Attachment #3202 for bug #2746

Lines 1168-1176 mm_answer_keyallowed(int sock, struct sshbuf *m) Link Here

(-)a/monitor.c (-4 / +10 lines)
1168	break;	1168	break;
1169	if (auth2_key_already_used(authctxt, key))	1169	if (auth2_key_already_used(authctxt, key))
1170	break;	1170	break;
1171	if (match_pattern_list(sshkey_ssh_name(key),	1171	if (sshkey_type_allowed_by_config(key,
1172	options.pubkey_key_types, 0) != 1)	1172	options.pubkey_key_types) != 1) {
		1173	debug("Key type %s not in PubkeyAcceptedKeyTypes",
		1174	sshkey_ssh_name(key));
1173	break;	1175	break;
		1176	}
1174	allowed = user_key_allowed(ssh, authctxt->pw, key,	1177	allowed = user_key_allowed(ssh, authctxt->pw, key,
1175	pubkey_auth_attempt, &opts);	1178	pubkey_auth_attempt, &opts);
1176	break;	1179	break;
Lines 1180-1188 mm_answer_keyallowed(int sock, struct sshbuf *m) Link Here
1180	break;	1183	break;
1181	if (auth2_key_already_used(authctxt, key))	1184	if (auth2_key_already_used(authctxt, key))
1182	break;	1185	break;
1183	if (match_pattern_list(sshkey_ssh_name(key),	1186	if (sshkey_type_allowed_by_config(key,
1184	options.hostbased_key_types, 0) != 1)	1187	options.hostbased_key_types) != 1) {
		1188	debug("Key type %s not in PubkeyAcceptedKeyTypes",
		1189	sshkey_ssh_name(key));
1185	break;	1190	break;
		1191	}
1186	allowed = hostbased_key_allowed(authctxt->pw,	1192	allowed = hostbased_key_allowed(authctxt->pw,
1187	cuser, chost, key);	1193	cuser, chost, key);
1188	auth2_record_info(authctxt,	1194	auth2_record_info(authctxt,




	return private;
}

static int
key_type_allowed_by_config(struct sshkey *key)
{
	if (match_pattern_list(sshkey_ssh_name(key),
	    options.pubkey_key_types, 0) == 1)
		return 1;

	/* RSA keys/certs might be allowed by alternate signature types */
	switch (key->type) {
	case KEY_RSA:
		if (match_pattern_list("rsa-sha2-512",
		    options.pubkey_key_types, 0) == 1)
			return 1;
		if (match_pattern_list("rsa-sha2-256",
		    options.pubkey_key_types, 0) == 1)
			return 1;
		break;
	case KEY_RSA_CERT:
		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
		    options.pubkey_key_types, 0) == 1)
			return 1;
		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
		    options.pubkey_key_types, 0) == 1)
			return 1;
		break;
	}
	return 0;
}


/*
 * try keys in the following order:
 * 	1. certificates listed in the config file

	}
	/* finally, filter by PubkeyAcceptedKeyTypes */
	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
		if (id->key != NULL && !sshkey_type_allowed_by_config(id->key,
		    options.pubkey_key_types)) {
			debug("Skipping %s key %s - "
			    "not in PubkeyAcceptedKeyTypes",
			    sshkey_ssh_name(id->key), id->filename);




	    passphrase, keyp, commentp);
}

int
sshkey_type_allowed_by_config(const struct sshkey *key, const char *pubkey_types)
{
	if (match_pattern_list(sshkey_ssh_name(key),
	    pubkey_types, 0) == 1)
		return 1;

	/* RSA keys/certs might be allowed by alternate signature types */
	switch (key->type) {
	case KEY_RSA:
		if (match_pattern_list("rsa-sha2-512",
		    pubkey_types, 0) == 1)
			return 1;
		if (match_pattern_list("rsa-sha2-256",
		    pubkey_types, 0) == 1)
			return 1;
		break;
	case KEY_RSA_CERT:
		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
		    pubkey_types, 0) == 1)
			return 1;
		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
		    pubkey_types, 0) == 1)
			return 1;
		break;
	}
	return 0;
}

#ifdef WITH_XMSS
/*
 * serialize the key with the current state and forward the state

Lines 261-266 int ssh_xmss_sign(const struct sshkey key, u_char sigp, size_t lenp, Link Here

