Bugzilla – Attachment 3562 Details for
Bug 3375
SHA1 is used as a proof of possession for the RSA key
[patch]
client side
bz3375-client.diff (text/plain), 3.87 KB, created by
Damien Miller
on 2022-01-05 18:44:15 AEDT
Description:
client side
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2022-01-05 18:44:15 AEDT
Size:
3.87 KB
patch
obsolete
>commit d3b123f809d6467db1026b774cf274a1d5a64dcd
>Author: Damien Miller <djm@mindrot.org>
>Date: Wed Jan 5 18:24:26 2022 +1100
>
> accept only rsa-sha2 for hostkey proofs
>
>diff --git a/clientloop.c b/clientloop.c
>index 94b2c94..df35032 100644
>--- a/clientloop.c
>+++ b/clientloop.c
>@@ -105,6 +105,9 @@
> #include "ssherr.h"
> #include "hostfile.h"
>
>+/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
>+#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
>+
> /* import options */
> extern Options options;
>
>@@ -2090,8 +2093,10 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
> struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
> size_t i, ndone;
> struct sshbuf *signdata;
>- int r, kexsigtype, use_kexsigtype;
>+ int r, plaintype;
> const u_char *sig;
>+ const char *rsa_kexalg = NULL;
>+ char *alg = NULL;
> size_t siglen;
>
> if (ctx->nnew == 0)
>@@ -2102,9 +2107,9 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
> hostkeys_update_ctx_free(ctx);
> return;
> }
>- kexsigtype = sshkey_type_plain(
>- sshkey_type_from_name(ssh->kex->hostkey_alg));
>-
>+ if (sshkey_type_plain(sshkey_type_from_name(
>+ ssh->kex->hostkey_alg)) == KEY_RSA)
>+ rsa_kexalg = ssh->kex->hostkey_alg;
> if ((signdata = sshbuf_new()) == NULL)
> fatal_f("sshbuf_new failed");
> /*
>@@ -2115,6 +2120,7 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
> for (ndone = i = 0; i < ctx->nkeys; i++) {
> if (ctx->keys_match[i])
> continue;
>+ plaintype = sshkey_type_plain(ctx->keys[i]->type);
> /* Prepare data to be signed: session ID, unique string, key */
> sshbuf_reset(signdata);
> if ( (r = sshbuf_put_cstring(signdata,
>@@ -2128,19 +2134,33 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
> error_fr(r, "parse sig");
> goto out;
> }
>+ if ((r = sshkey_get_sigtype(sig, siglen, &alg)) != 0) {
>+ error_fr(r, "server gave unintelligible signature "
>+ "for %s key %zu", sshkey_type(ctx->keys[i]), i);
>+ goto out;
>+ }
> /*
>- * For RSA keys, prefer to use the signature type negotiated
>- * during KEX to the default (SHA1).
>+ * Special case for RSA keys: if a RSA hostkey was negotiated,
>+ * then use its signature type for verification of RSA hostkey
>+ * proofs. Otherwise, accept only RSA-SHA256/512 signatures.
> */
>- use_kexsigtype = kexsigtype == KEY_RSA &&
>- sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA;
>- debug3_f("verify %s key %zu using %s sigalg",
>- sshkey_type(ctx->keys[i]), i,
>- use_kexsigtype ? ssh->kex->hostkey_alg : "default");
>+ if (plaintype == KEY_RSA && rsa_kexalg == NULL &&
>+ match_pattern_list(alg, HOSTKEY_PROOF_RSA_ALGS, 0) != 1) {
>+ debug_f("server used untrusted RSA signature algorithm "
>+ "%s for key %zu, disregarding", alg, i);
>+ free(alg);
>+ /* zap the key from the list */
>+ sshkey_free(ctx->keys[i]);
>+ ctx->keys[i] = NULL;
>+ ndone++;
>+ continue;
>+ }
>+ debug3_f("verify %s key %zu using sigalg %s",
>+ sshkey_type(ctx->keys[i]), i, alg);
>+ free(alg);
> if ((r = sshkey_verify(ctx->keys[i], sig, siglen,
> sshbuf_ptr(signdata), sshbuf_len(signdata),
>- use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0,
>- NULL)) != 0) {
>+ plaintype == KEY_RSA ? rsa_kexalg : NULL, 0, NULL)) != 0) {
> error_fr(r, "server gave bad signature for %s key %zu",
> sshkey_type(ctx->keys[i]), i);
> goto out;
>diff --git a/hostfile.c b/hostfile.c
>index 7736a98..6980bc6 100644
>--- a/hostfile.c
>+++ b/hostfile.c
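Review bot: `alg` is a function-scope pointer (declared `char *alg = NULL;` in the @@ -2090 hunk) that this hunk frees on both loop paths without resetting it, so a dangling value survives into the next iteration and into every later `goto out`; whether the `out:` label frees `alg` is outside this hunk, but writing `free(alg); alg = NULL;` at both sites, or declaring `alg` inside the loop body, removes the hazard either way. Disregarding a key by freeing it, storing NULL in `ctx->keys[i]` and still counting it in `ndone` means every later consumer of `ctx->keys` and `ctx->nnew` must tolerate NULL entries; the hostfile.c hunk covers `hostfile_replace_entries`, but the rest of this function and the known-hosts update path are not in the diff, so those should be checked, or the rejected key recorded with a separate per-key verified flag instead of being zapped in place. The enclosing function `client_global_hostkeys_private_confirm` continues past the end of this hunk.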
>@@ -635,7 +635,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
> /* Re-add the requested keys */
> want = HKF_MATCH_HOST | (ip == NULL ? 0 : HKF_MATCH_IP);
> for (i = 0; i < nkeys; i++) {
>- if ((want & ctx.match_keys[i]) == want)
>+ if (keys[i] == NULL || (want & ctx.match_keys[i]) == want)
> continue;
> if ((fp = sshkey_fingerprint(keys[i], hash_alg,
> SSH_FP_DEFAULT)) == NULL) {