diff --git a/enable_sk_keys_by_config.patch b/enable_sk_keys_by_config.patch new file mode 100644 index 0000000..afe017a --- /dev/null +++ b/enable_sk_keys_by_config.patch @@ -0,0 +1,105 @@ +diff --git a/src/kex.c b/src/kex.c +index 1155b9c7..528cb182 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -101,12 +101,19 @@ + + #ifdef HAVE_ECDH + #define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521," +-#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256," +-#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ ++#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \ ++ "ecdsa-sha2-nistp384," \ ++ "ecdsa-sha2-nistp256," ++#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com," ++#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," ++#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \ ++ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," + #else + #define EC_HOSTKEYS "" ++#define EC_SK_HOSTKEYS "" ++#define EC_FIPS_PUBLIC_KEY_ALGOS "" + #define EC_PUBLIC_KEY_ALGORITHMS "" + #define ECDH "" + #endif /* HAVE_ECDH */ +@@ -127,16 +134,21 @@ + + #define HOSTKEYS "ssh-ed25519," \ + EC_HOSTKEYS \ ++ "sk-ssh-ed25519@openssh.com," \ ++ EC_SK_HOSTKEYS \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" \ + DSA_HOSTKEYS + #define DEFAULT_HOSTKEYS "ssh-ed25519," \ + EC_HOSTKEYS \ ++ "sk-ssh-ed25519@openssh.com," \ ++ EC_SK_HOSTKEYS \ + "rsa-sha2-512," \ + "rsa-sha2-256" + + #define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \ ++ "sk-ssh-ed25519-cert-v01@openssh.com," \ + EC_PUBLIC_KEY_ALGORITHMS \ + "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \ +@@ -186,7 +198,7 @@ + "rsa-sha2-512," \ + "rsa-sha2-256" + +-#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \ ++#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \ + "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \ + FIPS_ALLOWED_HOSTKEYS +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 1f52dedc..94618fe2 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ + return "rsa-sha2-512,rsa-sha2-256,ssh-rsa"; + case SSH_KEYTYPE_ED25519: + return "ssh-ed25519"; ++ case SSH_KEYTYPE_SK_ED25519: ++ return "sk-ssh-ed25519@openssh.com"; + #ifdef HAVE_DSA + case SSH_KEYTYPE_DSS: + return "ssh-dss"; +@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ + return "ecdsa-sha2-nistp384"; + case SSH_KEYTYPE_ECDSA_P521: + return "ecdsa-sha2-nistp521"; ++ case SSH_KEYTYPE_SK_ECDSA: ++ return "sk-ecdsa-sha2-nistp256@openssh.com"; + #else + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: +diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c +index fffa8296..7fd21f05 100644 +--- a/tests/unittests/torture_knownhosts_parsing.c ++++ b/tests/unittests/torture_knownhosts_parsing.c +@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state) + bool process_config = false; + const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256," + "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384," +- "ecdsa-sha2-nistp256"; ++ "ecdsa-sha2-nistp256," ++ "sk-ssh-ed25519@openssh.com," ++ "sk-ecdsa-sha2-nistp256@openssh.com"; + const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521," + "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"; + +@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state) + bool process_config = false; + const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256," + "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384," +- "ecdsa-sha2-nistp256"; ++ "ecdsa-sha2-nistp256," ++ "sk-ssh-ed25519@openssh.com," ++ "sk-ecdsa-sha2-nistp256@openssh.com"; + const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521," + "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"; + diff --git a/libssh.spec b/libssh.spec index 0fa8237..07aff47 100644 --- a/libssh.spec +++ b/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.10.4 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -45,6 +45,7 @@ Patch3: loglevel.patch Patch4: plus_sign.patch Patch5: memory_leak.patch Patch6: options_apply.patch +Patch7: enable_sk_keys_by_config.patch %description The ssh library was designed to be used by programmers needing a working SSH @@ -137,6 +138,10 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Wed Jan 4 2023 Norbert Pocs - 0.10.4-7 +- Add sk-keys to configuration parsing allowing to turn on-off by config +- Related: rhbz#2026449 + * Thu Dec 1 2022 Norbert Pocs - 0.10.4-6 - Fix covscan error - Remove unwanted test with yet unimplemented feature