From 41f334052ff924b5bc0348489c6f061984e84024 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 6 Jun 2021 03:40:39 +0000 Subject: [PATCH] Client-side workaround for a bug in OpenSSH 7.4: this release allows RSA/SHA2 signatures for public key authentication but fails to advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these server to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse to offer valid keys. Reported by and based on patch from Gordon Messmer via bz3213, thanks also for additional analysis by Jakub Jelen. ok dtucker --- usr.bin/ssh/compat.c | 4 +++- usr.bin/ssh/compat.h | 4 ++-- usr.bin/ssh/sshconnect2.c | 13 +++++++++++-- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/usr.bin/ssh/compat.c b/usr.bin/ssh/compat.c index 8514e0a0775..2a67390a4b9 100644 --- a/usr.bin/ssh/compat.c +++ b/usr.bin/ssh/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.117 2021/01/27 09:26:54 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -61,6 +61,8 @@ compat_banner(struct ssh *ssh, const char *version) { "OpenSSH_6.5*," "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD| SSH_BUG_SIGTYPE}, + { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE| + SSH_BUG_SIGTYPE74}, { "OpenSSH_7.0*," "OpenSSH_7.1*," "OpenSSH_7.2*," diff --git a/usr.bin/ssh/compat.h b/usr.bin/ssh/compat.h index c197fafc539..167409b2bd3 100644 --- a/usr.bin/ssh/compat.h +++ b/usr.bin/ssh/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.56 2021/01/27 09:26:54 djm Exp $ */ +/* $OpenBSD: compat.h,v 1.57 2021/06/06 03:40:39 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -29,7 +29,7 @@ #define SSH_BUG_UTF8TTYMODE 0x00000001 #define SSH_BUG_SIGTYPE 0x00000002 -/* #define unused 0x00000004 */ +#define SSH_BUG_SIGTYPE74 0x00000004 /* #define unused 0x00000008 */ #define SSH_OLD_SESSIONID 0x00000010 /* #define unused 0x00000020 */ diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 974a7c96f41..f1691bd6b93 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.347 2021/04/03 06:18:41 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.348 2021/06/06 03:40:39 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1168,6 +1168,7 @@ static char * key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) { char *allowed, *oallowed, *cp, *tmp, *alg = NULL; + const char *server_sig_algs; /* * The signature algorithm will only differ from the key algorithm @@ -1182,6 +1183,14 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) options.pubkey_accepted_algos, NULL); } + /* + * Workaround OpenSSH 7.4 bug: this version supports RSA/SHA-2 but + * fails to advertise it via SSH2_MSG_EXT_INFO. + */ + server_sig_algs = ssh->kex->server_sig_algs; + if (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74)) + server_sig_algs = "rsa-sha2-256,rsa-sha2-512"; + /* * For RSA keys/certs, since these might have a different sig type: * find the first entry in PubkeyAcceptedAlgorithms of the right type @@ -1193,7 +1202,7 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) if (sshkey_type_from_name(cp) != key->type) continue; tmp = match_list(sshkey_sigalg_by_name(cp), - ssh->kex->server_sig_algs, NULL); + server_sig_algs, NULL); if (tmp != NULL) alg = xstrdup(cp); free(tmp); -- 2.20.1