From 4169be45eb5262a1a4aba775740b65206906e772 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Tue, 7 Aug 2018 11:32:36 +0200 Subject: pki: Allow filtering accepted public key types based on the configuration This effectively allows to disable using the SHA2 extension, disable other old public key mechanisms out of the box (hello DSA) or force the new SHA2-based key algorithm types if needed. This exposes the default_methods array from kex.c. Signed-off-by: Jakub Jelen Reviewed-by: Andreas Schneider --- include/libssh/kex.h | 1 + include/libssh/pki.h | 1 + src/kex.c | 9 +++++++++ src/pki.c | 29 +++++++++++++++++++++++++---- 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/include/libssh/kex.h b/include/libssh/kex.h index 3e9b69b5..58a9c555 100644 --- a/include/libssh/kex.h +++ b/include/libssh/kex.h @@ -43,6 +43,7 @@ char **ssh_space_tokenize(const char *chain); int ssh_get_kex1(ssh_session session); char *ssh_find_matching(const char *in_d, const char *what_d); const char *ssh_kex_get_supported_method(uint32_t algo); +const char *ssh_kex_get_default_methods(uint32_t algo); const char *ssh_kex_get_description(uint32_t algo); #endif /* KEX_H_ */ diff --git a/include/libssh/pki.h b/include/libssh/pki.h index 0a3823f3..621378ad 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -138,4 +138,5 @@ ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session, ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key); ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key); +int ssh_key_algorithm_allowed(ssh_session session, const char *type); #endif /* PKI_H_ */ diff --git a/src/kex.c b/src/kex.c index 475b0ec8..ee36bb31 100644 --- a/src/kex.c +++ b/src/kex.c @@ -235,6 +235,15 @@ char **ssh_space_tokenize(const char *chain){ return tokens; } +const char *ssh_kex_get_default_methods(uint32_t algo) +{ + if (algo >= KEX_METHODS_SIZE) { + return NULL; + } + + return default_methods[algo]; +} + const char *ssh_kex_get_supported_method(uint32_t algo) { if (algo >= KEX_METHODS_SIZE) { return NULL; diff --git a/src/pki.c b/src/pki.c index d894762c..69d76c27 100644 --- a/src/pki.c +++ b/src/pki.c @@ -271,6 +271,27 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name) /* we do not care for others now */ return SSH_DIGEST_AUTO; } +/** + * @brief Checks the given key against the configured allowed + * public key algorithm types + * + * @param[in] session The SSH session + * @parma[in] type The key algorithm to check + * @returns 1 if the key algorithm is allowed 0 otherwise + */ +int ssh_key_algorithm_allowed(ssh_session session, const char *type) +{ + const char *allowed_list; + + allowed_list = session->opts.pubkey_accepted_types; + if (allowed_list == NULL) { + allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS); + } + + SSH_LOG(SSH_LOG_DEBUG, "Checking %s with list <%s>", type, allowed_list); + return ssh_match_group(allowed_list, type); +} + /** * @brief Convert a key type to a hash type. This is usually unambiguous * for all the key types, unless the SHA2 extension (RFC 8332) is @@ -285,15 +306,15 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name) static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, enum ssh_keytypes_e type) { - /* TODO this should also reflect supported key types specified in - * configuration (ssh_config PubkeyAcceptedKeyTypes) */ switch (type) { case SSH_KEYTYPE_RSA: - if (session->extensions & SSH_EXT_SIG_RSA_SHA512) { + if (ssh_key_algorithm_allowed(session, "rsa-sha2-512") && + (session->extensions & SSH_EXT_SIG_RSA_SHA512)) { return SSH_DIGEST_SHA512; } - if (session->extensions & SSH_EXT_SIG_RSA_SHA256) { + if (ssh_key_algorithm_allowed(session, "rsa-sha2-256") && + (session->extensions & SSH_EXT_SIG_RSA_SHA256)) { return SSH_DIGEST_SHA256; } -- cgit v1.2.3