authorJon Simons <jon@jonsimons.org>2019-02-04 18:21:21 -0500
committerAndreas Schneider <asn@cryptomilk.org>2019-02-07 14:22:30 +0100
commita4948f62127859d2395b13c58cc3ada2699d00ff (patch)
tree2c441241675e01766ba7e4079a57edb106a638c5
parente05e4ae9712b29eee2cd46021787889c95497a96 (diff)
kex: honor client preference for rsa-sha2-{256,512} host key algorithms
Ensure that the client preference ordering is honored when enabling one of the RFC8332 RSA signature extensions (`rsa-sha2-{256,512}`). Before this change, libssh unconditionally selects the `rsa-sha2-512` algorithm for clients which may have offered "rsa-sha2-256,rsa-sha2-512". The change can be observed before-and-after with the pkd tests: ./pkd_hello -t torture_pkd_openssh_rsa_rsa_sha2_256_512 Signed-off-by: Jon Simons <jon@jonsimons.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> (cherry picked from commit 5d279a7ad7fc69c339ca89caf334b479ba787f70)
-rw-r--r--src/kex.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/kex.c b/src/kex.c
index 44d60f59..82686e4b 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -421,6 +421,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
int server_kex=session->server;
ssh_string str = NULL;
char *strings[KEX_METHODS_SIZE] = {0};
+ char *rsa_sig_ext = NULL;
int rc = SSH_ERROR;
uint8_t first_kex_packet_follows = 0;
@@ -546,6 +547,29 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
if (ok) {
session->extensions |= SSH_EXT_SIG_RSA_SHA256;
}
+
+ /*
+ * Ensure that the client preference is honored for the case
+ * both signature types are enabled.
+ */
+ if ((session->extensions & SSH_EXT_SIG_RSA_SHA256) &&
+ (session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
+ session->extensions &= ~(SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512);
+ rsa_sig_ext = ssh_find_matching("rsa-sha2-512,rsa-sha2-256",
+ session->next_crypto->client_kex.methods[SSH_HOSTKEYS]);
+ if (rsa_sig_ext == NULL) {
+ goto error; /* should never happen */
+ } else if (strcmp(rsa_sig_ext, "rsa-sha2-512") == 0) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+ } else if (strcmp(rsa_sig_ext, "rsa-sha2-256") == 0) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+ } else {
+ SAFE_FREE(rsa_sig_ext);
+ goto error; /* should never happen */
+ }
+ SAFE_FREE(rsa_sig_ext);
+ }
+
SSH_LOG(SSH_LOG_DEBUG, "The client supports extension "
"negotiation. Enabled signature algorithms: %s%s",
session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
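Review bot: The `/* should never happen */` on the NULL check after the `ssh_find_matching` call undersells that path: if I read the helper right it returns NULL not only when nothing matches but also when its internal allocation fails, so this branch is the out-of-memory path and the comment should say so, e.g. `goto error; /* no match (list changed?) or allocation failure */`. The trailing `else` is unreachable by construction, since the available list only holds the two names being compared, and it duplicates the `SAFE_FREE` of the success path; freeing once after the comparison and then checking that one of the two bits was re-set gives the same behaviour with a single cleanup site. A one-line comment stating that the client's list is passed as the preferred side of `ssh_find_matching`, so its ordering is what decides, would spare the next reader a trip to the helper. ssh_packet_kexinit begins and ends outside this hunk, so the `error` label it jumps to is not visible here.
```c
        rsa_sig_ext = ssh_find_matching("rsa-sha2-512,rsa-sha2-256",
                                        session->next_crypto->client_kex.methods[SSH_HOSTKEYS]);
        /* client list is the preferred side: its ordering decides */
        if (rsa_sig_ext != NULL && strcmp(rsa_sig_ext, "rsa-sha2-512") == 0) {
            session->extensions |= SSH_EXT_SIG_RSA_SHA512;
        } else if (rsa_sig_ext != NULL && strcmp(rsa_sig_ext, "rsa-sha2-256") == 0) {
            session->extensions |= SSH_EXT_SIG_RSA_SHA256;
        }
        SAFE_FREE(rsa_sig_ext);
        if ((session->extensions & (SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512)) == 0) {
            goto error; /* no match (list changed?) or allocation failure */
        }
    }
    /* … unchanged: SSH_LOG of the enabled signature algorithms … */
```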