[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECC


For what it's worth, the attached patch should at fix the missing
option (and remove some duplication in the key option code).

However, when patching samplesshd to use an ECDSA key, however, I get
"ssh_handle_key_exchange: Could not get the public key from the
private key".  I suspect this is because if you look in pki_key_dup in
pki_crypto.c it does not set a private key's ecdsa_nid, then the key
is duplicated in bind.c (in ssh_bind_accept_fd), and then later
pki_key_dup expects ecdsa_nid to be set in "demotion to a public key".
 However, correcting this, I then get a signature failure on the
client end during a (ECDH) key exchange (using an OpenSSH client).
The DSA key option for samplesshd continues to work though with this
patch, so I suspect this patch is right but some part of the libssh
code may not be right with my combination of using libcrypto with
libssh, where libcrypto is the version in Ubuntu 12.04.4.  I suppose
the patch should wait until I can figure the rest out.

I will continue to look at this.

On Fri, Feb 14, 2014 at 3:57 PM, Andreas Schneider <asn@xxxxxxxxxxxxxx> wrote:
> On Friday 14 February 2014 14:22:28 you wrote:
>> Yeah. I'm not on the same machine, right now, but it also seems like, even
>> when I try to connect with an ECDSA certificate, it coerces me into RSA.
>>
>> Andreas/Aris: What's the state of EC support?
>>
>
> I've thought that I've tested it and it worked. If not you should open a bug
> and we need to fix it :)
>
> I think the missing options are worth a bug.
>
> Patches are welcome.
>
>
>         -- andreas
>
>
From 2041181e02e74f0d4389b515937ceb08461a1ab4 Mon Sep 17 00:00:00 2001
From: Alan Dunn <amdunn@xxxxxxxxx>
Date: Fri, 14 Feb 2014 09:22:41 -0600
Subject: [PATCH] options: Allow use of host ECDSA key


Signed-off-by: Alan Dunn <amdunn@xxxxxxxxx>
---
 include/libssh/server.h |    1 +
 src/options.c           |   46 +++++++++++++++++++++++++++-------------------
 2 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/include/libssh/server.h b/include/libssh/server.h
index 9d095fe..63b7ec2 100644
--- a/include/libssh/server.h
+++ b/include/libssh/server.h
@@ -42,6 +42,7 @@ enum ssh_bind_options_e {
   SSH_BIND_OPTIONS_HOSTKEY,
   SSH_BIND_OPTIONS_DSAKEY,
   SSH_BIND_OPTIONS_RSAKEY,
+  SSH_BIND_OPTIONS_ECDSAKEY,
   SSH_BIND_OPTIONS_BANNER,
   SSH_BIND_OPTIONS_LOG_VERBOSITY,
   SSH_BIND_OPTIONS_LOG_VERBOSITY_STR
diff --git a/src/options.c b/src/options.c
index cdcbe7c..2ae9356 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1303,6 +1303,22 @@ static int ssh_bind_options_set_algo(ssh_bind sshbind, int algo,
   return 0;
 }
 
+static int ssh_bind_set_key(ssh_bind sshbind, char **key_path_loc,
+    const void *value) {
+  if (value == NULL) {
+    ssh_set_error_invalid(sshbind);
+    return -1;
+  } else {
+    SAFE_FREE(*key_path_loc);
+    *key_path_loc = strdup(value);
+    if (*key_path_loc == NULL) {
+      ssh_set_error_oom(sshbind);
+      return -1;
+    }
+  }
+  return 0;
+}
+
 /**
  * @brief This function can set all possible ssh bind options.
  *
@@ -1344,11 +1360,14 @@ static int ssh_bind_options_set_algo(ssh_bind sshbind, int algo,
  *                        (string).
  *
  *                      SSH_BIND_OPTIONS_DSAKEY:
- *                        Set the path to the dsa ssh host key (string).
+ *                        Set the path to the ssh host dsa key (string).
  *
  *                      SSH_BIND_OPTIONS_RSAKEY:
  *                        Set the path to the ssh host rsa key (string).
  *
+ *                      SSH_BIND_OPTIONS_ECDSAKEY:
+ *                        Set the path to the ssh host ecdsa key (string).
+ *
  *                      SSH_BIND_OPTIONS_BANNER:
  *                        Set the server banner sent to clients (string).
  *
@@ -1445,29 +1464,18 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
       }
       break;
     case SSH_BIND_OPTIONS_DSAKEY:
-      if (value == NULL) {
-        ssh_set_error_invalid(sshbind);
+      if (ssh_bind_set_key(sshbind, &sshbind->dsakey, value) < 0) {
         return -1;
-      } else {
-        SAFE_FREE(sshbind->dsakey);
-        sshbind->dsakey = strdup(value);
-        if (sshbind->dsakey == NULL) {
-          ssh_set_error_oom(sshbind);
-          return -1;
-        }
       }
       break;
     case SSH_BIND_OPTIONS_RSAKEY:
-      if (value == NULL) {
-        ssh_set_error_invalid(sshbind);
+      if (ssh_bind_set_key(sshbind, &sshbind->rsakey, value) < 0) {
+        return -1;
+      }
+      break;
+    case SSH_BIND_OPTIONS_ECDSAKEY:
+      if (ssh_bind_set_key(sshbind, &sshbind->ecdsakey, value) < 0) {
         return -1;
-      } else {
-        SAFE_FREE(sshbind->rsakey);
-        sshbind->rsakey = strdup(value);
-        if (sshbind->rsakey == NULL) {
-          ssh_set_error_oom(sshbind);
-          return -1;
-        }
       }
       break;
     case SSH_BIND_OPTIONS_BANNER:
-- 
1.7.9.5


Follow-Ups:
Re: ECCJon Simons <jon@xxxxxxxxxxxxx>
Re: ECCAndreas Schneider <asn@xxxxxxxxxxxxxx>
References:
ECCDustin Oprea <myselfasunder@xxxxxxxxx>
Re: ECCAlan Dunn <amdunn@xxxxxxxxx>
Re: ECCDustin Oprea <myselfasunder@xxxxxxxxx>
Re: ECCAndreas Schneider <asn@xxxxxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org