lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-07-31 00:03:07 +03:00
Code Activity

Add support for sk-keys through configuration

Browse Source 
To be able to enable sk-ecdsa, sk-edd25519 key usage from the config file
the algorithms are needed to be listed in the algorithm lists.

Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit 96ad1b380d)
This commit is contained in:
Norbert Pocs
2023-01-03 15:10:55 +01:00
committed by Andreas Schneider
parent 253658dce8
commit d190053660
3 changed files with 25 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/kex.c
View File

@ -101,12 +101,19 @@
#ifdef HAVE_ECDH
#define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
"ecdsa-sha2-nistp384," \
"ecdsa-sha2-nistp256,"
#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
#else
#define EC_HOSTKEYS ""
#define EC_SK_HOSTKEYS ""
#define EC_FIPS_PUBLIC_KEY_ALGOS ""
#define EC_PUBLIC_KEY_ALGORITHMS ""
#define ECDH ""
#endif /* HAVE_ECDH */
@ -127,16 +134,21 @@
#define HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \
"sk-ssh-ed25519@openssh.com," \
EC_SK_HOSTKEYS \
"rsa-sha2-512," \
"rsa-sha2-256," \
"ssh-rsa" \
DSA_HOSTKEYS
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \
"sk-ssh-ed25519@openssh.com," \
EC_SK_HOSTKEYS \
"rsa-sha2-512," \
"rsa-sha2-256"
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
"sk-ssh-ed25519-cert-v01@openssh.com," \
EC_PUBLIC_KEY_ALGORITHMS \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
@ -186,7 +198,7 @@
"rsa-sha2-512," \
"rsa-sha2-256"
#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
FIPS_ALLOWED_HOSTKEYS

4
src/knownhosts.c
View File

@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
case SSH_KEYTYPE_ED25519:
return "ssh-ed25519";
case SSH_KEYTYPE_SK_ED25519:
return "sk-ssh-ed25519@openssh.com";
#ifdef HAVE_DSA
case SSH_KEYTYPE_DSS:
return "ssh-dss";
@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
return "ecdsa-sha2-nistp384";
case SSH_KEYTYPE_ECDSA_P521:
return "ecdsa-sha2-nistp521";
case SSH_KEYTYPE_SK_ECDSA:
return "sk-ecdsa-sha2-nistp256@openssh.com";
#else
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:

8
tests/unittests/torture_knownhosts_parsing.c
View File

@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
bool process_config = false;
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
"ecdsa-sha2-nistp256";
"ecdsa-sha2-nistp256,"
"sk-ssh-ed25519@openssh.com,"
"sk-ecdsa-sha2-nistp256@openssh.com";
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
bool process_config = false;
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
"ecdsa-sha2-nistp256";
"ecdsa-sha2-nistp256,"
"sk-ssh-ed25519@openssh.com,"
"sk-ecdsa-sha2-nistp256@openssh.com";
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";