Add support for ECDSA keys and host keys (#41)

This commit lands full ECDSA key support when using the OpenSSL backend. Which includes: New KEX methods: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 Can now read OpenSSL formatted ECDSA key files. Now supports known host keys of type ecdsa-sha2-nistp256. New curve types: NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1 Default host key preferred ordering is now nistp256, nistp384, nistp521, rsa, dss. Ref: https://github.com/libssh2/libssh2/issues/41 Closes https://github.com/libssh2/libssh2/pull/206
2025-08-01 11:26:53 +03:00 · 2017-08-31 14:57:40 -07:00
parent bcd492163b
commit aba34f5f56
13 changed files with 2087 additions and 110 deletions
--- a/tests/test_hostkey_hash.c
+++ b/tests/test_hostkey_hash.c
@ -5,7 +5,7 @@

 #include <stdio.h>

-const char *EXPECTED_HOSTKEY =
+const char *EXPECTED_RSA_HOSTKEY =
    "AAAAB3NzaC1yc2EAAAABIwAAAQEArrr/JuJmaZligyfS8vcNur+mWR2ddDQtVdhHzdKU"
    "UoR6/Om6cvxpe61H1YZO1xCpLUBXmkki4HoNtYOpPB2W4V+8U4BDeVBD5crypEOE1+7B"
    "Am99fnEDxYIOZq2/jTP0yQmzCpWYS3COyFmkOL7sfX1wQMeW5zQT2WKcxC6FSWbhDqrB"
@ -13,13 +13,27 @@ const char *EXPECTED_HOSTKEY =
    "i6ELfP3r+q6wdu0P4jWaoo3De1aYxnToV/ldXykpipON4NPamsb6Ph2qlJQKypq7J4iQ"
    "gkIIbCU1A31+4ExvcIVoxLQw/aTSbw==";

-const char *EXPECTED_MD5_HASH_DIGEST = "0C0ED1A5BB10275F76924CE187CE5C5E";
+const char *EXPECTED_ECDSA_HOSTKEY =
+    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+/syyeKJD9dC2ZH"
+    "9Q7iJGReR4YM3rUCMsSynkyXojdfSClGCMY7JvWlt30ESjYvxoTfSRGx6WvaqYK/vPoYQ4=";

-const char *EXPECTED_SHA1_HASH_DIGEST =
+const char *EXPECTED_RSA_MD5_HASH_DIGEST = "0C0ED1A5BB10275F76924CE187CE5C5E";
+
+const char *EXPECTED_RSA_SHA1_HASH_DIGEST =
    "F3CD59E2913F4422B80F7B0A82B2B89EAE449387";

+const char *EXPECTED_RSA_SHA256_HASH_DIGEST = "92E3DA49DF3C7F99A828F505ED8239397A5D1F62914459760F878F7510F563A3";
+
+const char *EXPECTED_ECDSA_MD5_HASH_DIGEST = "0402E4D897580BBC911379CBD88BCD3D";
+
+const char *EXPECTED_ECDSA_SHA1_HASH_DIGEST =
+    "12FDAD1E3B31B10BABB00F2A8D1B9A62C326BD2F";
+
+const char *EXPECTED_ECDSA_SHA256_HASH_DIGEST = "56FCD975B166C3F0342D0036E44C311A86C0EAE40713B53FC776369BAE7F5264";
+
 const int MD5_HASH_SIZE = 16;
 const int SHA1_HASH_SIZE = 20;
+const int SHA256_HASH_SIZE = 32;

 static void calculate_digest(const char *hash, size_t hash_len, char *buffer,
                             size_t buffer_len)
@ -39,34 +53,111 @@ int test(LIBSSH2_SESSION *session)

    const char *md5_hash;
    const char *sha1_hash;
+    const char *sha256_hash;
+    int type;
+    size_t len;

-    md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
-    if (md5_hash == NULL) {
-        print_last_session_error(
-            "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_MD5)");
+    const char *hostkey = libssh2_session_hostkey(session, &len, &type);
+    if (hostkey == NULL) {
+        print_last_session_error("libssh2_session_hostkey");
        return 1;
    }

