net/openssh/patches/0001-fix-key-type-check.patch

   1 From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
   2 From: "djm@openbsd.org" <djm@openbsd.org>
   3 Date: Fri, 16 Nov 2018 02:43:56 +0000
   4 Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
   5
   6 PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
   7 specified, then authentication would always fail for RSA keys as the monitor
   8 checks only the base key (not the signature algorithm) type against
   9 *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
  10
  11 OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
  12
  13 Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
  14 Last-Update: 2019-02-28
  15
  16 Patch-Name: fix-key-type-check.patch
  17 ---
  18  monitor.c | 39 ++++++++++++++++++++++++++++++++++-----
  19  1 file changed, 34 insertions(+), 5 deletions(-)
  20
  21 diff --git a/monitor.c b/monitor.c
  22 index 08fddabd7..037d6d333 100644
  23 --- a/monitor.c
  24 +++ b/monitor.c
  25 @@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
  26         return (0);
  27  }
  28
  29 +/*
  30 + * Check that the key type appears in the supplied pattern list, ignoring
  31 + * mismatches in the signature algorithm. (Signature algorithm checks are
  32 + * performed in the unprivileged authentication code).
  33 + * Returns 1 on success, 0 otherwise.
  34 + */
  35 +static int
  36 +key_base_type_match(const char *method, const struct sshkey *key,
  37 +    const char *list)
  38 +{
  39 +       char *s, *l, *ol = xstrdup(list);
  40 +       int found = 0;
  41 +
  42 +       l = ol;
  43 +       for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
  44 +               if (sshkey_type_from_name(s) == key->type) {
  45 +                       found = 1;
  46 +                       break;
  47 +               }
  48 +       }
  49 +       if (!found) {
  50 +               error("%s key type %s is not in permitted list %s", method,
  51 +                   sshkey_ssh_name(key), list);
  52 +       }
  53 +
  54 +       free(ol);
  55 +       return found;
  56 +}
  57 +
  58  int
  59  mm_answer_authpassword(int sock, struct sshbuf *m)
  60  {
  61 @@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
  62                                 break;
  63                         if (auth2_key_already_used(authctxt, key))
  64                                 break;
  65 -                       if (match_pattern_list(sshkey_ssh_name(key),
  66 -                           options.pubkey_key_types, 0) != 1)
  67 +                       if (!key_base_type_match(auth_method, key,
  68 +                           options.pubkey_key_types))
  69                                 break;
  70                         allowed = user_key_allowed(ssh, authctxt->pw, key,
  71                             pubkey_auth_attempt, &opts);
  72 @@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
  73                                 break;
  74                         if (auth2_key_already_used(authctxt, key))
  75                                 break;
  76 -                       if (match_pattern_list(sshkey_ssh_name(key),
  77 -                           options.hostbased_key_types, 0) != 1)
  78 +                       if (!key_base_type_match(auth_method, key,
  79 +                           options.hostbased_key_types))
  80                                 break;
  81                         allowed = hostbased_key_allowed(authctxt->pw,
  82                             cuser, chost, key);