diff options
| -rw-r--r-- | include/libssh/wrapper.h | 7 | ||||
| -rw-r--r-- | src/kex.c | 8 | ||||
| -rw-r--r-- | src/wrapper.c | 85 |
3 files changed, 96 insertions, 4 deletions
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h index 44141b78..f2a98bde 100644 --- a/include/libssh/wrapper.h +++ b/include/libssh/wrapper.h @@ -45,6 +45,11 @@ enum ssh_des_e { SSH_DES }; +struct ssh_hmac_struct { + const char* name; + enum ssh_hmac_e hmac_type; +}; + typedef struct ssh_mac_ctx_struct *ssh_mac_ctx; MD5CTX md5_init(void); void md5_update(MD5CTX c, const void *data, unsigned long len); @@ -91,4 +96,6 @@ void crypto_free(struct ssh_crypto_struct *crypto); void ssh_reseed(void); +struct ssh_hmac_struct *ssh_get_hmactab(void); + #endif /* WRAPPER_H_ */ @@ -88,8 +88,8 @@ static const char *default_methods[] = { HOSTKEYS, AES BLOWFISH DES, AES BLOWFISH DES, - "hmac-sha1", - "hmac-sha1", + "hmac-sha1,hmac-sha2-256,hmac-sha2-512", + "hmac-sha1,hmac-sha2-256,hmac-sha2-512", "none", "none", "", @@ -103,8 +103,8 @@ static const char *supported_methods[] = { HOSTKEYS, AES BLOWFISH DES, AES BLOWFISH DES, - "hmac-sha1", - "hmac-sha1", + "hmac-sha1,hmac-sha2-256,hmac-sha2-512", + "hmac-sha1,hmac-sha2-256,hmac-sha2-512", ZLIB, ZLIB, "", diff --git a/src/wrapper.c b/src/wrapper.c index 3b411a4c..c8dab5a8 100644 --- a/src/wrapper.c +++ b/src/wrapper.c @@ -48,6 +48,19 @@ #include "libssh/wrapper.h" #include "libssh/pki.h" +static struct ssh_hmac_struct ssh_hmac_tab[] = { + { "hmac-sha1", SSH_HMAC_SHA1 }, + { "hmac-sha2-256", SSH_HMAC_SHA256 }, + { "hmac-sha2-384", SSH_HMAC_SHA384 }, + { "hmac-sha2-512", SSH_HMAC_SHA512 }, + { "hmac-md5", SSH_HMAC_MD5 }, + { NULL, 0} +}; + +struct ssh_hmac_struct *ssh_get_hmactab(void) { + return ssh_hmac_tab; +} + size_t hmac_digest_len(enum ssh_hmac_e type) { switch(type) { case SSH_HMAC_SHA1: @@ -184,6 +197,7 @@ static int crypt_set_algorithms2(ssh_session session){ const char *wanted; int i = 0; struct ssh_cipher_struct *ssh_ciphertab=ssh_get_ciphertab(); + struct ssh_hmac_struct *ssh_hmactab=ssh_get_hmactab(); /* we must scan the kex entries to find crypto algorithms and set their appropriate structure */ /* out */ @@ -207,6 +221,24 @@ static int crypt_set_algorithms2(ssh_session session){ } i = 0; + /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */ + /* out */ + wanted = session->next_crypto->kex_methods[SSH_MAC_C_S]; + while (ssh_hmactab[i].name && strcmp(wanted, ssh_hmactab[i].name)) { + i++; + } + + if (ssh_hmactab[i].name == NULL) { + ssh_set_error(session, SSH_FATAL, + "crypt_set_algorithms2: no hmac algorithm function found for %s", + wanted); + return SSH_ERROR; + } + SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", wanted); + + session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type; + i = 0; + /* in */ wanted = session->next_crypto->kex_methods[SSH_CRYPT_S_C]; while (ssh_ciphertab[i].name && strcmp(wanted, ssh_ciphertab[i].name)) { @@ -226,6 +258,24 @@ static int crypt_set_algorithms2(ssh_session session){ ssh_set_error_oom(session); return SSH_ERROR; } + i = 0; + + /* we must scan the kex entries to find hmac algorithms and set their appropriate structure */ + wanted = session->next_crypto->kex_methods[SSH_MAC_S_C]; + while (ssh_hmactab[i].name && strcmp(wanted, ssh_hmactab[i].name)) { + i++; + } + + if (ssh_hmactab[i].name == NULL) { + ssh_set_error(session, SSH_FATAL, + "crypt_set_algorithms2: no hmac algorithm function found for %s", + wanted); + return SSH_ERROR; + } + SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", wanted); + + session->next_crypto->in_hmac = ssh_hmactab[i].hmac_type; + i = 0; /* compression */ if (strcmp(session->next_crypto->kex_methods[SSH_COMP_C_S], "zlib") == 0) { @@ -284,6 +334,7 @@ int crypt_set_algorithms_server(ssh_session session){ char *method = NULL; int i = 0; struct ssh_cipher_struct *ssh_ciphertab=ssh_get_ciphertab(); + struct ssh_hmac_struct *ssh_hmactab=ssh_get_hmactab(); if (session == NULL) { return SSH_ERROR; @@ -326,6 +377,40 @@ int crypt_set_algorithms_server(ssh_session session){ ssh_set_error_oom(session); return SSH_ERROR; } + i=0; + + /* HMAC algorithm selection */ + method = session->next_crypto->kex_methods[SSH_MAC_S_C]; + while (ssh_hmactab[i].name && strcmp(method, ssh_hmactab[i].name)) { + i++; + } + + if (ssh_hmactab[i].name == NULL) { + ssh_set_error(session, SSH_FATAL, + "crypt_set_algorithms_server: no hmac algorithm function found for %s", + method); + return SSH_ERROR; + } + SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", method); + + session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type; + i=0; + + method = session->next_crypto->kex_methods[SSH_MAC_C_S]; + while (ssh_hmactab[i].name && strcmp(method, ssh_hmactab[i].name)) { + i++; + } + + if (ssh_hmactab[i].name == NULL) { + ssh_set_error(session, SSH_FATAL, + "crypt_set_algorithms_server: no hmac algorithm function found for %s", + method); + return SSH_ERROR; + } + SSH_LOG(SSH_LOG_PACKET, "Set HMAC input algorithm to %s", method); + + session->next_crypto->in_hmac = ssh_hmactab[i].hmac_type; + i=0; /* compression */ method = session->next_crypto->kex_methods[SSH_COMP_C_S]; |