diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c77d20c1..d651ed7c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -481,7 +481,7 @@ jobs:
 rcopts=' -O coff '
 elif [ '${{ matrix.test }}' = 'no-options' ]; then
 options+=' -DLIBSSH2_NO_DEPRECATED=ON'
- cflags='-DLIBSSH2_NO_MD5 -DLIBSSH2_NO_MD5_PEM -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_NO_DSA -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES'
+ cflags='-DLIBSSH2_NO_MD5 -DLIBSSH2_NO_MD5_PEM -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_DSA_ENABLE -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES'
 else
 cflags=''
 rcopts=''
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b40d6741..cdd038db 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -6,7 +6,7 @@ Deprecation notices: disabled in default builds (with an option to enable them): - DSA: `ssh-dss` hostkeys. - You can disable it now with `-DLIBSSH2_NO_DSA`. + You can enable it now with `-DLIBSSH2_DSA_ENABLE`. Disabled by default in OpenSSH 7.0 (2015-08-11). Support to be removed by early 2025 from OpenSSH. - MD5-based MACs and hashes: `hmac-md5`, `hmac-md5-96`,
diff --git a/docs/libssh2_knownhost_add.3 b/docs/libssh2_knownhost_add.3
index fa55a4e3..c881e36f 100644
--- a/docs/libssh2_knownhost_add.3
+++ b/docs/libssh2_knownhost_add.3
@@ -49,7 +49,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64. The key is using one of these algorithms: LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or -LIBSSH2_KNOWNHOST_KEY_SSHDSS. +LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated). \fIstore\fP should point to a pointer that gets filled in to point to the known host data after the addition. NULL can be passed if you do not care about
diff --git a/docs/libssh2_knownhost_addc.3 b/docs/libssh2_knownhost_addc.3
index 94a66654..5a1b8c56 100644
--- a/docs/libssh2_knownhost_addc.3
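Review bot: The `no-options` leg now carries `-DLIBSSH2_DSA_ENABLE` inside a `cflags` string where every other define is a `LIBSSH2_NO_*` opt-out, so the leg's name no longer describes what it builds and nothing on the line says why DSA is the one algorithm being switched on. If the purpose is to keep the DSA code compiling somewhere in CI now that it is off by default, say so inline, e.g. `# DSA is opt-in now; enable it here so the LIBSSH2_DSA code paths still get built` above the `cflags=` line, or give DSA a matrix leg of its own. Without that, the next tidy-up of this matrix is likely to "fix" the flag back to a disable.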
+++ b/docs/libssh2_knownhost_addc.3
@@ -54,7 +54,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64. The key is using one of these algorithms: LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or -LIBSSH2_KNOWNHOST_KEY_SSHDSS. +LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated). \fIstore\fP should point to a pointer that gets filled in to point to the known host data after the addition. NULL can be passed if you do not care about
diff --git a/docs/libssh2_session_hostkey.3 b/docs/libssh2_session_hostkey.3
index 8892ba59..4190843d 100644
--- a/docs/libssh2_session_hostkey.3
+++ b/docs/libssh2_session_hostkey.3
@@ -16,7 +16,7 @@ Returns a pointer to the current host key, the value \fIlen\fP points to will get the length of the key. The value \fItype\fP points to the type of hostkey which is one of: -LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS, or +LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS (deprecated), or LIBSSH2_HOSTKEY_TYPE_UNKNOWN. .SH RETURN VALUE
diff --git a/include/libssh2.h b/include/libssh2.h
index 71673801..8b16dd2e 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -502,7 +502,7 @@ typedef struct _LIBSSH2_POLLFD {
 /* Hostkey Types */
 #define LIBSSH2_HOSTKEY_TYPE_UNKNOWN 0
 #define LIBSSH2_HOSTKEY_TYPE_RSA 1
-#define LIBSSH2_HOSTKEY_TYPE_DSS 2
+#define LIBSSH2_HOSTKEY_TYPE_DSS 2 /* deprecated */
 #define LIBSSH2_HOSTKEY_TYPE_ECDSA_256 3
 #define LIBSSH2_HOSTKEY_TYPE_ECDSA_384 4
 #define LIBSSH2_HOSTKEY_TYPE_ECDSA_521 5
@@ -1147,7 +1147,7 @@ libssh2_knownhost_init(LIBSSH2_SESSION *session);
 #define LIBSSH2_KNOWNHOST_KEY_SHIFT 18
 #define LIBSSH2_KNOWNHOST_KEY_RSA1 (1<<18)
 #define LIBSSH2_KNOWNHOST_KEY_SSHRSA (2<<18)
-#define LIBSSH2_KNOWNHOST_KEY_SSHDSS (3<<18)
+#define LIBSSH2_KNOWNHOST_KEY_SSHDSS (3<<18) /* deprecated */
 #define LIBSSH2_KNOWNHOST_KEY_ECDSA_256 (4<<18)
 #define LIBSSH2_KNOWNHOST_KEY_ECDSA_384 (5<<18)
 #define LIBSSH2_KNOWNHOST_KEY_ECDSA_521 (6<<18)
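Review bot: A bare `/* deprecated */` on `LIBSSH2_HOSTKEY_TYPE_DSS` and `LIBSSH2_KNOWNHOST_KEY_SSHDSS` does not tell an API user what changes at runtime: both constants stay defined unconditionally, but the code that produces them (hostkey_type() and the known_hosts line parser in this same change) is now compiled only under `#if LIBSSH2_DSA`, so in a default build they are never returned and an ssh-dss key is reported as the UNKNOWN value instead. Spell that out where the constant is declared, e.g. `#define LIBSSH2_HOSTKEY_TYPE_DSS 2 /* deprecated; only reported when built with LIBSSH2_DSA_ENABLE */`, and the equivalent on the known-host constant. Callers that still compare against these values (for instance to log the host key type) will otherwise not learn from the header why they stopped seeing DSS.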
diff --git a/src/crypto_config.h b/src/crypto_config.h
index 5934e140..885a6a91 100644
--- a/src/crypto_config.h
+++ b/src/crypto_config.h
@@ -20,7 +20,7 @@
 #define LIBSSH2_HMAC_RIPEMD 0
 #endif
 
-#ifdef LIBSSH2_NO_DSA
+#if !defined(LIBSSH2_DSA_ENABLE)
 #undef LIBSSH2_DSA
 #define LIBSSH2_DSA 0
 #endif
diff --git a/src/hostkey.c b/src/hostkey.c
index 40302f67..99eaf3e0 100644
--- a/src/hostkey.c
+++ b/src/hostkey.c
@@ -1416,9 +1416,11 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
 static const unsigned char rsa[] = {
 0, 0, 0, 0x07, 's', 's', 'h', '-', 'r', 's', 'a'
 };
+#if LIBSSH2_DSA
 static const unsigned char dss[] = {
 0, 0, 0, 0x07, 's', 's', 'h', '-', 'd', 's', 's'
 };
+#endif
 static const unsigned char ecdsa_256[] = {
 0, 0, 0, 0x13, 'e', 'c', 'd', 's', 'a', '-', 's', 'h', 'a', '2', '-',
 'n', 'i', 's', 't', 'p', '2', '5', '6'
@@ -1441,8 +1443,10 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
 if(!memcmp(rsa, hostkey, 11))
 return LIBSSH2_HOSTKEY_TYPE_RSA;
 
+#if LIBSSH2_DSA
 if(!memcmp(dss, hostkey, 11))
 return LIBSSH2_HOSTKEY_TYPE_DSS;
+#endif
 
 if(len < 15)
 return LIBSSH2_HOSTKEY_TYPE_UNKNOWN;
diff --git a/src/knownhost.c b/src/knownhost.c
index 5eba6a10..79500ec5 100644
--- a/src/knownhost.c
+++ b/src/knownhost.c
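Review bot: With `#if !defined(LIBSSH2_DSA_ENABLE)` the previous opt-out `LIBSSH2_NO_DSA` is silently ignored, so a build that still passes `-DLIBSSH2_NO_DSA` (as the CI leg did before this commit) but also picks up `LIBSSH2_DSA_ENABLE` from a config header or build system ends up with DSA compiled in and no warning. An explicit disable should win over an enable, or the combination should be rejected: either change the condition to `#if !defined(LIBSSH2_DSA_ENABLE) || defined(LIBSSH2_NO_DSA)`, or add `#if defined(LIBSSH2_NO_DSA) && defined(LIBSSH2_DSA_ENABLE)` / `#error "LIBSSH2_NO_DSA and LIBSSH2_DSA_ENABLE are mutually exclusive"` ahead of this block. Note also that this block only ever forces `LIBSSH2_DSA` to 0; whether `LIBSSH2_DSA_ENABLE` actually yields 1 depends on the backend's earlier definition, which is outside the hunk, so a comment here saying "opt-in; the backend must still define LIBSSH2_DSA" would save the next reader a search.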
@@ -779,18 +779,20 @@ static int hostline(LIBSSH2_KNOWNHOSTS *hosts,
 }
 key_type_len = key - key_type_name;
 
- if(!strncmp(key_type_name, "ssh-dss", key_type_len))
- key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
- else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
- key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+ if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
+ key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
 else if(!strncmp(key_type_name, "ecdsa-sha2-nistp256", key_type_len))
 key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
 else if(!strncmp(key_type_name, "ecdsa-sha2-nistp384", key_type_len))
 key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
 else if(!strncmp(key_type_name, "ecdsa-sha2-nistp521", key_type_len))
 key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
- else if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
- key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
+ else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
+ key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+#if LIBSSH2_DSA
+ else if(!strncmp(key_type_name, "ssh-dss", key_type_len))
+ key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+#endif
 else
 key_type = LIBSSH2_KNOWNHOST_KEY_UNKNOWN;
 
@@ -1026,10 +1028,12 @@ knownhost_writeline(LIBSSH2_KNOWNHOSTS *hosts,
 key_type_name = "ssh-rsa";
 key_type_len = 7;
 break;
+#if LIBSSH2_DSA
 case LIBSSH2_KNOWNHOST_KEY_SSHDSS:
 key_type_name = "ssh-dss";
 key_type_len = 7;
 break;
+#endif
 case LIBSSH2_KNOWNHOST_KEY_ECDSA_256:
 key_type_name = "ecdsa-sha2-nistp256";
 key_type_len = 19;
diff --git a/tests/openssh_server/sshd_config b/tests/openssh_server/sshd_config
index 1069566f..5cd2b898 100644
--- a/tests/openssh_server/sshd_config
+++ b/tests/openssh_server/sshd_config
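Review bot: The rewritten chain still matches on a prefix: each `strncmp(key_type_name, "...", key_type_len)` compares only `key_type_len` bytes, so if `key_type_len` is the bare length of the type token (its computation, `key - key_type_name`, is in the hunk but the scan that positions `key` is not), a known_hosts line whose type field is just `ssh` or `ssh-` now classifies as ed25519, and the reorder means such a truncated token maps to a different type than before this change. Since these lines are being rewritten anyway, compare the length too; hostline() begins and ends outside the hunk, and the same helper can replace every branch. A file-scope helper such as the one below keeps each condition on one line.
```c
/* Exact token match: a prefix such as "ssh" must not be taken for "ssh-ed25519". */
static int key_type_is(const char *name, size_t len, const char *lit)
{
    return len == strlen(lit) && !memcmp(name, lit, len);
}

/* … in hostline(), unchanged up to key_type_len … */
    if(key_type_is(key_type_name, key_type_len, "ssh-ed25519"))
        key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
    /* … remaining branches use key_type_is() the same way … */
```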
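Review bot: Compiling out the `LIBSSH2_KNOWNHOST_KEY_SSHDSS` case in knownhost_writeline() while the constant stays public (the include/libssh2.h hunk in this same change keeps it, merely marked deprecated, and the addc man page still lists it) means an entry an application adds through libssh2_knownhost_addc() with that type can no longer be serialised; what it gets instead depends on the switch's `default` branch, which lies outside this hunk. Worth confirming that branch returns an error rather than silently dropping or mislabelling the entry, and a one-line comment at the `#if LIBSSH2_DSA` such as `/* ssh-dss entries are rejected by the default case unless DSA is enabled */` would make the intended behaviour explicit.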
@@ -1,4 +1,4 @@
 HostKeyAlgorithms +ssh-rsa
-PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com
 MACs +hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
 Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
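Review bot: Removing `ssh-dss` from `PubkeyAcceptedKeyTypes` means the test server no longer accepts a DSA user key at all, and `HostKeyAlgorithms` on the line above was already RSA-only, so as far as this config shows the DSA code that the ci.yml hunk in this same commit deliberately keeps compiled is built but never exercised against sshd. If that CI leg is meant to cover DSA end to end, it needs a server config that still lists `ssh-dss` here; otherwise a short comment in the CI matrix stating that DSA is compile-tested only would set expectations.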