Projects
openEuler:Mainline
libssh2
_service:tar_scm:backport-Legacy-Agent-support-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-Legacy-Agent-support-for-rsa2-key-upgrading-downgrad.patch of Package libssh2
From de7a74aff24c47b2f2e9815f0a98598195d602e4 Mon Sep 17 00:00:00 2001 From: Will Cosgrove <will@panic.com> Date: Fri, 14 Jan 2022 11:55:18 -0800 Subject: [PATCH] Legacy Agent support for rsa2 key upgrading/downgrading #659 (#662) Files: libssh2.h, agent.c, userauth.c Notes: Part 2 of the fix for #659. This adds rsa key downgrading for agents that don't support sha2 upgrading. It also adds better trace output for debugging/logging around key upgrading. Credit: Will Cosgrove (signed off by Michael Buckley) Conflict:NA Reference:https://github.com/libssh2/commit/de7a74aff24c47b2f2e9815f0a98598195d602e4 --- include/libssh2.h | 1 + src/agent.c | 27 +++++++++++++++++++++++++++ src/userauth.c | 43 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 62 insertions(+), 9 deletions(-) diff --git a/include/libssh2.h b/include/libssh2.h index 20ba548..15dda6f 100644 --- a/include/libssh2.h +++ b/include/libssh2.h @@ -508,5 +508,6 @@ typedef struct _LIBSSH2_POLLFD { #define LIBSSH2_ERROR_KEYFILE_AUTH_FAILED -48 #define LIBSSH2_ERROR_RANDGEN -49 +#define LIBSSH2_ERROR_ALGO_UNSUPPORTED -51 /* this is a define to provide the old (<= 1.2.7) name */ #define LIBSSH2_ERROR_BANNER_NONE LIBSSH2_ERROR_BANNER_RECV diff --git a/src/agent.c b/src/agent.c index bce7175..4ed79ac 100644 --- a/src/agent.c +++ b/src/agent.c @@ -379,6 +379,7 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, ssize_t method_len; unsigned char *s; int rc; + unsigned char *method_name = NULL; uint32_t sign_flags = 0; /* Create a request to sign the data */ @@ -465,8 +466,28 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, rc = LIBSSH2_ERROR_AGENT_PROTOCOL; goto error; } + + /* method name */ + method_name = LIBSSH2_ALLOC(session, method_len); + if(!method_name) { + rc = LIBSSH2_ERROR_ALLOC; + goto error; + } + memcpy(method_name, s, method_len); s += method_len; + /* check to see if we match requested */ + if((size_t)method_len != session->userauth_pblc_method_len || + memcmp(method_name, session->userauth_pblc_method, method_len)) { + _libssh2_debug(session, + LIBSSH2_TRACE_KEX, + "Agent sign method %.*s", + method_len, method_name); + + rc = LIBSSH2_ERROR_ALGO_UNSUPPORTED; + goto error; + } + /* Read the signature */ len -= 4; if(len < 0) { @@ -489,12 +510,18 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, memcpy(*sig, s, *sig_len); error: + + if(method_name) + LIBSSH2_FREE(session, method_name); + LIBSSH2_FREE(session, transctx->request); transctx->request = NULL; LIBSSH2_FREE(session, transctx->response); transctx->response = NULL; + transctx->state = agent_NB_state_init; + return _libssh2_error(session, rc, "agent sign failure"); } diff --git a/src/userauth.c b/src/userauth.c index 84285bf..59b76ca 100644 --- a/src/userauth.c +++ b/src/userauth.c @@ -1283,9 +1283,6 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session, if(key_method) { memcpy(*key_method, match, match_len); *key_method_len = match_len; - - _libssh2_debug(session, LIBSSH2_TRACE_KEX, - "Signing using %.*s", match_len, match); } else { *key_method_len = 0; @@ -1321,6 +1318,10 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, }; int rc; unsigned char *s; + int auth_attempts = 0; + + retry_auth: + auth_attempts++; if(session->userauth_pblc_state == libssh2_NB_state_idle) { @@ -1364,13 +1365,26 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, session->userauth_pblc_method_len); } - /* upgrade key key signing algo needed */ - rc = _libssh2_key_sign_algorithm(session, - &session->userauth_pblc_method, - &session->userauth_pblc_method_len); + /* upgrade key signing algo if it is supported and + * it is our first auth attempt, otherwise fallback to + * the key default algo */ + if(auth_attempts == 1) { + rc = _libssh2_key_sign_algorithm(session, + &session->userauth_pblc_method, + &session->userauth_pblc_method_len); - if(rc) - return rc; + if(rc) + return rc; + } + + if(session->userauth_pblc_method_len && + session->userauth_pblc_method) { + _libssh2_debug(session, + LIBSSH2_TRACE_KEX, + "Signing using %.*s", + session->userauth_pblc_method_len, + session->userauth_pblc_method); + } /* * 45 = packet_type(1) + username_len(4) + servicename_len(4) + @@ -1528,6 +1542,17 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); } + else if(rc == LIBSSH2_ERROR_ALGO_UNSUPPORTED && auth_attempts == 1) { + /* try again with the default key algo */ + LIBSSH2_FREE(session, session->userauth_pblc_method); + session->userauth_pblc_method = NULL; + LIBSSH2_FREE(session, session->userauth_pblc_packet); + session->userauth_pblc_packet = NULL; + session->userauth_pblc_state = libssh2_NB_state_idle; + + rc = LIBSSH2_ERROR_NONE; + goto retry_auth; + } else if(rc) { LIBSSH2_FREE(session, session->userauth_pblc_method); session->userauth_pblc_method = NULL; -- 2.23.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2