From 894221a63fa061e52e414ca58d47edc5fe645968 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 10 Mar 2017 05:01:13 +0000 Subject: upstream commit When updating hostkeys, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok dtucker@ Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2 --- clientloop.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'clientloop.c') diff --git a/clientloop.c b/clientloop.c index c6a41386..06481623 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.290 2017/01/29 21:35:23 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.291 2017/03/10 05:01:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2390,6 +2390,26 @@ client_global_hostkeys_private_confirm(int type, u_int32_t seq, void *_ctx) hostkeys_update_ctx_free(ctx); } +/* + * Returns non-zero if the key is accepted by HostkeyAlgorithms. + * Made slightly less trivial by the multiple RSA signature algorithm names. + */ +static int +key_accepted_by_hostkeyalgs(const struct sshkey *key) +{ + const char *ktype = sshkey_ssh_name(key); + const char *hostkeyalgs = options.hostkeyalgorithms != NULL ? + options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG; + + if (key == NULL || key->type == KEY_UNSPEC) + return 0; + if (key->type == KEY_RSA && + (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 || + match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1)) + return 1; + return match_pattern_list(ktype, hostkeyalgs, 0) == 1; +} + /* * Handle hostkeys-00@openssh.com global request to inform the client of all * the server's hostkeys. The keys are checked against the user's @@ -2436,10 +2456,7 @@ client_input_hostkeys(void) sshkey_type(key), fp); free(fp); - /* Check that the key is accepted in HostkeyAlgorithms */ - if (match_pattern_list(sshkey_ssh_name(key), - options.hostkeyalgorithms ? options.hostkeyalgorithms : - KEX_DEFAULT_PK_ALG, 0) != 1) { + if (!key_accepted_by_hostkeyalgs(key)) { debug3("%s: %s key not permitted by HostkeyAlgorithms", __func__, sshkey_ssh_name(key)); continue; -- cgit v1.2.3