tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: make ssh-keysign use the requested signature algorithm 

and not the default for the keytype. Part of unbreaking hostbased auth for
RSA/SHA2 keys. ok markus@

OpenBSD-Commit-ID: b5639a14462948970da3a8020dc06f9a80ecccdc
This commit is contained in:
djm@openbsd.org 2022-01-06 22:00:18 +00:00 committed by Damien Miller
parent 291721bc7c
commit 7aa7b096cf
1 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
ssh-keysign.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keysign.c,v 1.69 2021/11/13 17:26:13 deraadt Exp $ */ /* $OpenBSD: ssh-keysign.c,v 1.70 2022/01/06 22:00:18 djm Exp $ */
/* /*
* Copyright (c) 2002 Markus Friedl. All rights reserved. * Copyright (c) 2002 Markus Friedl. All rights reserved.
* *
@ -62,7 +62,7 @@
extern char *__progname; extern char *__progname;
static int static int
valid_request(struct passwd *pw, char *host, struct sshkey **ret, valid_request(struct passwd *pw, char *host, struct sshkey **ret, char **pkalgp,
u_char *data, size_t datalen) u_char *data, size_t datalen)
{ {
struct sshbuf *b; struct sshbuf *b;
@ -75,6 +75,8 @@ valid_request(struct passwd *pw, char *host, struct sshkey **ret,
if (ret != NULL) if (ret != NULL)
*ret = NULL; *ret = NULL;
if (pkalgp != NULL)
*pkalgp = NULL;
fail = 0; fail = 0;
if ((b = sshbuf_from(data, datalen)) == NULL) if ((b = sshbuf_from(data, datalen)) == NULL)
@ -125,8 +127,6 @@ valid_request(struct passwd *pw, char *host, struct sshkey **ret,
fail++; fail++;
} else if (key->type != pktype) } else if (key->type != pktype)
fail++; fail++;
free(pkalg);
free(pkblob);
/* client host name, handle trailing dot */ /* client host name, handle trailing dot */
if ((r = sshbuf_get_cstring(b, &p, &len)) != 0) if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
@ -157,8 +157,19 @@ valid_request(struct passwd *pw, char *host, struct sshkey **ret,
if (fail) if (fail)
sshkey_free(key); sshkey_free(key);
else if (ret != NULL) else {
if (ret != NULL) {
*ret = key; *ret = key;
key = NULL;
}
if (pkalgp != NULL) {
*pkalgp = pkalg;
pkalg = NULL;
}
}
sshkey_free(key);
free(pkalg);
free(pkblob);
return (fail ? -1 : 0); return (fail ? -1 : 0);
} }
@ -173,7 +184,7 @@ main(int argc, char **argv)
struct passwd *pw; struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd; int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data, rver; u_char *signature, *data, rver;
char *host, *fp; char *host, *fp, *pkalg;
size_t slen, dlen; size_t slen, dlen;
if (pledge("stdio rpath getpw dns id", NULL) != 0) if (pledge("stdio rpath getpw dns id", NULL) != 0)
@ -261,7 +272,7 @@ main(int argc, char **argv)
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0) if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
fatal_r(r, "%s: buffer error", __progname); fatal_r(r, "%s: buffer error", __progname);
if (valid_request(pw, host, &key, data, dlen) < 0) if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0)
fatal("%s: not a valid request", __progname); fatal("%s: not a valid request", __progname);
free(host); free(host);
@ -282,7 +293,7 @@ main(int argc, char **argv)
} }
if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,
NULL, NULL, NULL, 0)) != 0) pkalg, NULL, NULL, 0)) != 0)
fatal_r(r, "%s: sshkey_sign failed", __progname); fatal_r(r, "%s: sshkey_sign failed", __progname);
free(data); free(data);