KEX Cipher Lists

1. Add new list for the public key algorithms the server can verify from the client for user authentication. 2. Add accessors for the key allowed list.
wolfSSL · Feb 29, 2024 · ad13545 · ad13545
1 parent 2fabf06
commit ad13545
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 6 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -722,6 +722,7 @@ WOLFSSH_CTX* CtxInit(WOLFSSH_CTX* ctx, byte side, void* heap)
     }
     ctx->algoListCipher = cannedEncAlgoNames;
     ctx->algoListMac = cannedMacAlgoNames;
+    ctx->algoListKeyAccepted = cannedKeyAlgoNames;
 
     count = (word32)(sizeof(ctx->privateKey)
             / sizeof(ctx->privateKey[0]));
@@ -894,6 +895,7 @@ WOLFSSH* SshInit(WOLFSSH* ssh, WOLFSSH_CTX* ctx)
     ssh->algoListKey = ctx->algoListKey;
     ssh->algoListCipher = ctx->algoListCipher;
     ssh->algoListMac = ctx->algoListMac;
+    ssh->algoListKeyAccepted = ctx->algoListKeyAccepted;
 #ifdef WOLFSSH_SCP
     ssh->scpRequestState = SCP_PARSE_COMMAND;
     ssh->scpConfirmMsg   = NULL;
@@ -11232,7 +11234,7 @@ int SendExtInfo(WOLFSSH* ssh)
 {
     byte* output;
     word32 idx;
-    word32 cannedKeyAlgoNamesSz = 0;
+    word32 keyAlgoNamesSz = 0;
     word32 serverSigAlgsNameSz = 0;
     int ret = WS_SUCCESS;
 
@@ -11243,10 +11245,10 @@ int SendExtInfo(WOLFSSH* ssh)
     }
 
     if (ret == WS_SUCCESS) {
-        cannedKeyAlgoNamesSz = AlgoListSz(cannedKeyAlgoNames);
+        keyAlgoNamesSz = AlgoListSz(ssh->algoListKeyAccepted);
         serverSigAlgsNameSz = AlgoListSz(serverSigAlgsName);
         ret = PreparePacket(ssh, MSG_ID_SZ + UINT32_SZ + (LENGTH_SZ * 2)
-                + serverSigAlgsNameSz + cannedKeyAlgoNamesSz);
+                + serverSigAlgsNameSz + keyAlgoNamesSz);
     }
 
     if (ret == WS_SUCCESS) {
@@ -11262,10 +11264,10 @@ int SendExtInfo(WOLFSSH* ssh)
         WMEMCPY(output + idx, serverSigAlgsName, serverSigAlgsNameSz);
         idx += serverSigAlgsNameSz;
 
-        c32toa(cannedKeyAlgoNamesSz, output + idx);
+        c32toa(keyAlgoNamesSz, output + idx);
         idx += LENGTH_SZ;
-        WMEMCPY(output + idx, cannedKeyAlgoNames, cannedKeyAlgoNamesSz);
-        idx += cannedKeyAlgoNamesSz;
+        WMEMCPY(output + idx, ssh->algoListKeyAccepted, keyAlgoNamesSz);
+        idx += keyAlgoNamesSz;
 
         ssh->outputBuffer.length = idx;
 

diff --git a/src/ssh.c b/src/ssh.c
@@ -2132,6 +2132,56 @@ const char* wolfSSH_GetAlgoListMac(WOLFSSH* ssh)
 }
 
 
+int wolfSSH_CTX_SetAlgoListKeyAccepted(WOLFSSH_CTX* ctx, const char* list)
+{
+    int ret = WS_SSH_CTX_NULL_E;
+
+    if (ctx) {
+        ctx->algoListKeyAccepted = list;
+        ret = WS_SUCCESS;
+    }
+
+    return ret;
+}
+
+
+const char* wolfSSH_CTX_GetAlgoListKeyAccepted(WOLFSSH_CTX* ctx)
+{
+    const char* list = NULL;
+
+    if (ctx) {
+        list = ctx->algoListKeyAccepted;
+    }
+
+    return list;
+}
+
+
+int wolfSSH_SetAlgoListKeyAccepted(WOLFSSH* ssh, const char* list)
+{
+    int ret = WS_SSH_NULL_E;
+
+    if (ssh) {
+        ssh->algoListKeyAccepted = list;
+        ret = WS_SUCCESS;
+    }
+
+    return ret;
+}
+
+
+const char* wolfSSH_GetAlgoListKeyAccepted(WOLFSSH* ssh)
+{
+    const char* list = NULL;
+
+    if (ssh) {
+        list = ssh->algoListKeyAccepted;
+    }
+
+    return list;
+}
+
+
 int wolfSSH_CheckAlgoName(const char* name)
 {
     int ret = WS_INVALID_ALGO_ID;

diff --git a/wolfssh/internal.h b/wolfssh/internal.h
@@ -513,6 +513,7 @@ struct WOLFSSH_CTX {
     const char* algoListKey;
     const char* algoListCipher;
     const char* algoListMac;
+    const char* algoListKeyAccepted;
     word32 bannerSz;
     word32 windowSz;
     word32 maxPacketSz;
@@ -653,6 +654,7 @@ struct WOLFSSH {
     const char* algoListKey;
     const char* algoListCipher;
     const char* algoListMac;
+    const char* algoListKeyAccepted;
     byte acceptState;
     byte connectState;
     byte clientState;

diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
@@ -111,6 +111,12 @@ WOLFSSH_API const char* wolfSSH_CTX_GetAlgoListMac(WOLFSSH_CTX* ctx);
 WOLFSSH_API int wolfSSH_SetAlgoListMac(WOLFSSH* ssh, const char* list);
 WOLFSSH_API const char* wolfSSH_GetAlgoListMac(WOLFSSH* ssh);
 
+WOLFSSH_API int wolfSSH_CTX_SetAlgoListKeyAccepted(WOLFSSH_CTX* ctx,
+        const char* list);
+WOLFSSH_API const char* wolfSSH_CTX_GetAlgoListKeyAccepted(WOLFSSH_CTX* ctx);
+WOLFSSH_API int wolfSSH_SetAlgoListKeyAccepted(WOLFSSH* ssh, const char* list);
+WOLFSSH_API const char* wolfSSH_GetAlgoListKeyAccepted(WOLFSSH* ssh);
+
 WOLFSSH_API int wolfSSH_CheckAlgoName(const char* name);
 
 WOLFSSH_API const char* wolfSSH_QueryKex(word32* index);