公開鍵認証(RSA鍵)の署名方式の優先度を設定できるようにした
設定名は RSAPubkeySignAlgorithmOrder として、RSA 公開鍵専用とした
@@ -264,10 +264,43 @@ | ||
264 | 264 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = buf; |
265 | 265 | } |
266 | 266 | |
267 | -ssh_keyalgo choose_SSH2_keysign_algorithm(char *server_proposal, ssh_keytype keytype) | |
267 | +static void SSH2_rsa_pubkey_sign_algo_myproposal(PTInstVar pvar, char *buf, int buf_len) | |
268 | 268 | { |
269 | + int algo; | |
270 | + int len, i; | |
271 | + char *c_str; | |
272 | + | |
273 | + // 設定された優先順位に応じて buf に並べる | |
274 | + buf[0] = '\0'; | |
275 | + for (i = 0 ; pvar->settings.RSAPubkeySignAlgorithmOrder[i] != 0 ; i++) { | |
276 | + algo = pvar->settings.RSAPubkeySignAlgorithmOrder[i] - '0'; | |
277 | + if (algo == 0) // disabled line | |
278 | + break; | |
279 | + switch (algo) { | |
280 | + case RSA_PUBKEY_SIGN_ALGO_RSA: | |
281 | + c_str = "ssh-rsa,"; | |
282 | + break; | |
283 | + case RSA_PUBKEY_SIGN_ALGO_RSASHA256: | |
284 | + c_str = "rsa-sha2-256,"; | |
285 | + break; | |
286 | + case RSA_PUBKEY_SIGN_ALGO_RSASHA512: | |
287 | + c_str = "rsa-sha2-512,"; | |
288 | + break; | |
289 | + default: | |
290 | + continue; | |
291 | + } | |
292 | + strncat_s(buf, buf_len, c_str, _TRUNCATE); | |
293 | + } | |
294 | + len = strlen(buf); | |
295 | + if (len > 0) | |
296 | + buf[len - 1] = '\0'; // get rid of comma | |
297 | +} | |
298 | + | |
299 | +ssh_keyalgo choose_SSH2_keysign_algorithm(PTInstVar pvar, ssh_keytype keytype) | |
300 | +{ | |
269 | 301 | char buff[128]; |
270 | 302 | const struct ssh2_host_key_t *ptr = ssh2_host_key; |
303 | + char *server_proposal = pvar->server_sig_algs; | |
271 | 304 | |
272 | 305 | if (keytype == KEY_RSA) { |
273 | 306 | if (server_proposal == NULL) { |
@@ -275,7 +308,9 @@ | ||
275 | 308 | return KEY_ALGO_RSA; |
276 | 309 | } |
277 | 310 | else { |
278 | - choose_SSH2_proposal(server_proposal, "rsa-sha2-512,rsa-sha2-256,ssh-rsa", buff, sizeof(buff)); | |
311 | + char rsa_myproposal[128]; | |
312 | + SSH2_rsa_pubkey_sign_algo_myproposal(pvar, rsa_myproposal, sizeof(rsa_myproposal)); | |
313 | + choose_SSH2_proposal(server_proposal, rsa_myproposal, buff, sizeof(buff)); | |
279 | 314 | if (strlen(buff) == 0) { |
280 | 315 | // not found. |
281 | 316 | logprintf(LOG_LEVEL_WARNING, "%s: no match sign algorithm.", __FUNCTION__); |
@@ -298,3 +333,15 @@ | ||
298 | 333 | // not reached |
299 | 334 | return KEY_ALGO_UNSPEC; |
300 | 335 | } |
336 | + | |
337 | +void normalize_rsa_pubkey_sign_algo_order(char *buf) | |
338 | +{ | |
339 | + static char default_strings[] = { | |
340 | + RSA_PUBKEY_SIGN_ALGO_RSASHA512, | |
341 | + RSA_PUBKEY_SIGN_ALGO_RSASHA256, | |
342 | + RSA_PUBKEY_SIGN_ALGO_RSA, | |
343 | + RSA_PUBKEY_SIGN_ALGO_NONE, | |
344 | + }; | |
345 | + | |
346 | + normalize_generic_order(buf, default_strings, NUM_ELEM(default_strings)); | |
347 | +} |
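Review bot: The new RSAPubkeySignAlgorithmOrder setting is only consulted in the `else` branch of choose_SSH2_keysign_algorithm; on the `server_proposal == NULL` path the visible `return KEY_ALGO_RSA;` still selects ssh-rsa (the SHA-1 scheme) even when the user has placed it after the disabled marker. If the setting is meant to let a user turn ssh-rsa off, that path should return `KEY_ALGO_RSA` only when `RSA_PUBKEY_SIGN_ALGO_RSA` appears in the order before the `'0'` entry, and otherwise log and return `KEY_ALGO_UNSPEC`. The three call sites in the other file pass the result straight to `get_ssh2_hostkey_algorithm_name`, so they would need a check for that value. The line between the first two hunks and the remainder of the "no match sign algorithm" branch are outside the view, so confirm there that a failed match does not also fall back to ssh-rsa when it is disabled.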
@@ -93,7 +93,15 @@ | ||
93 | 93 | SSH_DIGEST_MAX, |
94 | 94 | } digest_algorithm; |
95 | 95 | |
96 | +typedef enum { | |
97 | + RSA_PUBKEY_SIGN_ALGO_NONE, | |
98 | + RSA_PUBKEY_SIGN_ALGO_RSA, | |
99 | + RSA_PUBKEY_SIGN_ALGO_RSASHA256, | |
100 | + RSA_PUBKEY_SIGN_ALGO_RSASHA512, | |
101 | + RSA_PUBKEY_SIGN_ALGO_MAX, | |
102 | +} ssh_rsapubkeysignalgo; | |
96 | 103 | |
104 | + | |
97 | 105 | ssh_keytype get_hostkey_type_from_name(char *name); |
98 | 106 | char* get_ssh2_hostkey_type_name(ssh_keytype type); |
99 | 107 | char *get_ssh2_hostkey_type_name_from_key(Key *key); |
@@ -106,8 +114,9 @@ | ||
106 | 114 | char* get_digest_algorithm_name(digest_algorithm id); |
107 | 115 | |
108 | 116 | void normalize_host_key_order(char *buf); |
117 | +void normalize_rsa_pubkey_sign_algo_order(char *buf); | |
109 | 118 | ssh_keyalgo choose_SSH2_host_key_algorithm(char *server_proposal, char *my_proposal); |
110 | -ssh_keyalgo choose_SSH2_keysign_algorithm(char *server_proposal, ssh_keytype keytype); | |
119 | +ssh_keyalgo choose_SSH2_keysign_algorithm(PTInstVar pvar, ssh_keytype keytype); | |
111 | 120 | void SSH2_update_host_key_myproposal(PTInstVar pvar); |
112 | 121 | |
113 | 122 | #endif /* SSHCMAC_H */ |
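Review bot: The new `ssh_rsapubkeysignalgo` enum has no comment saying that its numeric values are part of the saved configuration format. SSH2_rsa_pubkey_sign_algo_myproposal decodes each character of the setting with `- '0'`, and the string is written to the TTSSH section of the ini file, so inserting or reordering members would silently change what an existing user's saved order means. I would add a comment above the typedef such as `// Values are persisted as ASCII digits in RSAPubkeySignAlgorithmOrder; do not renumber. NONE (0) separates enabled entries from disabled ones.` The same comment could note that `RSA_PUBKEY_SIGN_ALGO_MAX` sizes the settings array.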
@@ -6310,7 +6310,7 @@ | ||
6310 | 6310 | goto error; |
6311 | 6311 | } |
6312 | 6312 | |
6313 | - keyalgo = choose_SSH2_keysign_algorithm(pvar->server_sig_algs, keypair->type); | |
6313 | + keyalgo = choose_SSH2_keysign_algorithm(pvar, keypair->type); | |
6314 | 6314 | keyalgo_name = get_ssh2_hostkey_algorithm_name(keyalgo); |
6315 | 6315 | |
6316 | 6316 | // step1 |
@@ -6384,7 +6384,7 @@ | ||
6384 | 6384 | len = get_uint32_MSBfirst(puttykey+4); |
6385 | 6385 | keytype_name = puttykey + 8; |
6386 | 6386 | keytype = get_hostkey_type_from_name(keytype_name); |
6387 | - keyalgo = choose_SSH2_keysign_algorithm(pvar->server_sig_algs, keytype); | |
6387 | + keyalgo = choose_SSH2_keysign_algorithm(pvar, keytype); | |
6388 | 6388 | keyalgo_name = get_ssh2_hostkey_algorithm_name(keyalgo); |
6389 | 6389 | |
6390 | 6390 | // アルゴリズムをコピーする |
@@ -7123,7 +7123,7 @@ | ||
7123 | 7123 | len = get_uint32_MSBfirst(puttykey+4); |
7124 | 7124 | keytype_name = puttykey + 8; |
7125 | 7125 | keytype = get_hostkey_type_from_name(keytype_name); |
7126 | - keyalgo = choose_SSH2_keysign_algorithm(pvar->server_sig_algs, keytype); | |
7126 | + keyalgo = choose_SSH2_keysign_algorithm(pvar, keytype); | |
7127 | 7127 | keyalgo_name = get_ssh2_hostkey_algorithm_name(keyalgo); |
7128 | 7128 | signflag = get_ssh2_agent_flag(keyalgo); |
7129 | 7129 |
@@ -292,6 +292,9 @@ | ||
292 | 292 | // Compression algorithm order |
293 | 293 | READ_STD_STRING_OPTION(CompOrder); |
294 | 294 | normalize_comp_order(settings->CompOrder); |
295 | + // Sign algorithm order of RSA publickey authentication | |
296 | + READ_STD_STRING_OPTION(RSAPubkeySignAlgorithmOrder); | |
297 | + normalize_rsa_pubkey_sign_algo_order(settings->RSAPubkeySignAlgorithmOrder); | |
295 | 298 | |
296 | 299 | read_string_option(fileName, "KnownHostsFiles", "ssh_known_hosts", |
297 | 300 | settings->KnownHostsFiles, |
@@ -425,6 +428,9 @@ | ||
425 | 428 | WritePrivateProfileString("TTSSH", "CompOrder", |
426 | 429 | settings->CompOrder, fileName); |
427 | 430 | |
431 | + WritePrivateProfileString("TTSSH", "RSAPubkeySignAlgorithmOrder", | |
432 | + settings->RSAPubkeySignAlgorithmOrder, fileName); | |
433 | + | |
428 | 434 | WritePrivateProfileString("TTSSH", "KnownHostsFiles", |
429 | 435 | settings->KnownHostsFiles, fileName); |
430 | 436 |
@@ -208,6 +208,11 @@ | ||
208 | 208 | int GexMinimalGroupSize; |
209 | 209 | |
210 | 210 | int AuthBanner; |
211 | + | |
212 | + // Sign algorithm order | |
213 | + // for publickey authentication (not for server hostkey) | |
214 | + // for RSA key only | |
215 | + char RSAPubkeySignAlgorithmOrder[RSA_PUBKEY_SIGN_ALGO_MAX+1]; | |
211 | 216 | } TS_SSH; |
212 | 217 | |
213 | 218 | typedef struct _TInstVar { |