_file(LIBSSH_DSA_TESTKEY "-cert.pub", &cert); rc = ssh_pki_import_cert_file(LIBSSH_DSA_TESTKEY "-cert.pub", &cert);
assert_true(rc == 0); assert_int_equal(rc, SSH_ERROR);
assert_non_null(cert); assert_null(cert);
type = ssh_key_type(cert);
assert_true(type == SSH_KEYTYPE_DSS_CERT01);
rc = ssh_key_is_public(cert);
assert_true(rc == 1);
SSH_KEY_FREE(cert);
}
static void torture_pki_dsa_publickey_base64(void **state)
{
enum ssh_keytypes_e type;
char *b64_key = NULL, *key_buf = NULL, *p = NULL;
const char *str = NULL;
ssh_key key = NULL;
size_t keylen;
size_t i;
int rc;
(void) state; /* unused */
key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_DSS));
assert_non_null(key_buf);
keylen = strlen(key_buf);
str = p = key_buf;
for (i = 0; i < keylen; i++) {
if (isspace((int)p[i])) {
p[i] = '\0';
break;
}
}
type = ssh_key_type_from_name(str);
assert_true(type == SSH_KEYTYPE_DSS);
str = &p[i + 1];
for (; i < keylen; i++) {
if (isspace((int)p[i])) {
p[i] = '\0';
break;
}
}
rc = ssh_pki_import_pubkey_base64(str, type, &key);
assert_true(rc == 0);
assert_non_null(key);
rc = ssh_pki_export_pubkey_base64(key, &b64_key);
assert_true(rc == 0);
assert_non_null(b64_key);
assert_string_equal(str, b64_key);
free(b64_key);
free(key_buf);
SSH_KEY_FREE(key);
}
static void torture_pki_dsa_generate_pubkey_from_privkey(void **state)
{
char pubkey_generated[4096] = {0};
ssh_key privkey = NULL;
ssh_key pubkey = NULL;
int len;
int rc;
(void) state; /* unused */
/* remove the public key, generate it from the private key and write it. */
unlink(LIBSSH_DSA_TESTKEY ".pub");
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
NULL,
NULL,
NULL,
&privkey);
assert_true(rc == 0);
assert_non_null(privkey);
rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey);
assert_true(rc == SSH_OK);
assert_non_null(pubkey);
rc = ssh_pki_export_pubkey_file(pubkey, LIBSSH_DSA_TESTKEY ".pub");
assert_true(rc == 0);
rc = torture_read_one_line(LIBSSH_DSA_TESTKEY ".pub",
pubkey_generated,
sizeof(pubkey_generated));
assert_true(rc == 0);
len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_DSS));
assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_DSS),
pubkey_generated,
len);
SSH_KEY_FREE(privkey);
SSH_KEY_FREE(pubkey);
}
static void torture_pki_dsa_duplicate_key(void **state)
{
int rc;
char *b64_key = NULL;
char *b64_key_gen = NULL;
ssh_key pubkey = NULL;
ssh_key pubkey_dup = NULL;
ssh_key privkey = NULL;
ssh_key privkey_dup = NULL;
(void) state;
rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY ".pub", &pubkey);
assert_true(rc == 0);
assert_non_null(pubkey);
rc = ssh_pki_export_pubkey_base64(pubkey, &b64_key);
assert_true(rc == 0);
assert_non_null(b64_key);
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
NULL,
NULL,
NULL,
&privkey);
assert_true(rc == 0);
assert_non_null(privkey);
privkey_dup = ssh_key_dup(privkey);
assert_non_null(privkey_dup);
rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey_dup);
assert_true(rc == SSH_OK);
assert_non_null(pubkey_dup);
rc = ssh_pki_export_pubkey_base64(pubkey_dup, &b64_key_gen);
assert_true(rc == 0);
assert_non_null(b64_key_gen);
assert_string_equal(b64_key, b64_key_gen);
rc = ssh_key_cmp(privkey, privkey_dup, SSH_KEY_CMP_PRIVATE);
assert_true(rc == 0);
rc = ssh_key_cmp(pubkey, pubkey_dup, SSH_KEY_CMP_PUBLIC);
assert_true(rc == 0);
SSH_KEY_FREE(pubkey);
SSH_KEY_FREE(pubkey_dup);
SSH_KEY_FREE(privkey);
SSH_KEY_FREE(privkey_dup);
SSH_STRING_FREE_CHAR(b64_key);
SSH_STRING_FREE_CHAR(b64_key_gen);
}
static void torture_pki_dsa_generate_key(void **state)
{
int rc;
ssh_key key = NULL, pubkey = NULL;
ssh_signature sign = NULL;
ssh_session session=ssh_new();
(void) state;
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 1024, &key);
assert_true(rc == SSH_OK);
assert_non_null(key);
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_int_equal(rc, SSH_OK);
assert_non_null(pubkey);
sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
assert_non_null(sign);
rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
assert_true(rc == SSH_OK);
ssh_signature_free(sign);
SSH_KEY_FREE(key);
SSH_KEY_FREE(pubkey);
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
assert_true(rc == SSH_OK);
assert_non_null(key);
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_int_equal(rc, SSH_OK);
assert_non_null(pubkey);
sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
assert_non_null(sign);
rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
assert_true(rc == SSH_OK);
ssh_signature_free(sign);
SSH_KEY_FREE(key);
SSH_KEY_FREE(pubkey);
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 3072, &key);
assert_true(rc == SSH_OK);
assert_non_null(key);
rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
assert_int_equal(rc, SSH_OK);
assert_non_null(pubkey);
sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
assert_non_null(sign);
rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
assert_true(rc == SSH_OK);
ssh_signature_free(sign);
SSH_KEY_FREE(key);
SSH_KEY_FREE(pubkey);
ssh_free(session);
}
static void torture_pki_dsa_cert_verify(void **state)
{
int rc;
ssh_key privkey = NULL, cert = NULL;
ssh_signature sign = NULL;
ssh_session session=ssh_new();
(void) state;
rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
NULL,
NULL,
NULL,
&privkey);
assert_true(rc == 0);
assert_non_null(privkey);
rc = ssh_pki_import_cert_file(LIBSSH_DSA_TESTKEY "-cert.pub", &cert);
assert_true(rc == 0);
assert_non_null(cert);
sign = pki_do_sign(privkey, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
assert_non_null(sign);
rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
assert_true(rc == SSH_OK);
ssh_signature_free(sign);
SSH_KEY_FREE(privkey);
SSH_KEY_FREE(cert);
ssh_free(session);
}
static void torture_pki_dsa_skip(UNUSED_PARAM(void **state))
{
skip();
} }
int torture_run_tests(void) int torture_run_tests(void)
@@ -895,60 +201,20 @@ int torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64, cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64,
setup_dsa_key, setup_dsa_key,
teardown), teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64_comment,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64_whitespace,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64, cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64,
setup_openssh_dsa_key, setup_openssh_dsa_key,
teardown), teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_publickey_from_privatekey,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_cert_file, cmocka_unit_test_setup_teardown(torture_pki_dsa_import_cert_file,
setup_dsa_key, setup_dsa_key,
teardown), teardown),
#ifdef HAVE_LIBCRYPTO cmocka_unit_test_setup_teardown(torture_pki_generate_dsa,
cmocka_unit_test_setup_teardown(torture_pki_dsa_write_privkey, setup_dsa_key,
setup_dsa_key, teardown),
teardown),
#endif
cmocka_unit_test(torture_pki_sign_data_dsa),
cmocka_unit_test(torture_pki_fail_sign_with_incompatible_hash),
cmocka_unit_test(torture_pki_dsa_import_privkey_base64_passphrase),
cmocka_unit_test(torture_pki_dsa_import_openssh_privkey_base64_passphrase),
/* public key */
cmocka_unit_test_setup_teardown(torture_pki_dsa_publickey_base64,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_generate_pubkey_from_privkey,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_duplicate_key,
setup_dsa_key,
teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_duplicate_key,
setup_dsa_key,
teardown),
cmocka_unit_test(torture_pki_dsa_generate_key),
cmocka_unit_test_setup_teardown(torture_pki_dsa_cert_verify,
setup_dsa_key,
teardown),
};
struct CMUnitTest skip_tests[] = {
cmocka_unit_test(torture_pki_dsa_skip)
}; };
ssh_init(); ssh_init();
if (ssh_fips_mode()) { torture_filter_tests(tests);
rc = cmocka_run_group_tests(skip_tests, NULL, NULL); rc = cmocka_run_group_tests(tests, NULL, NULL);
} else {
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests, NULL, NULL);
}
ssh_finalize(); ssh_finalize();
return rc; return rc;
} }