From fd6d8a575ff14ec727afa81f4b201c239686a599 Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 21 Jun 2023 05:10:26 +0000
Subject: [PATCH] better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. part of bz3577; ok dtucker@
---
 usr.bin/ssh/readconf.c | 10 +++++++---
 usr.bin/ssh/servconf.c | 10 ++++++++--
 usr.bin/ssh/sshkey.c | 7 +++++--
 usr.bin/ssh/sshkey.h | 4 ++--
 4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 7c1b1b1f434..de70683e558 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.376 2023/03/31 04:23:02 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.377 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -931,7 +931,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 char **cpptr, ***cppptr, fwdarg[256];
 u_int i, *uintptr, uvalue, max_entries = 0;
 int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0;
- int remotefwd, dynamicfwd;
+ int remotefwd, dynamicfwd, ca_only = 0;
 LogLevel *log_level_ptr;
 SyslogFacility *log_facility_ptr;
 long long val64;
@@ -1427,6 +1427,7 @@ parse_int:
 case oHostKeyAlgorithms:
 charptr = &options->hostkeyalgorithms;
+ ca_only = 0;
 parse_pubkey_algos:
 arg = argv_next(&ac, &av);
 if (!arg || *arg == '\0') {
@@ -1436,7 +1437,7 @@ parse_pubkey_algos:
 }
 if (*arg != '-' &&
 !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
- arg + 1 : arg, 1)) {
+ arg + 1 : arg, 1, ca_only)) {
 error("%s line %d: Bad key types '%s'.",
 filename, linenum, arg ? arg : "");
 goto out;
@@ -1447,6 +1448,7 @@ parse_pubkey_algos:
 case oCASignatureAlgorithms:
 charptr = &options->ca_sign_algorithms;
+ ca_only = 1;
 goto parse_pubkey_algos;
 case oLogLevel:
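Review bot: With `ca_only` set, a certificate algorithm such as `ssh-ed25519-cert-v01@openssh.com` given to CASignatureAlgorithms is now refused with the same `Bad key types '%s'` message used for genuinely unknown names, even though that string is a valid key type for the other directives that share this path; an operator who copied it from PubkeyAcceptedAlgorithms gets no hint why it was rejected. Since the flag is in scope at the `error()` call, the message can say so cheaply: `error("%s line %d: Bad key types '%s'%s.", filename, linenum, arg ? arg : "", ca_only ? " (certificate algorithms are not valid here)" : "");`. The same applies to the `fatal()` in the servconf.c counterpart of this hunk. process_config_line_depth starts and ends outside this hunk.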
@@ -2103,10 +2105,12 @@ parse_pubkey_algos:
 case oHostbasedAcceptedAlgorithms:
 charptr = &options->hostbased_accepted_algos;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case oPubkeyAcceptedAlgorithms:
 charptr = &options->pubkey_accepted_algos;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case oAddKeysToAgent:
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 862b02068cb..1cf33162943 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.394 2023/06/05 13:24:36 millert Exp $ */
+/* $OpenBSD: servconf.c,v 1.395 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -1282,6 +1282,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 {
 char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
 int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
+ int ca_only = 0;
 SyslogFacility *log_facility_ptr;
 LogLevel *log_level_ptr;
 ServerOpCodes opcode;
@@ -1517,6 +1518,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 case sHostbasedAcceptedAlgorithms:
 charptr = &options->hostbased_accepted_algos;
+ ca_only = 0;
 parse_pubkey_algos:
 arg = argv_next(&ac, &av);
 if (!arg || *arg == '\0')
@@ -1524,7 +1526,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 filename, linenum);
 if (*arg != '-' &&
 !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
- arg + 1 : arg, 1))
+ arg + 1 : arg, 1, ca_only))
 fatal("%s line %d: Bad key types '%s'.",
 filename, linenum, arg ? arg : "");
 if (*activep && *charptr == NULL)
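Review bot: The `ca_only` argument at this call could be computed from the directive itself instead of being threaded through a local that every `goto parse_pubkey_algos` site has to remember to assign: assuming `opcode` (declared in this function, see `ServerOpCodes opcode;` in the earlier hunk) holds the directive being parsed and the switch keys on it, `!sshkey_names_valid2(*arg == '+' || *arg == '^' ? arg + 1 : arg, 1, opcode == sCASignatureAlgorithms))` makes the five `ca_only = 0;`/`ca_only = 1;` stores in this function unnecessary and means a future directive that jumps to the label cannot arrive with the wrong value. If the local is kept, the fallback is at least on the safe side for this use: it is initialised to 0 at declaration, so an unset site gets the permissive non-CA behaviour that the other key-list directives need. The same restructuring applies to readconf.c. process_server_config_line_depth starts and ends outside this hunk.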
@@ -1533,18 +1535,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 case sHostKeyAlgorithms:
 charptr = &options->hostkeyalgorithms;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case sCASignatureAlgorithms:
 charptr = &options->ca_sign_algorithms;
+ ca_only = 1;
 goto parse_pubkey_algos;
 case sPubkeyAuthentication:
 intptr = &options->pubkey_authentication;
+ ca_only = 0;
 goto parse_flag;
 case sPubkeyAcceptedAlgorithms:
 charptr = &options->pubkey_accepted_algos;
+ ca_only = 0;
 goto parse_pubkey_algos;
 case sPubkeyAuthOptions:
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index eac9c866ebe..3b07c92de12 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.135 2023/03/31 03:22:49 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.136 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -319,7 +319,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
 }
 int
-sshkey_names_valid2(const char *names, int allow_wildcard)
+sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only)
 {
 char *s, *cp, *p;
 const struct sshkey_impl *impl;
@@ -352,6 +352,9 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
 }
 free(s);
 return 0;
+ } else if (plain_only && sshkey_type_is_cert(type)) {
+ free(s);
+ return 0;
 }
 }
 free(s);
diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h
index e90a1eec8cb..2be16d19611 100644
--- a/usr.bin/ssh/sshkey.h
+++ b/usr.bin/ssh/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.61 2022/10/28 00:44:44 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.62 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
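Review bot: The `ca_only = 0;` added under `case sPubkeyAuthentication:` is a dead store: that case jumps to `parse_flag` rather than `parse_pubkey_algos`, so the flag is presumably never read on that path, and it already holds 0 from its initialiser `int ca_only = 0;` in the same function (earlier hunk). Dropping that line keeps the flag's stores confined to the key-list jump sites, where a reader will look for them. The three other `ca_only = 0;` stores in this hunk are likewise redundant with the initialiser; if they are kept as explicit documentation of each site, a one-line comment at the `parse_pubkey_algos:` label saying that every jump site must set `ca_only` is what gives them meaning. The switch and its enclosing function extend beyond this hunk.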
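Review bot: `sshkey_names_valid2()` gains a second positional int flag but still carries no comment stating what either flag means, and the new prototype in sshkey.h (`const char *, int, int`) has no parameter names either, so a caller has to read the body to know which int is which. A short block above the `int` return-type line in this hunk should state that the function checks each comma-separated entry of `names` is a recognised key type name, that `allow_wildcard` lets an entry be a pattern, that `plain_only` rejects certificate key types, and that it returns 0 as soon as an entry is rejected. The function body continues past the hunk.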
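Review bot: The new `plain_only` rejection runs only for an entry that resolved to a concrete `type`; it is the `else` of a branch whose body (above the hunk) handles names that did not resolve, and the `const struct sshkey_impl *impl` local declared in the earlier hunk suggests that branch is where wildcard entries are matched against implementation names. Both config callers pass `allow_wildcard` as 1, so an entry written as a pattern — `*-cert-v01@openssh.com` or `ssh-ed25519-cert*` — presumably still passes for CASignatureAlgorithms if the matcher compares patterns against certificate algorithm names, leaving the literal spelling rejected but the pattern spelling accepted. If so, the wildcard loop should skip any `struct sshkey_impl` whose type satisfies `sshkey_type_is_cert()` when `plain_only` is set, so both spellings behave the same. This is a gap in a configuration sanity check rather than a trust-boundary issue, since the commit message says certificate names were unusable here anyway. sshkey_names_valid2 starts outside this hunk.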
@@ -258,7 +258,7 @@ int sshkey_ec_validate_public(const EC_GROUP *, const EC_POINT *);
 int sshkey_ec_validate_private(const EC_KEY *);
 const char *sshkey_ssh_name(const struct sshkey *);
 const char *sshkey_ssh_name_plain(const struct sshkey *);
-int sshkey_names_valid2(const char *, int);
+int sshkey_names_valid2(const char *, int, int);
 char *sshkey_alg_list(int, int, int, char);
 int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
-- 
2.20.1