Diffstat (limited to 'extcap')
-rw-r--r-- | extcap/ciscodump.c | 9 | ||||
-rw-r--r-- | extcap/ssh-base.c | 64 | ||||
-rw-r--r-- | extcap/ssh-base.h | 4 | ||||
-rw-r--r-- | extcap/sshdump.c | 9 | ||||
-rw-r--r-- | extcap/wifidump.c | 10 |
5 files changed, 95 insertions, 1 deletions
diff --git a/extcap/ciscodump.c b/extcap/ciscodump.c
index 54751ed0..f9a61099 100644
--- a/extcap/ciscodump.c
+++ b/extcap/ciscodump.c
@@ -103,6 +103,7 @@ enum {
 OPT_SSHKEY,
 OPT_SSHKEY_PASSPHRASE,
 OPT_PROXYCOMMAND,
+ OPT_SSH_SHA1,
 OPT_REMOTE_COUNT
 };
 
@@ -2259,6 +2260,9 @@ static int list_config(char *interface, unsigned int remote_port)
 printf("arg {number=%u}{call--sshkey-passphrase}{display=SSH key passphrase}"
 "{type=password}{tooltip=Passphrase to unlock the SSH private key}"
 "{group=Authentication\n", inc++);
+ printf("arg {number=%u}{call=--ssh-sha1}{display=Support SHA-1 keys (deprecated)}"
+ "{type=boolflag}{tooltip=Support keys and key exchange algorithms using SHA-1 (deprecated)}{group=Authentication}"
+ "\n", inc++);
 printf("arg {number=%u}{call=--remote-interface}{display=Remote interface}"
 "{type=string}{required=true}{tooltip=The remote network interface used for capture"
 "}{group=Capture}\n", inc++);
@@ -2343,6 +2347,7 @@ int main(int argc, char *argv[])
 extcap_help_add_option(extcap_conf, "--sshkey <public key path>", "the path of the ssh key");
 extcap_help_add_option(extcap_conf, "--sshkey-passphrase <public key passphrase>", "the passphrase to unlock public ssh");
 extcap_help_add_option(extcap_conf, "--proxycommand <proxy command>", "the command to use as proxy for the ssh connection");
+ extcap_help_add_option(extcap_conf, "--ssh-sha1", "support keys and key exchange using SHA-1 (deprecated)");
 extcap_help_add_option(extcap_conf, "--remote-interface <iface>", "the remote capture interface");
 extcap_help_add_option(extcap_conf, "--remote-filter <filter>", "a filter for remote capture "
 "(default: don't capture data for all interfaces IPs)");
@@ -2407,6 +2412,10 @@ int main(int argc, char *argv[])
 ssh_params->proxycommand = g_strdup(ws_optarg);
 break;
 
+ case OPT_SSH_SHA1:
+ ssh_params->ssh_sha1 = true;
+ break;
+
 case OPT_REMOTE_INTERFACE:
 g_free(remote_interface);
 remote_interface = g_strdup(ws_optarg);
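Review bot: The new `--ssh-sha1` tooltip and help text in list_config and main say the flag affects "keys and key exchange", but create_ssh_connection in ssh-base.c also relaxes both MAC lists and adds `diffie-hellman-group1-sha1`, a 1024-bit group, so the UI understates what the user is opting into; the same text is repeated in the sshdump.c and wifidump.c hunks. Suggested tooltip: `{tooltip=Offer deprecated SHA-1 host keys, public keys, key exchange (including 1024-bit group1 DH) and MACs; only for servers that support nothing newer}`, with the help string adjusted to match. Unrelated to this change but in the context lines directly above the insertion, `{call--sshkey-passphrase}` and `{group=Authentication\n` are missing `=` and `}`, which looks like it would break that argument's extcap config line; worth a follow-up. list_config and main both continue outside these hunks.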
diff --git a/extcap/ssh-base.c b/extcap/ssh-base.c
index 124b825d..be9717c5 100644
--- a/extcap/ssh-base.c
+++ b/extcap/ssh-base.c
@@ -21,6 +21,45 @@
 #include <ws_attributes.h>
 #include <wsutil/wslog.h>
 
+/*
+ * The unreleased 0.11.0 version of libssh has the ability to
+ * add algorithms to the default supported list by prepending
+ * "+" to the configuration list. For older versions, we have
+ * to specify all the algorithms we want, but as long as at
+ * least one succeeds the command won't fail. (That means that
+ * it's possible that we won't actually add support for SHA-1,
+ * say if it's running on a system in FIPS mode. We could parse
+ * the returned list to check.)
+ */
+#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,11,0)
+#define HOSTKEYS_SHA1 "+ssh-rsa"
+#define KEY_EXCHANGE_SHA1 "+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1"
+#define HMAC_SHA1 "+hmac-sha1-etm@openssh.com,hmac-sha1"
+#else
+#define HOSTKEYS_SHA1 \
+ "ssh-ed25519," \
+ "ecdsa-sha2-nistp521," \
+ "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp256," \
+ "sk-ssh-ed25519@openssh.com," \
+ "sk-ecdsa-sha2-nistp256@openssh.com," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+#define KEY_EXCHANGE_SHA1 \
+ "curve25519-sha256,curve25519-sha256@libssh.org," \
+ "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521," \
+ "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512," \
+ "diffie-hellman-group-exchange-sha256," \
+ "diffie-hellman-group14-sha256," \
+ "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
+#define HMAC_SHA1 \
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com," \
+ "hmac-sha2-256,hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com,hmac-sha1"
+#endif
+
 static void extcap_log(int priority _U_, const char *function, const char *buffer, void *userdata _U_)
 {
 ws_debug("[%s] %s", function, buffer);
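Review bot: The pre-0.11 `#else` lists for HOSTKEYS_SHA1, KEY_EXCHANGE_SHA1 and HMAC_SHA1 replace libssh's defaults outright, and nothing records that their order is what keeps SHA-1 a last resort, since the negotiated algorithm is the first entry in the client's list that the server also supports. Suggest stating that next to the `#else`: `/* Order matters: the first client-listed algorithm the server supports wins, so the SHA-1 entries must stay last; this snapshot also does not track algorithms later libssh releases enable by default. */`. HOSTKEYS_SHA1 is additionally passed as the public-key accepted types in the following hunk, so a one-line comment noting the double use would stop a reader from assuming it is host-key only.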
@@ -68,6 +107,31 @@ ssh_session create_ssh_connection(const ssh_params_t* ssh_params, char** err_inf
 ssh_set_log_callback(extcap_log);
 }
 
+ if (ssh_params->ssh_sha1) {
+ if (ssh_options_set(sshs, SSH_OPTIONS_HOSTKEYS, HOSTKEYS_SHA1)) {
+ *err_info = ws_strdup_printf("Can't set host keys to allow SHA-1.");
+ goto failure;
+ }
+#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,8,3)
+ if (ssh_options_set(sshs, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, HOSTKEYS_SHA1)) {
+ *err_info = ws_strdup_printf("Can't set public key algorithms to allow SSH-RSA (SHA-1).");
+ goto failure;
+ }
+#endif
+ if (ssh_options_set(sshs, SSH_OPTIONS_KEY_EXCHANGE, KEY_EXCHANGE_SHA1)) {
+ *err_info = ws_strdup_printf("Can't set key exchange methods to allow SHA-1.");
+ goto failure;
+ }
+ if (ssh_options_set(sshs, SSH_OPTIONS_HMAC_C_S, HMAC_SHA1)) {
+ *err_info = ws_strdup_printf("Can't set MAC client to server algorithms to allow SHA-1.");
+ goto failure;
+ }
+ if (ssh_options_set(sshs, SSH_OPTIONS_HMAC_S_C, HMAC_SHA1)) {
+ *err_info = ws_strdup_printf("Can't set MAC server to client algorithms to allow SHA-1.");
+ goto failure;
+ }
+ }
+
 if (ssh_params->port != 0) {
 port = ssh_params->port;
 if (ssh_options_set(sshs, SSH_OPTIONS_PORT, &port)) {
diff --git a/extcap/ssh-base.h b/extcap/ssh-base.h
index 8283bffc..9ac59230 100644
--- a/extcap/ssh-base.h
+++ b/extcap/ssh-base.h
@@ -38,7 +38,8 @@
 { "remote-count", ws_required_argument, NULL, OPT_REMOTE_COUNT}, \
 { "sshkey", ws_required_argument, NULL, OPT_SSHKEY}, \
 { "sshkey-passphrase", ws_required_argument, NULL, OPT_SSHKEY_PASSPHRASE}, \
- { "proxycommand", ws_required_argument, NULL, OPT_PROXYCOMMAND}
+ { "proxycommand", ws_required_argument, NULL, OPT_PROXYCOMMAND}, \
+ { "ssh-sha1", ws_no_argument, NULL, OPT_SSH_SHA1}
 
 typedef struct _ssh_params {
 char* host;
@@ -48,6 +49,7 @@ typedef struct _ssh_params {
 char* sshkey_path;
 char* sshkey_passphrase;
 char* proxycommand;
+ bool ssh_sha1;
 bool debug;
 } ssh_params_t;
 
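Review bot: On libssh older than 0.11, `ssh_options_set` in the new `ssh_sha1` block succeeds as long as one algorithm in each list is accepted, so `--ssh-sha1` can silently become a no-op (the comment in the previous hunk mentions the FIPS case) and the user then sees an unrelated-looking negotiation failure later. Logging the request makes that diagnosable and keeps the deprecated choice visible in the extcap log, e.g. `ws_warning("--ssh-sha1: offering deprecated SHA-1 host key, key exchange and MAC algorithms");` at the top of the block. Every error path uses `goto failure`, so I assume the label and the release of `sshs` live in the part of create_ssh_connection that starts and ends outside this hunk.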
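Review bot: The options macro now references `OPT_SSH_SHA1` and `ws_no_argument`, so every file that expands it must define `OPT_SSH_SHA1` in its option enum; the three extcaps in this commit do, but the header does not state the dependency. Suggest a comment on the new entry, and on the struct field: `bool ssh_sha1; /* --ssh-sha1: also offer SHA-1 host keys, public keys, KEX and MACs (deprecated) */`. If `ssh_params_t` is not zero-initialised by its allocator, which is outside this hunk, the new field also needs an explicit `false` where the struct is created.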
diff --git a/extcap/sshdump.c b/extcap/sshdump.c
index 12864731..e4cfc793 100644
--- a/extcap/sshdump.c
+++ b/extcap/sshdump.c
@@ -57,6 +57,7 @@ enum {
 OPT_SSHKEY,
 OPT_SSHKEY_PASSPHRASE,
 OPT_PROXYCOMMAND,
+ OPT_SSH_SHA1,
 OPT_REMOTE_COUNT,
 OPT_REMOTE_SUDO, // Deprecated
 OPT_REMOTE_PRIV,
@@ -346,6 +347,9 @@ static int list_config(char *interface, unsigned int remote_port)
 printf("arg {number=%u}{call=--proxycommand}{display=ProxyCommand}"
 "{type=string}{tooltip=The command to use as proxy for the SSH connection}"
 "{group=Authentication}\n", inc++);
+ printf("arg {number=%u}{call=--ssh-sha1}{display=Support SHA-1 keys (deprecated)}"
+ "{type=boolflag}{tooltip=Support keys and key exchange algorithms using SHA-1 (deprecated)}{group=Authentication}"
+ "\n", inc++);
 printf("arg {number=%u}{call=--remote-interface}{display=Remote interface}"
 "{type=string}{tooltip=The remote network interface used for capture"
 "}{group=Capture}\n", inc++);
@@ -475,6 +479,7 @@ int main(int argc, char *argv[])
 extcap_help_add_option(extcap_conf, "--sshkey <private key path>", "the path of the SSH key (OpenSSH format)");
 extcap_help_add_option(extcap_conf, "--sshkey-passphrase <private key passphrase>", "the passphrase to unlock private SSH key");
 extcap_help_add_option(extcap_conf, "--proxycommand <proxy command>", "the command to use as proxy for the SSH connection");
+ extcap_help_add_option(extcap_conf, "--ssh-sha1", "support keys and key exchange using SHA-1 (deprecated)");
 extcap_help_add_option(extcap_conf, "--remote-interface <iface>", "the remote capture interface");
 extcap_help_add_option(extcap_conf, "--remote-capture-command-select <selection>", "dumpcap, tcpdump or other remote capture command");
 extcap_help_add_option(extcap_conf, "--remote-capture-command <capture command>", "the remote capture command");
@@ -546,6 +551,10 @@ int main(int argc, char *argv[])
 ssh_params->proxycommand = g_strdup(ws_optarg);
 break;
 
+ case OPT_SSH_SHA1:
+ ssh_params->ssh_sha1 = true;
+ break;
+
 case OPT_REMOTE_INTERFACE:
 g_free(remote_interface);
 remote_interface = g_strdup(ws_optarg);
diff --git a/extcap/wifidump.c b/extcap/wifidump.c
index 489118eb..ba3a6364 100644
--- a/extcap/wifidump.c
+++ b/extcap/wifidump.c
@@ -59,6 +59,7 @@ enum {
 OPT_SSHKEY,
 OPT_SSHKEY_PASSPHRASE,
 OPT_PROXYCOMMAND,
+ OPT_SSH_SHA1,
 OPT_REMOTE_COUNT
 };
 
@@ -456,6 +457,10 @@ static int list_config(char *interface)
 printf("arg {number=%u}{call=--sshkey-passphrase}{display=SSH key passphrase}"
 "{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}\n", inc++);
+ printf("arg {number=%u}{call=--ssh-sha1}{display=Support SHA-1 keys (deprecated)}"
+ "{type=boolflag}{tooltip=Support keys and key exchange algorithms using SHA-1 (deprecated)}{group=Authentication}"
+ "\n", inc++);
+
 
 // Capture tab
 printf("arg {number=%u}{call=--remote-interface}{display=Remote interface}"
@@ -579,6 +584,7 @@ int main(int argc, char *argv[])
 extcap_help_add_option(extcap_conf, "--remote-password <password>", "the remote SSH password. If not specified, ssh-agent and ssh-key are used");
 extcap_help_add_option(extcap_conf, "--sshkey <public key path>", "the path of the ssh key");
 extcap_help_add_option(extcap_conf, "--sshkey-passphrase <public key passphrase>", "the passphrase to unlock public ssh");
+ extcap_help_add_option(extcap_conf, "--ssh-sha1", "support keys and key exchange using SHA-1 (deprecated)");
 extcap_help_add_option(extcap_conf, "--remote-interface <iface>", "the remote capture interface");
 extcap_help_add_option(extcap_conf, "--remote-channel-frequency <channel_frequency>", "the remote channel frequency in MHz");
 extcap_help_add_option(extcap_conf, "--remote-channel-width <channel_width>", "the remote channel width in MHz");
@@ -641,6 +647,10 @@ int main(int argc, char *argv[])
 memset(ws_optarg, 'X', strlen(ws_optarg));
 break;
 
+ case OPT_SSH_SHA1:
+ ssh_params->ssh_sha1 = true;
+ break;
+
 case OPT_REMOTE_INTERFACE:
 g_free(remote_interface);
 remote_interface = g_strdup(ws_optarg);
|