[gnurl] 137/151: libssh2: add support for ECDSA and ed25519 knownhost keys
From: |
gnunet |
Subject: |
[gnurl] 137/151: libssh2: add support for ECDSA and ed25519 knownhost keys |
Date: |
Fri, 20 Dec 2019 14:27:26 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 1d2d3feb21c4c34789a51072915f6b709072074d
Author: Santino Keupp <address@hidden>
AuthorDate: Fri Dec 13 22:55:18 2019 +0100
libssh2: add support for ECDSA and ed25519 knownhost keys
... if a new enough libssh2 version is present.
Source: https://curl.haxx.se/mail/archive-2019-12/0023.html
Co-Authored-by: Daniel Stenberg
Closes #4714
---
lib/vssh/libssh2.c | 128 +++++++++++++++++++++++++++++++++--------------------
1 file changed, 81 insertions(+), 47 deletions(-)
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index c71cfbc9f..063f3d2ae 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -466,61 +466,95 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
struct curl_khkey *knownkeyp = NULL;
struct curl_khkey foundkey;
- keybit = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
- LIBSSH2_KNOWNHOST_KEY_SSHRSA:LIBSSH2_KNOWNHOST_KEY_SSHDSS;
-
+ switch(keytype) {
+ case LIBSSH2_HOSTKEY_TYPE_RSA:
+ keybit = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+ break;
+ case LIBSSH2_HOSTKEY_TYPE_DSS:
+ keybit = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+ break;
+#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
+ keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
+ break;
+#endif
+#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_384
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
+ keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
+ break;
+#endif
+#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_521
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_521:
+ keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
+ break;
+#endif
+#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
+ case LIBSSH2_HOSTKEY_TYPE_ED25519:
+ keybit = LIBSSH2_KNOWNHOST_KEY_ED25519;
+ break;
+#endif
+ default:
+ infof(data, "unsupported key type, can't check knownhosts!\n");
+ keybit = 0;
+ break;
+ }
+ if(!keybit)
+ /* no check means failure! */
+ rc = CURLKHSTAT_REJECT;
+ else {
#ifdef HAVE_LIBSSH2_KNOWNHOST_CHECKP
- keycheck = libssh2_knownhost_checkp(sshc->kh,
- conn->host.name,
- (conn->remote_port != PORT_SSH)?
- conn->remote_port:-1,
- remotekey, keylen,
- LIBSSH2_KNOWNHOST_TYPE_PLAIN|
- LIBSSH2_KNOWNHOST_KEYENC_RAW|
- keybit,
- &host);
+ keycheck = libssh2_knownhost_checkp(sshc->kh,
+ conn->host.name,
+ (conn->remote_port != PORT_SSH)?
+ conn->remote_port:-1,
+ remotekey, keylen,
+ LIBSSH2_KNOWNHOST_TYPE_PLAIN|
+ LIBSSH2_KNOWNHOST_KEYENC_RAW|
+ keybit,
+ &host);
#else
- keycheck = libssh2_knownhost_check(sshc->kh,
- conn->host.name,
- remotekey, keylen,
- LIBSSH2_KNOWNHOST_TYPE_PLAIN|
- LIBSSH2_KNOWNHOST_KEYENC_RAW|
- keybit,
- &host);
+ keycheck = libssh2_knownhost_check(sshc->kh,
+ conn->host.name,
+ remotekey, keylen,
+ LIBSSH2_KNOWNHOST_TYPE_PLAIN|
+ LIBSSH2_KNOWNHOST_KEYENC_RAW|
+ keybit,
+ &host);
#endif
- infof(data, "SSH host check: %d, key: %s\n", keycheck,
- (keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH)?
- host->key:"<none>");
+ infof(data, "SSH host check: %d, key: %s\n", keycheck,
+ (keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH)?
+ host->key:"<none>");
+
+ /* setup 'knownkey' */
+ if(keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH) {
+ knownkey.key = host->key;
+ knownkey.len = 0;
+ knownkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
+ CURLKHTYPE_RSA : CURLKHTYPE_DSS;
+ knownkeyp = &knownkey;
+ }
- /* setup 'knownkey' */
- if(keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH) {
- knownkey.key = host->key;
- knownkey.len = 0;
- knownkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
+ /* setup 'foundkey' */
+ foundkey.key = remotekey;
+ foundkey.len = keylen;
+ foundkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
CURLKHTYPE_RSA : CURLKHTYPE_DSS;
- knownkeyp = &knownkey;
- }
- /* setup 'foundkey' */
- foundkey.key = remotekey;
- foundkey.len = keylen;
- foundkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
- CURLKHTYPE_RSA : CURLKHTYPE_DSS;
+ /*
+ * if any of the LIBSSH2_KNOWNHOST_CHECK_* defines and the
+ * curl_khmatch enum are ever modified, we need to introduce a
+ * translation table here!
+ */
+ keymatch = (enum curl_khmatch)keycheck;
- /*
- * if any of the LIBSSH2_KNOWNHOST_CHECK_* defines and the
- * curl_khmatch enum are ever modified, we need to introduce a
- * translation table here!
- */
- keymatch = (enum curl_khmatch)keycheck;
-
- /* Ask the callback how to behave */
- Curl_set_in_callback(data, true);
- rc = func(data, knownkeyp, /* from the knownhosts file */
- &foundkey, /* from the remote host */
- keymatch, data->set.ssh_keyfunc_userp);
- Curl_set_in_callback(data, false);
+ /* Ask the callback how to behave */
+ Curl_set_in_callback(data, true);
+ rc = func(data, knownkeyp, /* from the knownhosts file */
+ &foundkey, /* from the remote host */
+ keymatch, data->set.ssh_keyfunc_userp);
+ Curl_set_in_callback(data, false);
+ }
}
else
/* no remotekey means failure! */
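Review bot: The key type handed to the application callback is still computed by the old two-way test at `knownkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? CURLKHTYPE_RSA : CURLKHTYPE_DSS;` and the matching `foundkey.keytype` lines, so every ECDSA and ed25519 host key that the new switch now accepts is reported to the CURLOPT_SSH_KEYFUNCTION callback as CURLKHTYPE_DSS. An application that bases its accept/store decision on that field, or writes a known_hosts entry from it, is then working from a wrong key type, which undermines the host-key check the switch is meant to extend. Derive the reported type from the same switch that sets keybit: a local set alongside `keybit` in each case (using `CURLKHTYPE_UNKNOWN` for any type the public curl_khtype enum cannot express at this version), then `knownkey.keytype = khtype;` and `foundkey.keytype = khtype;` in place of the two ternaries. ssh_knownhost starts before this hunk and its body continues past it.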