upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
author: djm@openbsd.org <djm@openbsd.org> 2018-07-03 11:39:54 +0000
committer: Damien Miller <djm@mindrot.org> 2018-07-03 23:26:36 +1000
commit: 4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch)
tree: b8d904880f8927374b377b2e4d5661213c1138b6 /sshd.c
parent: 95344c257412b51199ead18d54eaed5bafb75617 (diff)
1 files changed, 34 insertions, 29 deletions
diff --git a/sshd.c b/sshd.c
index edbe815c5..4cfb72dd3 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.508 2018/04/13 03:57:26 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.509 2018/07/03 11:39:54 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -681,45 +681,47 @@ privsep_postauth(Authctxt *authctxt)
        packet_set_authenticated();
 }
+static void
+append_hostkey_type(struct sshbuf *b, const char *s)
+{
+        int r;
+        if (match_pattern_list(s, options.hostkeyalgorithms, 0) != 1) {
+                debug3("%s: %s key not permitted by HostkeyAlgorithms",
+                    __func__, s);
+                return;
+        }
+        if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) > 0 ? "," : "", s)) != 0)
+                fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+}
 static char *
 list_hostkey_types(void)
 {
-        Buffer b;
+        struct sshbuf *b;
-        const char *p;
+        struct sshkey *key;
        char *ret;
        u_int i;
-        struct sshkey *key;
-        buffer_init(&b);
+        if ((b = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
        for (i = 0; i < options.num_host_key_files; i++) {
                key = sensitive_data.host_keys[i];
                if (key == NULL)
                        key = sensitive_data.host_pubkeys[i];
                if (key == NULL)
                        continue;
-                /* Check that the key is accepted in HostkeyAlgorithms */
-                if (match_pattern_list(sshkey_ssh_name(key),
-                    options.hostkeyalgorithms, 0) != 1) {
-                        debug3("%s: %s key not permitted by HostkeyAlgorithms",
-                            __func__, sshkey_ssh_name(key));
-                        continue;
-                }
                switch (key->type) {
                case KEY_RSA:
+                        /* for RSA we also support SHA2 signatures */
+                        append_hostkey_type(b, "rsa-sha2-512");
+                        append_hostkey_type(b, "rsa-sha2-256");
+                        /* FALLTHROUGH */
                case KEY_DSA:
                case KEY_ECDSA:
                case KEY_ED25519:
                case KEY_XMSS:
-                        if (buffer_len(&b) > 0)
+                        append_hostkey_type(b, sshkey_ssh_name(key));
-                                buffer_append(&b, ",", 1);
-                        p = key_ssh_name(key);
-                        buffer_append(&b, p, strlen(p));
-                        /* for RSA we also support SHA2 signatures */
-                        if (key->type == KEY_RSA) {
-                                p = ",rsa-sha2-512,rsa-sha2-256";
-                                buffer_append(&b, p, strlen(p));
-                        }
                        break;
                }
                /* If the private key has a cert peer, then list that too */
@@ -728,21 +730,24 @@ list_hostkey_types(void)
                        continue;
                switch (key->type) {
                case KEY_RSA_CERT:
+                        /* for RSA we also support SHA2 signatures */
+                        append_hostkey_type(b,
+                            "rsa-sha2-512-cert-v01@openssh.com");
+                        append_hostkey_type(b,
+                            "rsa-sha2-256-cert-v01@openssh.com");
+                        /* FALLTHROUGH */
                case KEY_DSA_CERT:
                case KEY_ECDSA_CERT:
                case KEY_ED25519_CERT:
                case KEY_XMSS_CERT:
-                        if (buffer_len(&b) > 0)
+                        append_hostkey_type(b, sshkey_ssh_name(key));
-                                buffer_append(&b, ",", 1);
-                        p = key_ssh_name(key);
-                        buffer_append(&b, p, strlen(p));
                        break;
                }
        }
-        if ((ret = sshbuf_dup_string(&b)) == NULL)
+        if ((ret = sshbuf_dup_string(b)) == NULL)
                fatal("%s: sshbuf_dup_string failed", __func__);
-        buffer_free(&b);
+        sshbuf_free(b);
-        debug("list_hostkey_types: %s", ret);
+        debug("%s: %s", __func__, ret);
        return ret;
 }
author	djm@openbsd.org <djm@openbsd.org>	2018-07-03 11:39:54 +0000
committer	Damien Miller <djm@mindrot.org>	2018-07-03 23:26:36 +1000
commit	4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch)
tree	b8d904880f8927374b377b2e4d5661213c1138b6 /sshd.c
parent	95344c257412b51199ead18d54eaed5bafb75617 (diff)