summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2023-06-21 05:10:27 +0000
committerDamien Miller <djm@cvs.openbsd.org>2023-06-21 05:10:27 +0000
commit498d45d43bf88cb6982141561a13bfa4553a69d3 (patch)
tree97310f45559a085017e977070b77300bc68934a5 /usr.bin/ssh
parent9034712bf030f650fa6ddce7d901662e326dbc8a (diff)
better validate CASignatureAlgorithms in ssh_config and sshd_config.
Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. part of bz3577; ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/readconf.c10
-rw-r--r--usr.bin/ssh/servconf.c10
-rw-r--r--usr.bin/ssh/sshkey.c7
-rw-r--r--usr.bin/ssh/sshkey.h4
4 files changed, 22 insertions, 9 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 7c1b1b1f434..de70683e558 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.376 2023/03/31 04:23:02 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.377 2023/06/21 05:10:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -931,7 +931,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
char **cpptr, ***cppptr, fwdarg[256];
u_int i, *uintptr, uvalue, max_entries = 0;
int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0;
- int remotefwd, dynamicfwd;
+ int remotefwd, dynamicfwd, ca_only = 0;
LogLevel *log_level_ptr;
SyslogFacility *log_facility_ptr;
long long val64;
@@ -1427,6 +1427,7 @@ parse_int:
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+ ca_only = 0;
parse_pubkey_algos:
arg = argv_next(&ac, &av);
if (!arg || *arg == '\0') {
@@ -1436,7 +1437,7 @@ parse_pubkey_algos:
}
if (*arg != '-' &&
!sshkey_names_valid2(*arg == '+' || *arg == '^' ?
- arg + 1 : arg, 1)) {
+ arg + 1 : arg, 1, ca_only)) {
error("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
goto out;
@@ -1447,6 +1448,7 @@ parse_pubkey_algos:
case oCASignatureAlgorithms:
charptr = &options->ca_sign_algorithms;
+ ca_only = 1;
goto parse_pubkey_algos;
case oLogLevel:
@@ -2103,10 +2105,12 @@ parse_pubkey_algos:
case oHostbasedAcceptedAlgorithms:
charptr = &options->hostbased_accepted_algos;
+ ca_only = 0;
goto parse_pubkey_algos;
case oPubkeyAcceptedAlgorithms:
charptr = &options->pubkey_accepted_algos;
+ ca_only = 0;
goto parse_pubkey_algos;
case oAddKeysToAgent:
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 862b02068cb..1cf33162943 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.394 2023/06/05 13:24:36 millert Exp $ */
+/* $OpenBSD: servconf.c,v 1.395 2023/06/21 05:10:26 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1282,6 +1282,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
{
char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
+ int ca_only = 0;
SyslogFacility *log_facility_ptr;
LogLevel *log_level_ptr;
ServerOpCodes opcode;
@@ -1517,6 +1518,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sHostbasedAcceptedAlgorithms:
charptr = &options->hostbased_accepted_algos;
+ ca_only = 0;
parse_pubkey_algos:
arg = argv_next(&ac, &av);
if (!arg || *arg == '\0')
@@ -1524,7 +1526,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
filename, linenum);
if (*arg != '-' &&
!sshkey_names_valid2(*arg == '+' || *arg == '^' ?
- arg + 1 : arg, 1))
+ arg + 1 : arg, 1, ca_only))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
@@ -1533,18 +1535,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+ ca_only = 0;
goto parse_pubkey_algos;
case sCASignatureAlgorithms:
charptr = &options->ca_sign_algorithms;
+ ca_only = 1;
goto parse_pubkey_algos;
case sPubkeyAuthentication:
intptr = &options->pubkey_authentication;
+ ca_only = 0;
goto parse_flag;
case sPubkeyAcceptedAlgorithms:
charptr = &options->pubkey_accepted_algos;
+ ca_only = 0;
goto parse_pubkey_algos;
case sPubkeyAuthOptions:
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index eac9c866ebe..3b07c92de12 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.135 2023/03/31 03:22:49 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.136 2023/06/21 05:10:26 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -319,7 +319,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
}
int
-sshkey_names_valid2(const char *names, int allow_wildcard)
+sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only)
{
char *s, *cp, *p;
const struct sshkey_impl *impl;
@@ -352,6 +352,9 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
}
free(s);
return 0;
+ } else if (plain_only && sshkey_type_is_cert(type)) {
+ free(s);
+ return 0;
}
}
free(s);
diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h
index e90a1eec8cb..2be16d19611 100644
--- a/usr.bin/ssh/sshkey.h
+++ b/usr.bin/ssh/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.61 2022/10/28 00:44:44 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.62 2023/06/21 05:10:26 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -258,7 +258,7 @@ int sshkey_ec_validate_public(const EC_GROUP *, const EC_POINT *);
int sshkey_ec_validate_private(const EC_KEY *);
const char *sshkey_ssh_name(const struct sshkey *);
const char *sshkey_ssh_name_plain(const struct sshkey *);
-int sshkey_names_valid2(const char *, int);
+int sshkey_names_valid2(const char *, int, int);
char *sshkey_alg_list(int, int, int, char);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);