Merge pull request #499 from JacobBarthelmeh/sshd

add option to use x509v3 private key in connection without x509 auth
2023-03-16 09:01:10 -07:00 · 2023-03-16 09:01:10 -07:00 · 17e83731ff
parent 6a3f9d9ad4 d5ecaf4452
commit 17e83731ff
2 changed files with 24 additions and 3 deletions
--- a/apps/wolfsshd/test/create_authorized_test_file.sh
+++ b/apps/wolfsshd/test/create_authorized_test_file.sh
@ -3,6 +3,6 @@
 USER=`whoami`

 cat ../../../keys/hansel-*.pub > authorized_keys_test
-sed -i "s/hansel/$USER/" ./authorized_keys_test
+sed -i.bak "s/hansel/$USER/" ./authorized_keys_test

 exit 0
--- a/src/internal.c
+++ b/src/internal.c
@ -138,6 +138,8 @@ Flags:
    algorithms off.
 */

+static int SetHostPrivateKey(WOLFSSH_CTX* ctx, byte keyId, int isKey,
+        byte* der, word32 derSz, int dynamicType);

 static const char sshProtoIdStr[] = "SSH-2.0-wolfSSHv"
                                    LIBWOLFSSH_VERSION_STRING
@ -627,8 +629,12 @@ static void UpdateKeyID(WOLFSSH_CTX* ctx)
    for (idx = 0; idx < ctx->privateKeyCount &&
                  idx < WOLFSSH_MAX_PVT_KEYS; idx++) {
        if (ctx->cert[idx] != NULL && ctx->certSz[idx] > 0) {
+            byte keyId;
+            byte* der;
+
            /* matching certificate was set, convert private key id */
-            switch (ctx->privateKeyId[idx]) {
+            keyId = ctx->privateKeyId[idx];
+            switch (keyId) {
            #ifndef WOLFSSH_NO_ECDSA_SHA2_NISTP521
                case ID_ECDSA_SHA2_NISTP521:
                    ctx->privateKeyId[idx] = ID_X509V3_ECDSA_SHA2_NISTP521;
@ -650,6 +656,19 @@ static void UpdateKeyID(WOLFSSH_CTX* ctx)
                    break;
            #endif
            }
+
+            /* can use the key for non X509v3 connections too */
+            der = (byte*)WMALLOC(ctx->privateKeySz[idx], ctx->heap,
+                DYNTYPE_PRIVKEY);
+            if (der != NULL) {
+                int ret;
+                WMEMCPY(der, ctx->privateKey[idx], ctx->privateKeySz[idx]);
+                ret = SetHostPrivateKey(ctx, keyId, 1, der,
+                            ctx->privateKeySz[idx], DYNTYPE_PRIVKEY);
+                if (ret != 0) {
+                    WFREE(der, ctx->heap, DYNTYPE_PRIVKEY);
+                }
+            }
        }
    }
 #endif
@ -1008,7 +1027,7 @@ static int IdentifyCert(const byte* in, word32 inSz, void* heap)
 #endif /* WOLFSSH_CERTS */


-static int SetHostPrivateKey(WOLFSSH_CTX* ctx, byte keyId, int isKey,
+int SetHostPrivateKey(WOLFSSH_CTX* ctx, byte keyId, int isKey,
        byte* der, word32 derSz, int dynamicType)
 {
    word32 destIdx = 0;
@ -7677,11 +7696,13 @@ static int BuildNameList(char* buf, word32 bufSz,
    const char* name;
    int nameSz, idx;

+    WLOG(WS_LOG_DEBUG, "Entering BuildNameList()");
    idx = 0;
    do {
        name = IdToName(*src);
        nameSz = (int)WSTRLEN(name);

+        WLOG(WS_LOG_DEBUG, "\tAdding name : %s", name);
        if (nameSz + 1 + idx > (int)bufSz) {
            idx = WS_BUFFER_E;
            break;