author | Jakub Jelen <jjelen@redhat.com> | 2019-10-31 13:03:21 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-11-07 15:55:32 +0100 |
commit | 1ebf506913495a736322fc5a97ba336adff6e464 (patch) | |
tree | c5df3a393c157286e41c43219b7f7e8c08d9a37c /include | |
parent | fbc2912ddeb22dfc901508467a23d6e9d41cd6a2 (diff) | |
server: Use really the negotiated signature type
Generally, when the extension negotiation is enabled and client supports
SHA2 algorithms for RSA, they are supposed to be prioritized against the
old SHA1. If it is not (ssh-rsa is listed in front of rsa-sha2-* hostkey
algorithms during negotiation), the server wrongly tries to provide the
new type of signature, ignoring the negotiated algorithm.
This commit propagates the digest algorithm from negotiation to the actual
signature functions, which were previously responsible for decision
about the hash algorithm based just on the negotiated extensions.
Fixes T191
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/libssh/pki.h | 4 | ||||
-rw-r--r-- | include/libssh/priv.h | 12 | ||||
-rw-r--r-- | include/libssh/session.h | 1 | ||||
-rw-r--r-- | include/libssh/wrapper.h | 8 |
4 files changed, 15 insertions, 10 deletions
diff --git a/include/libssh/pki.h b/include/libssh/pki.h
index 533d3e09..9b104349 100644
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -111,6 +111,7 @@ enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name);
 enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type);
 enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
 enum ssh_keytypes_e type);
+enum ssh_digest_e ssh_key_hash_from_name(const char *name);
 #define is_ecdsa_key_type(t) \
 ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
@@ -153,7 +154,8 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
 struct ssh_buffer_struct *buf,
 const ssh_key pubkey);
 ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
- const ssh_key privkey);
+ const ssh_key privkey,
+ const enum ssh_digest_e digest);
 /* Temporary functions, to be removed after migration to ssh_key */
 ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key);
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index ce74465a..90ef0dcf 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -221,7 +221,17 @@ int gettimeofday(struct timeval *__p, void *__t);
 struct ssh_common_struct;
 struct ssh_kex_struct;
-int ssh_get_key_params(ssh_session session, ssh_key *privkey);
+enum ssh_digest_e {
+ SSH_DIGEST_AUTO=0,
+ SSH_DIGEST_SHA1=1,
+ SSH_DIGEST_SHA256,
+ SSH_DIGEST_SHA384,
+ SSH_DIGEST_SHA512,
+};
+
+int ssh_get_key_params(ssh_session session,
+ ssh_key *privkey,
+ enum ssh_digest_e *digest);
 /* LOGGING */
 void ssh_log_function(int verbosity,
diff --git a/include/libssh/session.h b/include/libssh/session.h
index dfcb0cd6..6558da46 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -188,6 +188,7 @@ struct ssh_session_struct {
 ssh_key ed25519_key;
 /* The type of host key wanted by client */
 enum ssh_keytypes_e hostkey;
+ enum ssh_digest_e hostkey_digest;
 } srv;
 /* auths accepted by server */
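Review bot: In the first include/libssh/pki.h hunk, the new `ssh_key_hash_from_name()` prototype does not say what it returns for a NULL or unrecognised algorithm name. `SSH_DIGEST_AUTO` is 0 in the enum this commit moves to priv.h, so if unknown names map to it, the caller cannot tell "no digest applies to this key type" from "lookup failed", and signing would presumably fall back to the extension-based choice the commit message sets out to replace. The implementation is outside this include-only diff, so that needs confirming. I would add a comment above the declaration along the lines of `/* Maps a negotiated hostkey algorithm name to its digest; returns SSH_DIGEST_AUTO when name is NULL or not recognised */`, adjusted to the actual behaviour.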
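Review bot: In the second include/libssh/pki.h hunk, `ssh_srv_pki_do_sign_sessionid()` now takes the digest from its caller, but the prototype states no contract for a value that does not fit `privkey`, for example `SSH_DIGEST_SHA384` with an RSA key, or `SSH_DIGEST_AUTO` left over from a failed lookup. The signing code is not part of this diff, so it should be checked that a mismatched digest makes the function return NULL rather than sign with a substituted hash. A short comment on the declaration naming the digests accepted per key type would make that reviewable. As a style point, `const` on the by-value `digest` parameter has no effect in a prototype and can be dropped.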
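Review bot: In include/libssh/priv.h, `ssh_get_key_params()` gains the out-parameter `enum ssh_digest_e *digest` with no comment on whether it may be NULL or whether it is written on the error path. A caller that declares the variable uninitialised and does not check the return value would hand an indeterminate digest to the signing function. I would document it, e.g. `/* On success stores the host key in *privkey and the negotiated digest in *digest; both must be non-NULL and are left untouched on error */`, matched to what the implementation actually does.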
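Review bot: In include/libssh/session.h, the added `hostkey_digest` field sits under the comment `/* The type of host key wanted by client */`, which describes only `hostkey`. A zeroed session struct would read as `SSH_DIGEST_AUTO` here, so it is worth stating whether that value is expected before key exchange completes and whether the field is refreshed together with `hostkey` on rekey; the code that sets it is outside this diff. Suggested comment on its own line above the field: `/* The digest negotiated for the host key signature */`. The enclosing `srv` struct starts outside the hunk.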
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
index 1c18f288..ba64939b 100644
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@@ -29,14 +29,6 @@
 #include "libssh/libgcrypt.h"
 #include "libssh/libmbedcrypto.h"
-enum ssh_digest_e {
- SSH_DIGEST_AUTO=0,
- SSH_DIGEST_SHA1=1,
- SSH_DIGEST_SHA256,
- SSH_DIGEST_SHA384,
- SSH_DIGEST_SHA512,
-};
-
 enum ssh_kdf_digest {
 SSH_KDF_SHA1=1,
 SSH_KDF_SHA256, |