config UPDATE add support for libssh params
Added identities for libssh's host-key, key exchange, encryption and mac
algs.
roman committed May 26, 2023
1 parent 21420ea commit 6eaf450
Showing 2 changed files with 189 additions and 10 deletions.
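--- a/modules/libnetconf2-netconf-server.yang
+++ b/modules/libnetconf2-netconf-server.yang
@@ -11,6 +11,22 @@ module libnetconf2-netconf-server {
 prefix ct;
 }
 
+import iana-ssh-public-key-algs {
+prefix sshpka;
+}
+
+import iana-ssh-key-exchange-algs {
+prefix sshkea;
+}
+
+import iana-ssh-encryption-algs {
+prefix sshea;
+}
+
+import iana-ssh-mac-algs {
+prefix sshma;
+}
+
 /*
 identity ed25519-private-key-format {
 base ct:private-key-format;
@@ -81,6 +97,141 @@ module libnetconf2-netconf-server {
 The Secure Shell (SSH) Transport Layer Protocol";
 }
 
+identity openssh-ssh-ed25519-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-ecdsa-sha2-nistp521-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-ecdsa-sha2-nistp384-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-ecdsa-sha2-nistp256-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-rsa-sha2-512-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-rsa-sha2-256-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-ssh-rsa-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity openssh-ssh-dss-cert-v01 {
+base sshpka:public-key-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.certkeys:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+}
+
+identity libssh-curve25519-sha256 {
+base sshkea:key-exchange-alg-base;
+description
+"[email protected]";
+reference
+"[email protected] specification:
+https://git.libssh.org/projects/libssh.git/tree/doc/[email protected]";
+}
+
+identity openssh-chacha20-poly1305 {
+base sshea:encryption-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL.chacha20poly1305:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
+}
+
+identity openssh-aes256-gcm {
+base sshea:encryption-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL, Section 1.6:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+}
+
+identity openssh-aes128-gcm {
+base sshea:encryption-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL, Section 1.6:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+}
+
+identity openssh-hmac-sha2-256-etm {
+base sshma:mac-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+}
+
+identity openssh-hmac-sha2-512-etm {
+base sshma:mac-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+}
+
+identity openssh-hmac-sha1-etm {
+base sshma:mac-alg-base;
+description
+"[email protected]";
+reference
+"OpenSSH PROTOCOL:
+https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+}
+
 augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
 leaf auth-attempts {
 type uint16;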
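Review bot: The new `openssh-ssh-dss-cert-v01` and `openssh-ssh-rsa-cert-v01` identities expose host-key algorithms that are signed with SHA-1 (DSA in the first case, 1024-bit by construction), which OpenSSH disables by default (ssh-dss since 7.0, ssh-rsa signatures since 8.8), yet nothing in the module tells an operator that selecting them weakens the server. I would add `status deprecated;` to both identities and extend their descriptions with a one-line caveat such as `"SHA-1-signed certificate algorithm; disabled by default in modern OpenSSH and provided only for interoperability with legacy clients."`. The same applies, more mildly, to `openssh-hmac-sha1-etm`. The descriptions otherwise contain only the wire name; the `@openssh.com`/`@libssh.org` strings are shown obfuscated in this rendering, so please confirm the committed text carries the real suffix.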
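--- a/src/server_config.c
+++ b/src/server_config.c
@@ -29,28 +29,28 @@
 /* All libssh supported host-key, key-exchange, encryption and mac algorithms as of version 0.10.90 */
 
 static const char *supported_hostkey_algs[] = {
-"ssh-ed25519-cert-v01@openssh.com", "ecdsa-sha2-nistp521-cert-v01@openssh.com",
-"ecdsa-sha2-nistp384-cert-v01@openssh.com", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-"rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-256-cert-v01@openssh.com",
-"ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
+"openssh-ssh-ed25519-cert-v01", "openssh-ecdsa-sha2-nistp521-cert-v01",
+"openssh-ecdsa-sha2-nistp384-cert-v01", "openssh-ecdsa-sha2-nistp256-cert-v01",
+"openssh-rsa-sha2-512-cert-v01", "openssh-rsa-sha2-256-cert-v01",
+"openssh-ssh-rsa-cert-v01", "openssh-ssh-dss-cert-v01",
 "ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
 "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", NULL
 };
 
 static const char *supported_kex_algs[] = {
-"diffie-hellman-group-exchange-sha1", "curve25519-sha256", "curve25519-sha256@libssh.org",
+"diffie-hellman-group-exchange-sha1", "curve25519-sha256", "libssh-curve25519-sha256",
 "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512",
 "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", NULL
 };
 
 static const char *supported_encryption_algs[] = {
-"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
+"openssh-chacha20-poly1305", "openssh-aes256-gcm", "openssh-aes128-gcm",
 "aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc",
 "blowfish-cbc", "triple-des-cbc", "none", NULL
 };
 
 static const char *supported_mac_algs[] = {
-"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com",
+"openssh-hmac-sha2-256-etm", "openssh-hmac-sha2-512-etm", "openssh-hmac-sha1-etm",
 "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", NULL
 };
 
@@ -1609,11 +1609,38 @@ nc_server_config_none(const struct lyd_node *node, NC_OPERATION op)
 }
 
 static int
-nc_server_config_transport_params(const char *alg, char **alg_store, NC_OPERATION op)
+nc_server_config_transport_params(const char *algorithm, char **alg_store, NC_OPERATION op)
 {
 int ret = 0, alg_found = 0;
-char *substr, *haystack;
-size_t alg_len = strlen(alg);
+char *substr, *haystack, *alg = NULL;
+size_t alg_len;
+
+if (!strncmp(algorithm, "openssh-", 8)) {
+/* if the name starts with openssh, convert it to it's original libssh accepted form */
+asprintf(&alg, "%[email protected]", algorithm + 8);
+if (!alg) {
+ERRMEM;
+ret = 1;
+goto cleanup;
+}
+} else if (!strncmp(algorithm, "libssh-", 7)) {
+/* if the name starts with libssh, convert it to it's original libssh accepted form */
+asprintf(&alg, "%[email protected]", algorithm + 7);
+if (!alg) {
+ERRMEM;
+ret = 1;
+goto cleanup;
+}
+} else {
+alg = strdup(algorithm);
+if (!alg) {
+ERRMEM;
+ret = 1;
+goto cleanup;
+}
+}
+
+alg_len = strlen(alg);
 
 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
 if (!*alg_store) {
@@ -1660,6 +1687,7 @@ nc_server_config_transport_params(const char *alg, char **alg_store, NC_OPERATIO
 }
 
 cleanup:
+free(alg);
 return ret;
 }
 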
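Review bot: The two `asprintf` calls in `nc_server_config_transport_params` discard the return value and detect failure with `if (!alg)`, but glibc documents that on failure the contents of the output pointer are undefined, so `alg` is not guaranteed to still be NULL and the `free(alg)` added under `cleanup:` may then free garbage. Check the return value for `-1` instead, reset `alg` to NULL on that path, and the three duplicated error blocks collapse into one. The format strings are shown obfuscated in this rendering; I assume they are `"%s@openssh.com"` and `"%s@libssh.org"`, matching the table entries the first hunk removes. The body of the function between `alg_len = strlen(alg);` and `cleanup:` lies outside these hunks and is untouched by the change below.
```c
static int
nc_server_config_transport_params(const char *algorithm, char **alg_store, NC_OPERATION op)
{
    int ret = 0, alg_found = 0, r;
    char *substr, *haystack, *alg = NULL;
    size_t alg_len;

    /* map the YANG identity name back to the wire name libssh accepts:
     * "openssh-<x>" -> "<x>@openssh.com", "libssh-<x>" -> "<x>@libssh.org" */
    if (!strncmp(algorithm, "openssh-", 8)) {
        r = asprintf(&alg, "%s@openssh.com", algorithm + 8);
    } else if (!strncmp(algorithm, "libssh-", 7)) {
        r = asprintf(&alg, "%s@libssh.org", algorithm + 7);
    } else {
        alg = strdup(algorithm);
        r = alg ? 0 : -1;
    }
    if (r == -1) {
        /* asprintf leaves *strp undefined on failure; never pass it to free() */
        alg = NULL;
        ERRMEM;
        ret = 1;
        goto cleanup;
    }

    alg_len = strlen(alg);
    /* … unchanged: create/replace/delete handling of *alg_store … */
```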
