Bugzilla – Attachment 3559 Details for
Bug 3375
SHA1 is used as a proof of possession for the RSA key
[patch]
Here is the proposed solution
3375.diff (text/plain), 3.47 KB, created by
Dmitry Belyavskiy
on 2021-12-21 22:17:48 AEDT
Description:
Here is the proposed solution
Filename:
MIME Type:
Creator:
Dmitry Belyavskiy
Created:
2021-12-21 22:17:48 AEDT
Size:
3.47 KB
patch
obsolete
>diff --git a/kex.c b/kex.c
>index 29733cc0..e7d718e2 100644
>--- a/kex.c
>+++ b/kex.c
>@@ -935,6 +935,35 @@ kex_choose_conf(struct ssh *ssh)
> free(ext);
> }
>
>+ /* Check whether client supports rsa-sha2 algorithms */
>+ if (kex->server && (kex->flags & KEX_INITIAL)) {
>+ char *ext;
>+
>+ ext = match_list("rsa-sha2-256", peer[PROPOSAL_SERVER_HOST_KEY_ALGS], NULL);
>+ if (ext) {
>+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
>+ free(ext);
>+ }
>+
>+ ext = match_list("rsa-sha2-512", peer[PROPOSAL_SERVER_HOST_KEY_ALGS], NULL);
>+ if (ext) {
>+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
>+ free(ext);
>+ }
>+
>+ ext = match_list("rsa-sha2-256-cert-v01@openssh.com", peer[PROPOSAL_SERVER_HOST_KEY_ALGS], NULL);
>+ if (ext) {
>+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
>+ free(ext);
>+ }
>+
>+ ext = match_list("rsa-sha2-512-cert-v01@openssh.com", peer[PROPOSAL_SERVER_HOST_KEY_ALGS], NULL);
>+ if (ext) {
>+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
>+ free(ext);
>+ }
>+ }
>+
> /* Algorithm Negotiation */
> if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
> sprop[PROPOSAL_KEX_ALGS])) != 0) {
>diff --git a/kex.h b/kex.h
>index f644e599..d4b7a367 100644
>--- a/kex.h
>+++ b/kex.h
>@@ -109,6 +109,8 @@ enum kex_exchange {
> #define KEX_INIT_SENT 0x0001
> #define KEX_INITIAL 0x0002
> #define KEX_HAS_PUBKEY_HOSTBOUND 0x0004
>+#define KEX_RSA_SHA2_256_SUPPORTED 0x0008
>+#define KEX_RSA_SHA2_512_SUPPORTED 0x0010
>
> struct sshenc {
> char *name;
>diff --git a/serverloop.c b/serverloop.c
>index e8cfb920..358c6842 100644
>--- a/serverloop.c
>+++ b/serverloop.c
>@@ -684,7 +684,7 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
> struct sshbuf *resp = NULL;
> struct sshbuf *sigbuf = NULL;
> struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
>- int r, ndx, kexsigtype, use_kexsigtype, success = 0;
>+ int r, ndx, success = 0;
> const u_char *blob;
> u_char *sig = 0;
> size_t blen, slen;
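Review bot: The four probe stanzas added to kex_choose_conf differ only in the algorithm string, and match_list() accepts a comma-separated list as its first argument, so one call per flag is enough: `ext = match_list("rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com", peer[PROPOSAL_SERVER_HOST_KEY_ALGS], NULL);` and the same for the 512 pair. The flags are derived only from the client's list (`peer[...]`) and not from what the server itself offers in `sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]`; if that is intended, the block comment should say so, because these flags later choose the signature algorithm on the server side. kex_choose_conf starts and ends outside the hunk.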
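Review bot: The two new flag names in kex.h do not say whose support they record. A comment on the defines, such as `/* server only: client's KEXINIT host key list includes rsa-sha2-256 / rsa-sha2-512 (plain or cert) */`, would keep later users from reading them as the negotiated or locally enabled algorithm.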
>@@ -692,9 +692,11 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
> if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
> fatal_f("sshbuf_new");
>
>- kexsigtype = sshkey_type_plain(
>- sshkey_type_from_name(ssh->kex->hostkey_alg));
> while (ssh_packet_remaining(ssh) > 0) {
>+ const char *pkexstr = NULL;
>+ const char *rsa_sha2_256 = "rsa-sha2-256";
>+ const char *rsa_sha2_512 = "rsa-sha2-512";
>+
> sshkey_free(key);
> key = NULL;
> if ((r = sshpkt_get_string_direct(ssh, &blob, &blen)) != 0 ||
>@@ -726,8 +728,13 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
> * For RSA keys, prefer to use the signature type negotiated
> * during KEX to the default (SHA1).
> */
>- use_kexsigtype = kexsigtype == KEY_RSA &&
>- sshkey_type_plain(key->type) == KEY_RSA;
>+ if (sshkey_type_plain(key->type) == KEY_RSA) {
>+ if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED)
>+ pkexstr = rsa_sha2_512;
>+ else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
>+ pkexstr = rsa_sha2_256;
>+ }
>+
> if ((r = sshbuf_put_cstring(sigbuf,
> "hostkeys-prove-00@openssh.com")) != 0 ||
> (r = sshbuf_put_stringb(sigbuf,
>@@ -735,7 +742,7 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
> (r = sshkey_puts(key, sigbuf)) != 0 ||
> (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
> sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
>- use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
>+ pkexstr)) != 0 ||
> (r = sshbuf_put_string(resp, sig, slen)) != 0) {
> error_fr(r, "assemble signature");
> goto out;
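Review bot: `rsa_sha2_256` and `rsa_sha2_512` are declared on every pass of the while loop only to name two string literals that are each used once in the next hunk; assigning the literals directly, `pkexstr = "rsa-sha2-512";`, removes both locals. Declaring `pkexstr` inside the loop is the right scope, since it resets the choice to NULL for each key. The loop body continues outside the hunk.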
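Review bot: When neither flag is set, `pkexstr` stays NULL for an RSA key and the sign call in the following hunk uses the default signature type, which the retained comment identifies as SHA1, so the proof of possession can still be a SHA1 signature for a client that advertises no rsa-sha2 algorithm. If that fallback is kept for compatibility, make it visible, for example `debug3_f("client advertised no rsa-sha2 algorithm, using default RSA signature type");`. The retained comment is also stale, because the code no longer uses the type negotiated during KEX (`ssh->kex->hostkey_alg`) but the client-advertised flags; `/* For RSA keys, sign with the strongest rsa-sha2 algorithm the client advertised; NULL selects the default. */` would match the new logic. The loop body starts and ends outside the hunk.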
Attachments on
bug 3375
:
3559
|
3561
|
3562