4.1 Algorithms registration
When initializing a library context, the application has to register some algorithm descriptors on the struct assh_context_s object.
Algorithm descriptors include speed factor and safety factor values that give a rough estimate of the performances and cryptographic safety of each algorithm. These values have multiple purposes:
They can be used to filter algorithms on registration.
They are used along with the application provided weight values to compute a score for the retained algorithms. This allows the application to favor speed or safety. The score is then used to sort lists of algorithms advertised during the key-exchange.
They are used to compute an overall score of the safety of the session. This score depends on keys and algorithms negotiated with the remote host during the last key-exchange process. It is provided for use by the application.
The library offers multiple ways to shape the set of algorithms involved in a libassh session:
The first selection is performed when registering the algorithms on the context object. Depending on the library function used for that purpose, a specific list of algorithms is provided by the application, or the library is instructed to filter among the supported algorithms based on the safety requirement provided by the application.
When multiple variants of the same algorithm are available, the one with the highest score that fulfills the requirement is retained. The application is free to use a low safety factor in order to favor acceptance of weak keys and weak parameters in order to maximize compatibility. It may also use a high safety requirement, which will prevent connecting with older unsafe implementations and reject weak user keys and host keys.
An additional filter callback function can be attached to sessions in order to further filter among registered algorithms during the key-exchange process. Because some algorithms are available under different names, this callback allows filtering based on the specification status and popularity of a name. It can also be used to enable some of the algorithms in a single direction.
The signature algorithms used during the user authentication process have to be registered as well. If you want to allow use of a specific signature algorithm for user authentication while excluding it from the key-exchange, you may rely on the filter callback function mentioned above. On server contexts, you can also avoid loading a host key that can be used by that algorithm.
The test/algo_list application can be used to display a list of algorithms supported by your specific build of libassh. It is also possible to give safety parameters in order to view what would be the actual table of registered algorithms.
Algorithms registration related functions are declared in the assh/assh_algo.h and assh/assh_session.h headers.
See also assh_algo_register, assh_algo_register_default, assh_algo_register_names_va, assh_algo_register_static and assh_algo_register_va.