Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this

was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed.  "burn it all" djm@

diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
index b709283..dd6b9a7 100644 (file)
--- a/usr.bin/ssh/auth2-hostbased.c
+++ b/usr.bin/ssh/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.51 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -100,12 +100,6 @@ userauth_hostbased(struct ssh *ssh, const char *method)
                    "(received %d, expected %d)", key->type, pktype);
                goto done;
        }
-       if (sshkey_type_plain(key->type) == KEY_RSA &&
-           (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
-               error("Refusing RSA key because peer uses unsafe "
-                   "signature format");
-               goto done;
-       }
        if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
                logit_f("signature algorithm %s not in "
                    "HostbasedAcceptedAlgorithms", pkalg);

diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index 7c9e61b..a507dca 100644 (file)
--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.118 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -150,12 +150,6 @@ userauth_pubkey(struct ssh *ssh, const char *method)
                    "(received %d, expected %d)", key->type, pktype);
                goto done;
        }
-       if (sshkey_type_plain(key->type) == KEY_RSA &&
-           (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
-               logit("Refusing RSA key because client uses unsafe "
-                   "signature scheme");
-               goto done;
-       }
        if (auth2_key_already_used(authctxt, key)) {
                logit("refusing previously-used %s key", sshkey_type(key));
                goto done;

diff --git a/usr.bin/ssh/compat.c b/usr.bin/ssh/compat.c
index 3e57abc..38108fc 100644 (file)
--- a/usr.bin/ssh/compat.c
+++ b/usr.bin/ssh/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.124 2023/02/17 03:06:18 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.125 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -147,15 +147,7 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
 char *
 compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 {
-       if (!(ssh->compat & SSH_BUG_RSASIGMD5))
-               return xstrdup(pkalg_prop);
-       debug2_f("original public key proposal: %s", pkalg_prop);
-       if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
-               fatal("match_filter_denylist failed");
-       debug2_f("compat public key proposal: %s", pkalg_prop);
-       if (*pkalg_prop == '\0')
-               fatal("No supported PK algorithms found");
-       return pkalg_prop;
+       return xstrdup(pkalg_prop);
 }
 
 /* Always returns pointer to allocated memory, caller must free. */

diff --git a/usr.bin/ssh/compat.h b/usr.bin/ssh/compat.h
index 8d0ea2d..1da367e 100644 (file)
--- a/usr.bin/ssh/compat.h
+++ b/usr.bin/ssh/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.60 2023/02/17 03:06:18 dtucker Exp $ */
+/* $OpenBSD: compat.h,v 1.61 2023/02/17 04:22:50 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -40,7 +40,7 @@
 /* #define unused              0x00000400 */
 #define SSH_BUG_SCANNER                0x00000800
 /* #define unused              0x00001000 */
-#define SSH_BUG_RSASIGMD5      0x00002000
+/* #define unused              0x00002000 */
 #define SSH_OLD_DHGEX          0x00004000
 #define SSH_BUG_NOREKEY                0x00008000
 /* #define unused              0x00010000 */

diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index 3f31b97..146dec1 100644 (file)
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.173 2022/11/07 10:05:38 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.174 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -1387,10 +1387,6 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
                r = SSH_ERR_CONN_CLOSED; /* XXX */
                goto out;
        }
-       if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
-               logit("Remote version \"%.100s\" uses unsafe RSA signature "
-                   "scheme; disabling use of RSA keys", remote_version);
-       }
        /* success */
        r = 0;
  out:

diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 93d122e..ef824c3 100644 (file)
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.234 2022/06/15 16:08:25 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.235 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -912,11 +912,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
                fatal_fr(r, "parse");
 
        if (key != NULL && authctxt->valid) {
-               /* These should not make it past the privsep child */
-               if (sshkey_type_plain(key->type) == KEY_RSA &&
-                   (ssh->compat & SSH_BUG_RSASIGMD5) != 0)
-                       fatal_f("passed a SSH_BUG_RSASIGMD5 key");
-
                switch (type) {
                case MM_USERKEY:
                        auth_method = "publickey";

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 058ec7c..87793a0 100644 (file)
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.362 2023/02/17 04:22:50 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1867,20 +1867,6 @@ pubkey_reset(Authctxt *authctxt)
                id->tried = 0;
 }
 
-static int
-try_identity(struct ssh *ssh, Identity *id)
-{
-       if (!id->key)
-               return (0);
-       if (sshkey_type_plain(id->key->type) == KEY_RSA &&
-           (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
-               debug("Skipped %s key %s for RSA/MD5 server",
-                   sshkey_type(id->key), id->filename);
-               return (0);
-       }
-       return 1;
-}
-
 static int
 userauth_pubkey(struct ssh *ssh)
 {
@@ -1901,7 +1887,7 @@ userauth_pubkey(struct ssh *ssh)
                 * private key instead
                 */
                if (id->key != NULL) {
-                       if (try_identity(ssh, id)) {
+                       if (id->key != NULL) {
                                ident = format_identity(id);
                                debug("Offering public key: %s", ident);
                                free(ident);
@@ -1911,7 +1897,7 @@ userauth_pubkey(struct ssh *ssh)
                        debug("Trying private key: %s", id->filename);
                        id->key = load_identity_file(id);
                        if (id->key != NULL) {
-                               if (try_identity(ssh, id)) {
+                               if (id->key != NULL) {
                                        id->isprivate = 1;
                                        sent = sign_and_send_pubkey(ssh, id);
                                }