summaryrefslogtreecommitdiff
path: root/clientloop.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2017-03-10 05:01:13 +0000
committerDamien Miller <djm@mindrot.org>2017-03-10 16:02:46 +1100
commit894221a63fa061e52e414ca58d47edc5fe645968 (patch)
tree7c09f1e1441d72bc45607085f76f959658b0c8a2 /clientloop.c
parentdd3e2298663f4cc1a06bc69582d00dcfee27d73c (diff)
upstream commit
When updating hostkeys, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok dtucker@ Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
Diffstat (limited to 'clientloop.c')
-rw-r--r--clientloop.c27
1 files changed, 22 insertions, 5 deletions
diff --git a/clientloop.c b/clientloop.c
index c6a41386d..064816234 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.290 2017/01/29 21:35:23 dtucker Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.291 2017/03/10 05:01:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2391,6 +2391,26 @@ client_global_hostkeys_private_confirm(int type, u_int32_t seq, void *_ctx)
2391} 2391}
2392 2392
2393/* 2393/*
2394 * Returns non-zero if the key is accepted by HostkeyAlgorithms.
2395 * Made slightly less trivial by the multiple RSA signature algorithm names.
2396 */
2397static int
2398key_accepted_by_hostkeyalgs(const struct sshkey *key)
2399{
2400 const char *ktype = sshkey_ssh_name(key);
2401 const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
2402 options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
2403
2404 if (key == NULL || key->type == KEY_UNSPEC)
2405 return 0;
2406 if (key->type == KEY_RSA &&
2407 (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
2408 match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
2409 return 1;
2410 return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
2411}
2412
2413/*
2394 * Handle hostkeys-00@openssh.com global request to inform the client of all 2414 * Handle hostkeys-00@openssh.com global request to inform the client of all
2395 * the server's hostkeys. The keys are checked against the user's 2415 * the server's hostkeys. The keys are checked against the user's
2396 * HostkeyAlgorithms preference before they are accepted. 2416 * HostkeyAlgorithms preference before they are accepted.
@@ -2436,10 +2456,7 @@ client_input_hostkeys(void)
2436 sshkey_type(key), fp); 2456 sshkey_type(key), fp);
2437 free(fp); 2457 free(fp);
2438 2458
2439 /* Check that the key is accepted in HostkeyAlgorithms */ 2459 if (!key_accepted_by_hostkeyalgs(key)) {
2440 if (match_pattern_list(sshkey_ssh_name(key),
2441 options.hostkeyalgorithms ? options.hostkeyalgorithms :
2442 KEX_DEFAULT_PK_ALG, 0) != 1) {
2443 debug3("%s: %s key not permitted by HostkeyAlgorithms", 2460 debug3("%s: %s key not permitted by HostkeyAlgorithms",
2444 __func__, sshkey_ssh_name(key)); 2461 __func__, sshkey_ssh_name(key));
2445 continue; 2462 continue;