From ffc379c2ac09d21d9e02de3104c9f60f6b2f23f5 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Fri, 17 Feb 2023 04:22:50 +0000
Subject: [PATCH] Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
---
 usr.bin/ssh/auth2-hostbased.c | 8 +-------
 usr.bin/ssh/auth2-pubkey.c | 8 +-------
 usr.bin/ssh/compat.c | 12 ++----------
 usr.bin/ssh/compat.h | 4 ++--
 usr.bin/ssh/kex.c | 6 +-----
 usr.bin/ssh/monitor.c | 7 +------
 usr.bin/ssh/sshconnect2.c | 20 +++-----------------
 7 files changed, 11 insertions(+), 54 deletions(-)
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
index b7092835fd4..dd6b9a7e63b 100644
--- a/usr.bin/ssh/auth2-hostbased.c
+++ b/usr.bin/ssh/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.51 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -100,12 +100,6 @@ userauth_hostbased(struct ssh *ssh, const char *method)
 "(received %d, expected %d)", key->type, pktype);
 goto done;
 }
- if (sshkey_type_plain(key->type) == KEY_RSA &&
- (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
- error("Refusing RSA key because peer uses unsafe "
- "signature format");
- goto done;
- }
 if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
 logit_f("signature algorithm %s not in "
 "HostbasedAcceptedAlgorithms", pkalg);
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index 7c9e61be678..a507dca4b7e 100644
--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.118 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -150,12 +150,6 @@ userauth_pubkey(struct ssh *ssh, const char *method)
 "(received %d, expected %d)", key->type, pktype);
 goto done;
 }
- if (sshkey_type_plain(key->type) == KEY_RSA &&
- (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
- logit("Refusing RSA key because client uses unsafe "
- "signature scheme");
- goto done;
- }
 if (auth2_key_already_used(authctxt, key)) {
 logit("refusing previously-used %s key", sshkey_type(key));
 goto done;
diff --git a/usr.bin/ssh/compat.c b/usr.bin/ssh/compat.c
index 3e57abc9dda..38108fc8aa7 100644
--- a/usr.bin/ssh/compat.c
+++ b/usr.bin/ssh/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.124 2023/02/17 03:06:18 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.125 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
 *
@@ -147,15 +147,7 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
 char *
 compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 {
- if (!(ssh->compat & SSH_BUG_RSASIGMD5))
- return xstrdup(pkalg_prop);
- debug2_f("original public key proposal: %s", pkalg_prop);
- if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
- fatal("match_filter_denylist failed");
- debug2_f("compat public key proposal: %s", pkalg_prop);
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
+ return xstrdup(pkalg_prop);
 }
 
 /* Always returns pointer to allocated memory, caller must free. */
diff --git a/usr.bin/ssh/compat.h b/usr.bin/ssh/compat.h
index 8d0ea2d688f..1da367e84f7 100644
--- a/usr.bin/ssh/compat.h
+++ b/usr.bin/ssh/compat.h
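Review bot: In compat.c, `compat_pkalg_proposal` no longer reads its `ssh` argument, since the new body is only `return xstrdup(pkalg_prop);`, so the function is now a plain copy with an unused parameter. If it is kept for symmetry with the neighbouring proposal helpers, a header comment such as `/* No compat filtering remains for public key algorithms; returns an allocated copy that the caller must free. */` would make that explicit. Otherwise a follow-up could have callers use `xstrdup` directly. The callers are outside this hunk, so whether any of them depend on the current signature cannot be checked from here.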
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.60 2023/02/17 03:06:18 dtucker Exp $ */
+/* $OpenBSD: compat.h,v 1.61 2023/02/17 04:22:50 dtucker Exp $ */
 
 /*
 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -40,7 +40,7 @@
 /* #define unused 0x00000400 */
 #define SSH_BUG_SCANNER 0x00000800
 /* #define unused 0x00001000 */
-#define SSH_BUG_RSASIGMD5 0x00002000
+/* #define unused 0x00002000 */
 #define SSH_OLD_DHGEX 0x00004000
 #define SSH_BUG_NOREKEY 0x00008000
 /* #define unused 0x00010000 */
diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index 3f31b97c28f..146dec105fd 100644
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.173 2022/11/07 10:05:38 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.174 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -1387,10 +1387,6 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 r = SSH_ERR_CONN_CLOSED; /* XXX */
 goto out;
 }
- if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
- logit("Remote version \"%.100s\" uses unsafe RSA signature "
- "scheme; disabling use of RSA keys", remote_version);
- }
 /* success */
 r = 0;
 out:
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 93d122e98f0..ef824c3d8c2 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.234 2022/06/15 16:08:25 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.235 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -912,11 +912,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
 fatal_fr(r, "parse");
 
 if (key != NULL && authctxt->valid) {
- /* These should not make it past the privsep child */
- if (sshkey_type_plain(key->type) == KEY_RSA &&
- (ssh->compat & SSH_BUG_RSASIGMD5) != 0)
- fatal_f("passed a SSH_BUG_RSASIGMD5 key");
-
 switch (type) {
 case MM_USERKEY:
 auth_method = "publickey";
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 058ec7cfb67..87793a04024 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.362 2023/02/17 04:22:50 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1867,20 +1867,6 @@ pubkey_reset(Authctxt *authctxt)
 id->tried = 0;
 }
 
-static int
-try_identity(struct ssh *ssh, Identity *id)
-{
- if (!id->key)
- return (0);
- if (sshkey_type_plain(id->key->type) == KEY_RSA &&
- (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
- debug("Skipped %s key %s for RSA/MD5 server",
- sshkey_type(id->key), id->filename);
- return (0);
- }
- return 1;
-}
-
 static int
 userauth_pubkey(struct ssh *ssh)
 {
@@ -1901,7 +1887,7 @@ userauth_pubkey(struct ssh *ssh)
 * private key instead
 */
 if (id->key != NULL) {
- if (try_identity(ssh, id)) {
+ if (id->key != NULL) {
 ident = format_identity(id);
 debug("Offering public key: %s", ident);
 free(ident);
@@ -1911,7 +1897,7 @@ userauth_pubkey(struct ssh *ssh)
 debug("Trying private key: %s", id->filename);
 id->key = load_identity_file(id);
 if (id->key != NULL) {
- if (try_identity(ssh, id)) {
+ if (id->key != NULL) {
 id->isprivate = 1;
 sent = sign_and_send_pubkey(ssh, id);
 }
-- 
2.20.1
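Review bot: In `userauth_pubkey` (hunk at -1901), replacing `try_identity(ssh, id)` with `id->key != NULL` leaves an inner test that repeats the enclosing `if (id->key != NULL) {` on the line above, so it can never be false. The hunk at -1911 has the same duplicate right after `load_identity_file`. Dropping the inner `if (id->key != NULL) {` and its closing brace in both places, and un-indenting the bodies, keeps the behaviour and no longer reads as if a second filter runs before a key is offered or used for signing. The function body starts and ends outside both hunks, so the matching closing braces are only partly visible here.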