upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
author: djm@openbsd.org <djm@openbsd.org> 2018-09-20 03:28:06 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-20 14:00:29 +1000
commit: 86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree: 1add30c99e83b544792233280451f70f03053586 /auth2-pubkey.c
parent: f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f9e4e2e7f..2fb5950ea 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh)
                    __func__, sshkey_ssh_name(key));
                goto done;
        }
+        if ((r = sshkey_check_cert_sigtype(key,
+            options.ca_sign_algorithms)) != 0) {
+                logit("%s: certificate signature algorithm %s: %s", __func__,
+                    (key->cert == NULL || key->cert->signature_type == NULL) ?
+                    "(null)" : key->cert->signature_type, ssh_err(r));
+                goto done;
+        }
        key_s = format_key(key);
        if (sshkey_is_cert(key))
                ca_s = format_key(key->cert->signature_key);
author	djm@openbsd.org <djm@openbsd.org>	2018-09-20 03:28:06 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-20 14:00:29 +1000
commit	86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree	1add30c99e83b544792233280451f70f03053586 /auth2-pubkey.c
parent	f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f9e4e2e7f..2fb5950ea 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh)
137	__func__, sshkey_ssh_name(key));	137	__func__, sshkey_ssh_name(key));
138	goto done;	138	goto done;
139	}	139	}
140		140	if ((r = sshkey_check_cert_sigtype(key,
		141	options.ca_sign_algorithms)) != 0) {
		142	logit("%s: certificate signature algorithm %s: %s", __func__,
		143	(key->cert == NULL \|\| key->cert->signature_type == NULL) ?
		144	"(null)" : key->cert->signature_type, ssh_err(r));
		145	goto done;
		146	}
141	key_s = format_key(key);	147	key_s = format_key(key);
142	if (sshkey_is_cert(key))	148	if (sshkey_is_cert(key))
143	ca_s = format_key(key->cert->signature_key);	149	ca_s = format_key(key->cert->signature_key);