-    calculate_digest(md5_hash, MD5_HASH_SIZE, buf, BUFSIZ);
+    if (type == LIBSSH2_HOSTKEY_TYPE_ECDSA) {

-    if (strcmp(buf, EXPECTED_MD5_HASH_DIGEST) != 0) {
-        fprintf(stderr, "MD5 hash not as expected - digest %s != %s\n", buf,
-                EXPECTED_MD5_HASH_DIGEST);
-        return 1;
-    }
+        md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
+        if (md5_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_MD5)");
+            return 1;
+        }

-    sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
-    if (sha1_hash == NULL) {
-        print_last_session_error(
-            "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_SHA1)");
-        return 1;
-    }
+        calculate_digest(md5_hash, MD5_HASH_SIZE, buf, BUFSIZ);

-    calculate_digest(sha1_hash, SHA1_HASH_SIZE, buf, BUFSIZ);
+        if (strcmp(buf, EXPECTED_ECDSA_MD5_HASH_DIGEST) != 0) {
+            fprintf(stderr, "ECDSA MD5 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_ECDSA_MD5_HASH_DIGEST);
+            return 1;
+        }

-    if (strcmp(buf, EXPECTED_SHA1_HASH_DIGEST) != 0) {
-        fprintf(stderr, "SHA1 hash not as expected - digest %s != %s\n", buf,
-                EXPECTED_SHA1_HASH_DIGEST);
+        sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+        if (sha1_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_SHA1)");
+            return 1;
+        }
+
+        calculate_digest(sha1_hash, SHA1_HASH_SIZE, buf, BUFSIZ);
+
+        if (strcmp(buf, EXPECTED_ECDSA_SHA1_HASH_DIGEST) != 0) {
+            fprintf(stderr, "ECDSA SHA1 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_ECDSA_SHA1_HASH_DIGEST);
+            return 1;
+        }
+
+        sha256_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
+        if (sha256_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_SHA256)");
+            return 1;
+        }
+
+        calculate_digest(sha256_hash, SHA256_HASH_SIZE, buf, BUFSIZ);
+
+        if (strcmp(buf, EXPECTED_ECDSA_SHA256_HASH_DIGEST) != 0) {
+            fprintf(stderr, "ECDSA SHA256 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_ECDSA_SHA256_HASH_DIGEST);
+            return 1;
+        }
+
+    } else if ( type == LIBSSH2_HOSTKEY_TYPE_RSA ) {
+
+        md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
+        if (md5_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_MD5)");
+            return 1;
+        }
+
+        calculate_digest(md5_hash, MD5_HASH_SIZE, buf, BUFSIZ);
+
+        if (strcmp(buf, EXPECTED_RSA_MD5_HASH_DIGEST) != 0) {
+            fprintf(stderr, "MD5 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_RSA_MD5_HASH_DIGEST);
+            return 1;
+        }
+
+        sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+        if (sha1_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_SHA1)");
+            return 1;
+        }
+
+        calculate_digest(sha1_hash, SHA1_HASH_SIZE, buf, BUFSIZ);
+
+        if (strcmp(buf, EXPECTED_RSA_SHA1_HASH_DIGEST) != 0) {
+            fprintf(stderr, "SHA1 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_RSA_SHA1_HASH_DIGEST);
+            return 1;
+        }
+
+        sha256_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
+        if (sha256_hash == NULL) {
+            print_last_session_error(
+                "libssh2_hostkey_hash(LIBSSH2_HOSTKEY_HASH_SHA256)");
+            return 1;
+        }
+
+        calculate_digest(sha256_hash, SHA256_HASH_SIZE, buf, BUFSIZ);
+
+        if (strcmp(buf, EXPECTED_RSA_SHA256_HASH_DIGEST) != 0) {
+            fprintf(stderr, "SHA256 hash not as expected - digest %s != %s\n", buf,
+                    EXPECTED_RSA_SHA256_HASH_DIGEST);
+            return 1;
+        }
+    } else {
+        fprintf(stderr, "Unexpected type of hostkey: %i\n", type);
        return 1;
    }