Issue proftpd#1437: Implement support for Ed448 host keys, and the "c…

…urve448-sha512" key exchange algorithm, in `mod_sftp`.
SlowFox71 · May 17, 2022 · 4635189 · 4635189
1 parent 16b7e53
commit 4635189
Show file tree

Hide file tree

Showing 13 changed files with 1,086 additions and 72 deletions.
diff --git a/NEWS b/NEWS
@@ -28,6 +28,7 @@
 - Issue 1439 - SFTP "check-file" implementation computes incorrect results.
 - Issue 1457 - Implement SFTPHostKeys directive for configuring the SSH host
   key algorithms.
+- Issue 1437 - Implement the "curve448-sha512" SSH key exchange algorithm.
 
 1.3.8rc3 - Released 23-Apr-2022
 --------------------------------

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
@@ -19,6 +19,8 @@ ChangeLog files.
 
     SFTPClientMatch (Issue #1444)
 
+    SFTPKeyExchanges curve448-512 (Issue #1437)
+
 
 1.3.8rc3
 ---------

diff --git a/contrib/mod_sftp/auth-hostbased.c b/contrib/mod_sftp/auth-hostbased.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp 'hostbased' user authentication
- * Copyright (c) 2008-2020 TJ Saunders
+ * Copyright (c) 2008-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -91,30 +91,30 @@ int sftp_auth_hostbased(struct ssh2_packet *pkt, cmd_rec *pass_cmd,
     "client sent '%s' host key, FQDN %s, and remote user '%s'",
     hostkey_algo, host_fqdn, host_user);
 
-  if (strncmp(hostkey_algo, "ssh-rsa", 8) == 0) {
+  if (strcmp(hostkey_algo, "ssh-rsa") == 0) {
     pubkey_type = SFTP_KEY_RSA;
 
-#ifdef HAVE_SHA256_OPENSSL
-  } else if (strncmp(hostkey_algo, "rsa-sha2-256", 13) == 0) {
+#if defined(HAVE_SHA256_OPENSSL)
+  } else if (strcmp(hostkey_algo, "rsa-sha2-256") == 0) {
     pubkey_type = SFTP_KEY_RSA_SHA256;
 #endif /* HAVE_SHA256_OPENSSL */
 
-#ifdef HAVE_SHA512_OPENSSL
-  } else if (strncmp(hostkey_algo, "rsa-sha2-512", 13) == 0) {
+#if defined(HAVE_SHA512_OPENSSL)
+  } else if (strcmp(hostkey_algo, "rsa-sha2-512") == 0) {
     pubkey_type = SFTP_KEY_RSA_SHA512;
 #endif /* HAVE_SHA512_OPENSSL */
 
-  } else if (strncmp(hostkey_algo, "ssh-dss", 8) == 0) {
+  } else if (strcmp(hostkey_algo, "ssh-dss") == 0) {
     pubkey_type = SFTP_KEY_DSA;
 
-#ifdef PR_USE_OPENSSL_ECC
-  } else if (strncmp(hostkey_algo, "ecdsa-sha2-nistp256", 20) == 0) {
+#if defined(PR_USE_OPENSSL_ECC)
+  } else if (strcmp(hostkey_algo, "ecdsa-sha2-nistp256") == 0) {
     pubkey_type = SFTP_KEY_ECDSA_256;
 
-  } else if (strncmp(hostkey_algo, "ecdsa-sha2-nistp384", 20) == 0) {
+  } else if (strcmp(hostkey_algo, "ecdsa-sha2-nistp384") == 0) {
     pubkey_type = SFTP_KEY_ECDSA_384;
 
-  } else if (strncmp(hostkey_algo, "ecdsa-sha2-nistp521", 20) == 0) {
+  } else if (strcmp(hostkey_algo, "ecdsa-sha2-nistp521") == 0) {
     pubkey_type = SFTP_KEY_ECDSA_521;
 #endif /* PR_USE_OPENSSL_ECC */
 

diff --git a/contrib/mod_sftp/configure b/contrib/mod_sftp/configure
@@ -4058,6 +4058,46 @@ $as_echo "no" >&6; }
     LIBS="$saved_libs"
 
 
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL supports X448 algorithm" >&5
+$as_echo_n "checking whether OpenSSL supports X448 algorithm... " >&6; }
+LIBS="-lcrypto $LIBS"
+
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+    #include <openssl/evp.h>
+
+int
+main ()
+{
+
+    EVP_PKEY_CTX *pctx;
+    pctx = EVP_PKEY_CTX_new_id(NID_X448, NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_X448_OPENSSL 1" >>confdefs.h
+
+    LIBS="$saved_libs"
+
+else
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+    LIBS="$saved_libs"
+
+
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext

diff --git a/contrib/mod_sftp/configure.in b/contrib/mod_sftp/configure.in
@@ -300,6 +300,28 @@ AC_TRY_LINK(
   ]
 )
 
+AC_MSG_CHECKING([whether OpenSSL supports X448 algorithm])
+LIBS="-lcrypto $LIBS"
+
+AC_TRY_LINK(
+  [
+    #include <openssl/evp.h>
+  ],
+  [
+    EVP_PKEY_CTX *pctx;
+    pctx = EVP_PKEY_CTX_new_id(NID_X448, NULL);
+  ],
+  [
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(HAVE_X448_OPENSSL, 1, [OpenSSL supports X448 algorithm])
+    LIBS="$saved_libs"
+  ],
+  [
+    AC_MSG_RESULT(no)
+    LIBS="$saved_libs"
+  ]
+)
+
 LIBS="$saved_libs"
 
 INCLUDES="$ac_build_addl_includes"

diff --git a/contrib/mod_sftp/crypto.c b/contrib/mod_sftp/crypto.c
@@ -204,6 +204,9 @@ static const char *hostkey_algos[] = {
 #if defined(PR_USE_SODIUM)
   "ssh-ed25519",
 #endif /* PR_USE_SODIUM */
+#if defined(HAVE_X448_OPENSSL)
+  "ssh-ed448",
+#endif /* HAVE_X448_OPENSSL */
 #if defined(PR_USE_OPENSSL_ECC)
   "ecdsa-sha2-nistp256",
   "ecdsa-sha2-nistp384",
@@ -231,7 +234,7 @@ static const char *key_exchanges[] = {
   "diffie-hellman-group-exchange-sha256",
 #endif
   "diffie-hellman-group-exchange-sha1",
-#ifdef PR_USE_OPENSSL_ECC
+#if defined(PR_USE_OPENSSL_ECC)
   "ecdh-sha2-nistp256",
   "ecdh-sha2-nistp384",
   "ecdh-sha2-nistp521",
@@ -240,6 +243,9 @@ static const char *key_exchanges[] = {
   "curve25519-sha256",
   "[email protected]",
 #endif /* HAVE_SODIUM_H and HAVE_SHA256_OPENSSL */
+#if defined(HAVE_X448_OPENSSL) && defined(HAVE_SHA512_OPENSSL)
+  "curve448-sha512",
+#endif /* HAVE_X448_OPENSSL and HAVE_SHA512_OPENSSL */
   "rsa1024-sha1",
   NULL
 };
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,8 @@ ChangeLog files. @@
         SFTPClientMatch (Issue #1444)
+        SFTPKeyExchanges curve448-512 (Issue #1437)
 .3.8rc3
     ---------
@@ Expand Down @@