config UPDATE add support for libssh params

roman · roman · commit 6eaf450fb005 · 2023-05-26T13:26:02.000+02:00
Added identities for libssh's host-key, key exchange, encryption and mac
algs.
diff --git a/modules/libnetconf2-netconf-server.yang b/modules/libnetconf2-netconf-server.yang
@@ -11,6 +11,22 @@ module libnetconf2-netconf-server {
     prefix ct;
   }
 
+  import iana-ssh-public-key-algs {
+    prefix sshpka;
+  }
+
+  import iana-ssh-key-exchange-algs {
+    prefix sshkea;
+  }
+
+  import iana-ssh-encryption-algs {
+    prefix sshea;
+  }
+
+  import iana-ssh-mac-algs {
+    prefix sshma;
+  }
+
   /*
   identity ed25519-private-key-format {
     base ct:private-key-format;
@@ -81,6 +97,141 @@ module libnetconf2-netconf-server {
         The Secure Shell (SSH) Transport Layer Protocol";
   }
 
+  identity openssh-ssh-ed25519-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "SSH-ED25519-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-ecdsa-sha2-nistp521-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-ecdsa-sha2-nistp384-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-ecdsa-sha2-nistp256-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-rsa-sha2-512-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "RSA-SHA2-512-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-rsa-sha2-256-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "RSA-SHA2-256-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-ssh-rsa-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "SSH-RSA-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity openssh-ssh-dss-cert-v01 {
+    base sshpka:public-key-alg-base;
+    description
+      "SSH-DSS-CERT-V01@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.certkeys:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
+  }
+
+  identity libssh-curve25519-sha256 {
+    base sshkea:key-exchange-alg-base;
+    description
+      "CURVE25519-SHA256@LIBSSH.ORG";
+    reference
+      "curve25519-sha256@libssh.org specification:
+        https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
+  }
+
+  identity openssh-chacha20-poly1305 {
+    base sshea:encryption-alg-base;
+    description
+      "CHACHA20-POLY1305@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL.chacha20poly1305:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
+  }
+
+  identity openssh-aes256-gcm {
+    base sshea:encryption-alg-base;
+    description
+      "AES256-GCM@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL, Section 1.6:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+  }
+
+  identity openssh-aes128-gcm {
+    base sshea:encryption-alg-base;
+    description
+      "AES128-GCM@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL, Section 1.6:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+  }
+
+  identity openssh-hmac-sha2-256-etm {
+    base sshma:mac-alg-base;
+    description
+      "HMAC-SHA2-256-ETM@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+  }
+
+  identity openssh-hmac-sha2-512-etm {
+    base sshma:mac-alg-base;
+    description
+      "HMAC-SHA2-512-ETM@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+  }
+
+  identity openssh-hmac-sha1-etm {
+    base sshma:mac-alg-base;
+    description
+      "HMAC-SHA1-ETM@OPENSSH.COM";
+    reference
+      "OpenSSH PROTOCOL:
+        https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
+  }
+
   augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
     leaf auth-attempts {
       type uint16;
diff --git a/src/server_config.c b/src/server_config.c
@@ -29,28 +29,28 @@
 /* All libssh supported host-key, key-exchange, encryption and mac algorithms as of version 0.10.90 */
 
 static const char *supported_hostkey_algs[] = {
-    "ssh-ed25519-cert-v01@openssh.com", "ecdsa-sha2-nistp521-cert-v01@openssh.com",
-    "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-    "rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-256-cert-v01@openssh.com",
-    "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
+    "openssh-ssh-ed25519-cert-v01", "openssh-ecdsa-sha2-nistp521-cert-v01",
+    "openssh-ecdsa-sha2-nistp384-cert-v01", "openssh-ecdsa-sha2-nistp256-cert-v01",
+    "openssh-rsa-sha2-512-cert-v01", "openssh-rsa-sha2-256-cert-v01",
+    "openssh-ssh-rsa-cert-v01", "openssh-ssh-dss-cert-v01",
     "ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
     "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", NULL
 };
 
 static const char *supported_kex_algs[] = {
-    "diffie-hellman-group-exchange-sha1", "curve25519-sha256", "curve25519-sha256@libssh.org",
+    "diffie-hellman-group-exchange-sha1", "curve25519-sha256", "libssh-curve25519-sha256",
     "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512",
     "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", NULL
 };
 
 static const char *supported_encryption_algs[] = {
-    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
+    "openssh-chacha20-poly1305", "openssh-aes256-gcm", "openssh-aes128-gcm",
     "aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc",
     "blowfish-cbc", "triple-des-cbc", "none", NULL
 };
 
 static const char *supported_mac_algs[] = {
-    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com",
+    "openssh-hmac-sha2-256-etm", "openssh-hmac-sha2-512-etm", "openssh-hmac-sha1-etm",
     "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", NULL
 };
 
@@ -1609,11 +1609,38 @@ nc_server_config_none(const struct lyd_node *node, NC_OPERATION op)
 }
 
 static int
-nc_server_config_transport_params(const char *alg, char **alg_store, NC_OPERATION op)
+nc_server_config_transport_params(const char *algorithm, char **alg_store, NC_OPERATION op)
 {
     int ret = 0, alg_found = 0;
-    char *substr, *haystack;
-    size_t alg_len = strlen(alg);
+    char *substr, *haystack, *alg = NULL;
+    size_t alg_len;
+
+    if (!strncmp(algorithm, "openssh-", 8)) {
+        /* if the name starts with openssh, convert it to it's original libssh accepted form */
+        asprintf(&alg, "%s@openssh.com", algorithm + 8);
+        if (!alg) {
+            ERRMEM;
+            ret = 1;
+            goto cleanup;
+        }
+    } else if (!strncmp(algorithm, "libssh-", 7)) {
+        /* if the name starts with libssh, convert it to it's original libssh accepted form */
+        asprintf(&alg, "%s@libssh.org", algorithm + 7);
+        if (!alg) {
+            ERRMEM;
+            ret = 1;
+            goto cleanup;
+        }
+    } else {
+        alg = strdup(algorithm);
+        if (!alg) {
+            ERRMEM;
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    alg_len = strlen(alg);
 
     if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
         if (!*alg_store) {
@@ -1660,6 +1687,7 @@ nc_server_config_transport_params(const char *alg, char **alg_store, NC_OPERATIO
     }
 
 cleanup:
+    free(alg);
     return ret;
 }
 
