|
 |
5fd609 |
diff --git a/src/kex.c b/src/kex.c
|
|
|
5fd609 |
index 1155b9c7..528cb182 100644
|
|
|
5fd609 |
--- a/src/kex.c
|
|
|
5fd609 |
+++ b/src/kex.c
|
|
|
5fd609 |
@@ -101,12 +101,19 @@
|
|
|
5fd609 |
|
|
|
5fd609 |
#ifdef HAVE_ECDH
|
|
|
5fd609 |
#define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
|
|
|
5fd609 |
-#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
|
|
|
5fd609 |
-#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
|
|
5fd609 |
+#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
|
|
|
5fd609 |
+ "ecdsa-sha2-nistp384," \
|
|
|
5fd609 |
+ "ecdsa-sha2-nistp256,"
|
|
|
5fd609 |
+#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
|
|
|
5fd609 |
+#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
|
|
5fd609 |
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
|
|
5fd609 |
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
|
|
5fd609 |
+#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
|
|
5fd609 |
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
|
|
5fd609 |
#else
|
|
|
5fd609 |
#define EC_HOSTKEYS ""
|
|
|
5fd609 |
+#define EC_SK_HOSTKEYS ""
|
|
|
5fd609 |
+#define EC_FIPS_PUBLIC_KEY_ALGOS ""
|
|
|
5fd609 |
#define EC_PUBLIC_KEY_ALGORITHMS ""
|
|
|
5fd609 |
#define ECDH ""
|
|
|
5fd609 |
#endif /* HAVE_ECDH */
|
|
|
5fd609 |
@@ -127,16 +134,21 @@
|
|
|
5fd609 |
|
|
|
5fd609 |
#define HOSTKEYS "ssh-ed25519," \
|
|
|
5fd609 |
EC_HOSTKEYS \
|
|
|
5fd609 |
+ "sk-ssh-ed25519@openssh.com," \
|
|
|
5fd609 |
+ EC_SK_HOSTKEYS \
|
|
|
5fd609 |
"rsa-sha2-512," \
|
|
|
5fd609 |
"rsa-sha2-256," \
|
|
|
5fd609 |
"ssh-rsa" \
|
|
|
5fd609 |
DSA_HOSTKEYS
|
|
|
5fd609 |
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
|
|
|
5fd609 |
EC_HOSTKEYS \
|
|
|
5fd609 |
+ "sk-ssh-ed25519@openssh.com," \
|
|
|
5fd609 |
+ EC_SK_HOSTKEYS \
|
|
|
5fd609 |
"rsa-sha2-512," \
|
|
|
5fd609 |
"rsa-sha2-256"
|
|
|
5fd609 |
|
|
|
5fd609 |
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
|
|
|
5fd609 |
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
|
|
|
5fd609 |
EC_PUBLIC_KEY_ALGORITHMS \
|
|
|
5fd609 |
"rsa-sha2-512-cert-v01@openssh.com," \
|
|
|
5fd609 |
"rsa-sha2-256-cert-v01@openssh.com," \
|
|
|
5fd609 |
@@ -186,7 +198,7 @@
|
|
|
5fd609 |
"rsa-sha2-512," \
|
|
|
5fd609 |
"rsa-sha2-256"
|
|
|
5fd609 |
|
|
|
5fd609 |
-#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
|
|
|
5fd609 |
+#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
|
|
5fd609 |
"rsa-sha2-512-cert-v01@openssh.com," \
|
|
|
5fd609 |
"rsa-sha2-256-cert-v01@openssh.com," \
|
|
|
5fd609 |
FIPS_ALLOWED_HOSTKEYS
|
|
|
5fd609 |
diff --git a/src/knownhosts.c b/src/knownhosts.c
|
|
|
5fd609 |
index 1f52dedc..94618fe2 100644
|
|
|
5fd609 |
--- a/src/knownhosts.c
|
|
|
5fd609 |
+++ b/src/knownhosts.c
|
|
|
5fd609 |
@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
|
|
5fd609 |
return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
|
|
|
5fd609 |
case SSH_KEYTYPE_ED25519:
|
|
|
5fd609 |
return "ssh-ed25519";
|
|
|
5fd609 |
+ case SSH_KEYTYPE_SK_ED25519:
|
|
|
5fd609 |
+ return "sk-ssh-ed25519@openssh.com";
|
|
|
5fd609 |
#ifdef HAVE_DSA
|
|
|
5fd609 |
case SSH_KEYTYPE_DSS:
|
|
|
5fd609 |
return "ssh-dss";
|
|
|
5fd609 |
@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
|
|
5fd609 |
return "ecdsa-sha2-nistp384";
|
|
|
5fd609 |
case SSH_KEYTYPE_ECDSA_P521:
|
|
|
5fd609 |
return "ecdsa-sha2-nistp521";
|
|
|
5fd609 |
+ case SSH_KEYTYPE_SK_ECDSA:
|
|
|
5fd609 |
+ return "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
|
5fd609 |
#else
|
|
|
5fd609 |
case SSH_KEYTYPE_ECDSA_P256:
|
|
|
5fd609 |
case SSH_KEYTYPE_ECDSA_P384:
|
|
|
5fd609 |
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
|
|
|
5fd609 |
index fffa8296..7fd21f05 100644
|
|
|
5fd609 |
--- a/tests/unittests/torture_knownhosts_parsing.c
|
|
|
5fd609 |
+++ b/tests/unittests/torture_knownhosts_parsing.c
|
|
|
5fd609 |
@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
|
|
|
5fd609 |
bool process_config = false;
|
|
|
5fd609 |
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
|
|
5fd609 |
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
|
|
5fd609 |
- "ecdsa-sha2-nistp256";
|
|
|
5fd609 |
+ "ecdsa-sha2-nistp256,"
|
|
|
5fd609 |
+ "sk-ssh-ed25519@openssh.com,"
|
|
|
5fd609 |
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
|
5fd609 |
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
|
|
5fd609 |
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
|
|
5fd609 |
|
|
|
5fd609 |
@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
|
|
|
5fd609 |
bool process_config = false;
|
|
|
5fd609 |
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
|
|
5fd609 |
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
|
|
5fd609 |
- "ecdsa-sha2-nistp256";
|
|
|
5fd609 |
+ "ecdsa-sha2-nistp256,"
|
|
|
5fd609 |
+ "sk-ssh-ed25519@openssh.com,"
|
|
|
5fd609 |
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
|
5fd609 |
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
|
|
5fd609 |
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
|
|
5fd609 |
|