author | Jakub Jelen <jjelen@redhat.com> | 2018-08-07 11:32:36 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-08-31 14:18:34 +0200 |
commit | 4169be45eb5262a1a4aba775740b65206906e772 (patch) | |
tree | 23c034a55346dab310639d4d04b0e05d894a9ae3 /src/pki.c | |
parent | 5d53f519bceddda24f72da10dbd6576398fef05a (diff) | |
pki: Allow filtering accepted public key types based on the configuration
This effectively allows disabling the SHA2 extension, disabling
other old public key mechanisms out of the box (hello DSA), or forcing
the new SHA2-based key algorithm types if needed.
This exposes the default_methods array from kex.c.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/pki.c')
-rw-r--r-- | src/pki.c | 29 |
1 files changed, 25 insertions, 4 deletions
@@ -272,6 +272,27 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name)
 return SSH_DIGEST_AUTO;
 }
 /**
+ * @brief Checks the given key against the configured allowed
+ * public key algorithm types
+ *
+ * @param[in] session The SSH session
+ * @parma[in] type The key algorithm to check
+ * @returns 1 if the key algorithm is allowed 0 otherwise
+ */
+int ssh_key_algorithm_allowed(ssh_session session, const char *type)
+{
+ const char *allowed_list;
+
+ allowed_list = session->opts.pubkey_accepted_types;
+ if (allowed_list == NULL) {
+ allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
+ }
+
+ SSH_LOG(SSH_LOG_DEBUG, "Checking %s with list <%s>", type, allowed_list);
+ return ssh_match_group(allowed_list, type);
+}
+
+/**
 * @brief Convert a key type to a hash type. This is usually unambiguous
 * for all the key types, unless the SHA2 extension (RFC 8332) is
 * negotiated during key exchange.
@@ -285,15 +306,15 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name)
 static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
 enum ssh_keytypes_e type)
 {
- /* TODO this should also reflect supported key types specified in
- * configuration (ssh_config PubkeyAcceptedKeyTypes) */
 switch (type) {
 case SSH_KEYTYPE_RSA:
- if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
+ if (ssh_key_algorithm_allowed(session, "rsa-sha2-512") &&
+ (session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
 return SSH_DIGEST_SHA512;
 }
- if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
+ if (ssh_key_algorithm_allowed(session, "rsa-sha2-256") &&
+ (session->extensions & SSH_EXT_SIG_RSA_SHA256)) {
 return SSH_DIGEST_SHA256;
 } |
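Review bot: `ssh_key_algorithm_allowed()` hands `type` to a `%s` in `SSH_LOG` and then to `ssh_match_group()` without a NULL check, and as a non-static function that decides an allow/deny policy it should fail closed on bad input; the callers added in this diff pass string literals, but other callers are not visible here. A guard such as `if (type == NULL) { return 0; }` before the log call would do it. The doc comment also has `@parma[in]` where `@param[in]` is meant, and it promises 1 or 0 while the code returns the result of `ssh_match_group()` unchanged, so either normalise the return or document what that helper yields. A short comment on why the `SSH_HOSTKEYS` default list is the fallback when `pubkey_accepted_types` is unset would help, since that default then becomes the effective policy for accepted public key types.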
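Review bot: In the `SSH_KEYTYPE_RSA` branch of `ssh_key_type_to_hash()` only the two SHA2 digests are gated on the allowed list; when both checks fail, control falls through to code outside this hunk, and nothing visible here confirms that the remaining RSA digest is checked against `pubkey_accepted_types`. If that fallback is the legacy `ssh-rsa` signature, a configuration that lists only `rsa-sha2-256`/`rsa-sha2-512` would not be enforced at this point, although callers may filter elsewhere. Since the commit deletes the TODO about reflecting the configuration, either gate the fallback with `ssh_key_algorithm_allowed(session, "ssh-rsa")` or leave a comment such as `/* fallback digest is not filtered here; callers must check ssh-rsa themselves */`. Testing the `session->extensions` bit first would also skip the list match and its debug log line when the extension was not negotiated. The function body continues past the end of the hunk.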