aboutsummaryrefslogtreecommitdiff
path: root/src/pki.c
diff options
context:
space:
mode:
authorJakub Jelen <jjelen@redhat.com>2018-08-07 11:32:36 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-08-31 14:18:34 +0200
commit4169be45eb5262a1a4aba775740b65206906e772 (patch)
tree23c034a55346dab310639d4d04b0e05d894a9ae3 /src/pki.c
parent5d53f519bceddda24f72da10dbd6576398fef05a (diff)
downloadlibssh-4169be45eb5262a1a4aba775740b65206906e772.tar.gz
libssh-4169be45eb5262a1a4aba775740b65206906e772.tar.xz
libssh-4169be45eb5262a1a4aba775740b65206906e772.zip
pki: Allow filtering accepted public key types based on the configuration
This effectively allows to disable using the SHA2 extension, disable other old public key mechanisms out of the box (hello DSA) or force the new SHA2-based key algorithm types if needed. This exposes the default_methods array from kex.c. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/pki.c')
-rw-r--r--src/pki.c29
1 files changed, 25 insertions, 4 deletions
diff --git a/src/pki.c b/src/pki.c
index d894762c..69d76c27 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -272,6 +272,27 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name)
return SSH_DIGEST_AUTO;
}
/**
+ * @brief Checks the given key against the configured allowed
+ * public key algorithm types
+ *
+ * @param[in] session The SSH session
+ * @parma[in] type The key algorithm to check
+ * @returns 1 if the key algorithm is allowed 0 otherwise
+ */
+int ssh_key_algorithm_allowed(ssh_session session, const char *type)
+{
+ const char *allowed_list;
+
+ allowed_list = session->opts.pubkey_accepted_types;
+ if (allowed_list == NULL) {
+ allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
+ }
+
+ SSH_LOG(SSH_LOG_DEBUG, "Checking %s with list <%s>", type, allowed_list);
+ return ssh_match_group(allowed_list, type);
+}
+
+/**
* @brief Convert a key type to a hash type. This is usually unambiguous
* for all the key types, unless the SHA2 extension (RFC 8332) is
* negotiated during key exchange.
@@ -285,15 +306,15 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name)
static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type)
{
- /* TODO this should also reflect supported key types specified in
- * configuration (ssh_config PubkeyAcceptedKeyTypes) */
switch (type) {
case SSH_KEYTYPE_RSA:
- if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
+ if (ssh_key_algorithm_allowed(session, "rsa-sha2-512") &&
+ (session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
return SSH_DIGEST_SHA512;
}
- if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
+ if (ssh_key_algorithm_allowed(session, "rsa-sha2-256") &&
+ (session->extensions & SSH_EXT_SIG_RSA_SHA256)) {
return SSH_DIGEST_SHA256;
}