(-)a/sshkey.h (-1 / +2 lines)
261	int ssh_xmss_verify(const struct sshkey *key,	261	int ssh_xmss_verify(const struct sshkey *key,
262	const u_char *signature, size_t signaturelen,	262	const u_char *signature, size_t signaturelen,
263	const u_char *data, size_t datalen, u_int compat);	263	const u_char *data, size_t datalen, u_int compat);
		264	int key_type_allowed_by_config(const struct sshkey *key,
		265	const char *pubkey_types);
264	#endif	266	#endif
265		267
266	#if !defined(WITH_OPENSSL)	268	#if !defined(WITH_OPENSSL)
267	-

Return to bug 2746

Lines 1572-1607 load_identity_file(Identity *id) Link Here

(-)a/sshconnect2.c (-31 / +2 lines)
1572	return private;	1572	return private;
1573	}	1573	}
1574		1574
1575	static int
1576	key_type_allowed_by_config(struct sshkey *key)
1577	{
1578	if (match_pattern_list(sshkey_ssh_name(key),
1579	options.pubkey_key_types, 0) == 1)
1580	return 1;
1581
1582	/* RSA keys/certs might be allowed by alternate signature types */
1583	switch (key->type) {
1584	case KEY_RSA:
1585	if (match_pattern_list("rsa-sha2-512",
1586	options.pubkey_key_types, 0) == 1)
1587	return 1;
1588	if (match_pattern_list("rsa-sha2-256",
1589	options.pubkey_key_types, 0) == 1)
1590	return 1;
1591	break;
1592	case KEY_RSA_CERT:
1593	if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
1594	options.pubkey_key_types, 0) == 1)
1595	return 1;
1596	if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
1597	options.pubkey_key_types, 0) == 1)
1598	return 1;
1599	break;
1600	}
1601	return 0;
1602	}
1603
1604
1605	/*	1575	/*
1606	* try keys in the following order:	1576	* try keys in the following order:
1607	* 1. certificates listed in the config file	1577	* 1. certificates listed in the config file
Lines 1726-1732 pubkey_prepare(Authctxt *authctxt) Link Here
1726	}	1696	}
1727	/* finally, filter by PubkeyAcceptedKeyTypes */	1697	/* finally, filter by PubkeyAcceptedKeyTypes */
1728	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {	1698	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
1729	if (id->key != NULL && !key_type_allowed_by_config(id->key)) {	1699	if (id->key != NULL && !sshkey_type_allowed_by_config(id->key,
		1700	options.pubkey_key_types)) {
1730	debug("Skipping %s key %s - "	1701	debug("Skipping %s key %s - "
1731	"not in PubkeyAcceptedKeyTypes",	1702	"not in PubkeyAcceptedKeyTypes",
1732	sshkey_ssh_name(id->key), id->filename);	1703	sshkey_ssh_name(id->key), id->filename);

Lines 4078-4083 sshkey_parse_private_fileblob(struct sshbuf buffer, const char passphrase, Link Here

(-)a/sshkey.c (+29 lines)
4078	passphrase, keyp, commentp);	4078	passphrase, keyp, commentp);
4079	}	4079	}
4080		4080
		4081	int
		4082	sshkey_type_allowed_by_config(const struct sshkey key, const char pubkey_types)
		4083	{
		4084	if (match_pattern_list(sshkey_ssh_name(key),
		4085	pubkey_types, 0) == 1)
		4086	return 1;
		4087
		4088	/* RSA keys/certs might be allowed by alternate signature types */
		4089	switch (key->type) {
		4090	case KEY_RSA:
		4091	if (match_pattern_list("rsa-sha2-512",
		4092	pubkey_types, 0) == 1)
		4093	return 1;
		4094	if (match_pattern_list("rsa-sha2-256",
		4095	pubkey_types, 0) == 1)
		4096	return 1;
		4097	break;
		4098	case KEY_RSA_CERT:
		4099	if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
		4100	pubkey_types, 0) == 1)
		4101	return 1;
		4102	if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
		4103	pubkey_types, 0) == 1)
		4104	return 1;
		4105	break;
		4106	}
		4107	return 0;
		4108	}
		4109
4081	#ifdef WITH_XMSS	4110	#ifdef WITH_XMSS
4082	/*	4111	/*
4083	* serialize the key with the current state and forward the state	4112	* serialize the key with the current state and forward the state