Mercurial > dropbear
comparison cli-authpubkey.c @ 1676:d5cdc60db08e
ext-info handling for server-sig-algs
only client side is handled
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 19 May 2020 00:31:41 +0800 |
parents | ae41624c2198 |
children | 435cfb9ec96e |
comparison
equal
deleted
inserted
replaced
1675:ae41624c2198 | 1676:d5cdc60db08e |
---|---|
182 TRACE(("leave send_msg_userauth_pubkey")) | 182 TRACE(("leave send_msg_userauth_pubkey")) |
183 } | 183 } |
184 | 184 |
185 /* Returns 1 if a key was tried */ | 185 /* Returns 1 if a key was tried */ |
186 int cli_auth_pubkey() { | 186 int cli_auth_pubkey() { |
187 enum signature_type sigtype; | |
187 TRACE(("enter cli_auth_pubkey")) | 188 TRACE(("enter cli_auth_pubkey")) |
188 | 189 |
189 #if DROPBEAR_CLI_AGENTFWD | 190 #if DROPBEAR_CLI_AGENTFWD |
190 if (!cli_opts.agent_keys_loaded) { | 191 if (!cli_opts.agent_keys_loaded) { |
191 /* get the list of available keys from the agent */ | 192 /* get the list of available keys from the agent */ |
192 cli_load_agent_keys(cli_opts.privkeys); | 193 cli_load_agent_keys(cli_opts.privkeys); |
193 cli_opts.agent_keys_loaded = 1; | 194 cli_opts.agent_keys_loaded = 1; |
195 TRACE(("cli_auth_pubkey: agent keys loaded")) | |
194 } | 196 } |
195 #endif | 197 #endif |
196 | 198 |
197 /* TODO iterate through privkeys to skip ones not in server-sig-algs */ | 199 /* iterate through privkeys to remove ones not allowed in server-sig-algs */ |
198 | 200 while (cli_opts.privkeys->first) { |
199 /* TODO: testing */ | 201 sign_key * key = (sign_key*)cli_opts.privkeys->first->item; |
202 if (cli_ses.server_sig_algs) { | |
203 #ifdef DROPBEAR_RSA | |
204 if (key->type == DROPBEAR_SIGNKEY_RSA) { | |
200 #if DROPBEAR_RSA_SHA256 | 205 #if DROPBEAR_RSA_SHA256 |
201 cli_ses.preferred_rsa_sigtype = DROPBEAR_SIGNATURE_RSA_SHA256; | 206 if (buf_has_algo(cli_ses.server_sig_algs, SSH_SIGNATURE_RSA_SHA256) |
202 #elif DROPBEAR_RSA_SHA1 | 207 == DROPBEAR_SUCCESS) { |
203 cli_ses.preferred_rsa_sigtype = DROPBEAR_SIGNATURE_RSA_SHA1; | 208 sigtype = DROPBEAR_SIGNATURE_RSA_SHA256; |
209 TRACE(("server-sig-algs allows rsa sha256")) | |
210 break; | |
211 } | |
212 #endif /* DROPBEAR_RSA_SHA256 */ | |
213 #if DROPBEAR_RSA_SHA1 | |
214 if (buf_has_algo(cli_ses.server_sig_algs, SSH_SIGNKEY_RSA) | |
215 == DROPBEAR_SUCCESS) { | |
216 sigtype = DROPBEAR_SIGNATURE_RSA_SHA1; | |
217 TRACE(("server-sig-algs allows rsa sha1")) | |
218 break; | |
219 } | |
220 #endif /* DROPBEAR_RSA_SHA256 */ | |
221 } else | |
222 #endif /* DROPBEAR_RSA */ | |
223 { | |
224 /* Not RSA */ | |
225 const char *name = NULL; | |
226 sigtype = signature_type_from_signkey(key->type); | |
227 name = signature_name_from_type(sigtype, NULL); | |
228 if (buf_has_algo(cli_ses.server_sig_algs, name) | |
229 == DROPBEAR_SUCCESS) { | |
230 TRACE(("server-sig-algs allows %s", name)) | |
231 break; | |
232 } | |
233 } | |
234 | |
235 /* No match, skip this key */ | |
236 TRACE(("server-sig-algs no match keytype %d, skipping", key->type)) | |
237 key = list_remove(cli_opts.privkeys->first); | |
238 sign_key_free(key); | |
239 continue; | |
240 } else { | |
241 /* Server didn't provide a server-sig-algs list, we'll | |
242 assume all except rsa-sha256 are OK. */ | |
243 #if DROPBEAR_RSA | |
244 if (key->type == DROPBEAR_SIGNKEY_RSA) { | |
245 #ifdef DROPBEAR_RSA_SHA1 | |
246 sigtype = DROPBEAR_SIGNATURE_RSA_SHA1; | |
247 TRACE(("no server-sig-algs, using rsa sha1")) | |
248 break; | |
249 #else | |
250 /* only support rsa-sha256, skip this key */ | |
251 TRACE(("no server-sig-algs, skipping rsa sha256")) | |
252 key = list_remove(cli_opts.privkeys->first); | |
253 sign_key_free(key); | |
254 continue; | |
204 #endif | 255 #endif |
256 } /* key->type == DROPBEAR_SIGNKEY_RSA */ | |
257 #endif /* DROPBEAR_RSA */ | |
258 sigtype = signature_type_from_signkey(key->type); | |
259 TRACE(("no server-sig-algs, using key")) | |
260 break; | |
261 } | |
262 } | |
205 | 263 |
206 if (cli_opts.privkeys->first) { | 264 if (cli_opts.privkeys->first) { |
207 sign_key * key = (sign_key*)cli_opts.privkeys->first->item; | 265 sign_key * key = (sign_key*)cli_opts.privkeys->first->item; |
208 /* Determine the signature type to use */ | |
209 enum signature_type sigtype = (enum signature_type)key->type; | |
210 #if DROPBEAR_RSA | |
211 if (key->type == DROPBEAR_SIGNKEY_RSA) { | |
212 sigtype = cli_ses.preferred_rsa_sigtype; | |
213 } | |
214 #endif | |
215 | |
216 /* Send a trial request */ | 266 /* Send a trial request */ |
217 send_msg_userauth_pubkey(key, sigtype, 0); | 267 send_msg_userauth_pubkey(key, sigtype, 0); |
218 cli_ses.lastprivkey = key; | 268 cli_ses.lastprivkey = key; |
219 TRACE(("leave cli_auth_pubkey-success")) | 269 TRACE(("leave cli_auth_pubkey-success")) |
220 return 1; | 270 return 1; |