summaryrefslogtreecommitdiffstats
path: root/sshconnect.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:00 +0000
commitc7042a16e2e4aac1030d8785c2c874d6a309b06a (patch)
tree5cc2a7944ee7d0073ecb2ae03b28fdbc4630a484 /sshconnect.c
parentAdding upstream version 1:9.7p1. (diff)
downloadopenssh-c7042a16e2e4aac1030d8785c2c874d6a309b06a.tar.xz
openssh-c7042a16e2e4aac1030d8785c2c874d6a309b06a.zip
Adding upstream version 1:9.8p1.upstream/1%9.8p1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'sshconnect.c')
-rw-r--r--sshconnect.c34
1 files changed, 32 insertions, 2 deletions
diff --git a/sshconnect.c b/sshconnect.c
index d8efc50..7cf6b63 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.366 2024/01/11 01:45:36 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.368 2024/04/30 02:10:49 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,6 +57,7 @@
#include "sshkey.h"
#include "sshconnect.h"
#include "log.h"
+#include "match.h"
#include "misc.h"
#include "readconf.h"
#include "atomicio.h"
@@ -647,7 +648,7 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
if (options.proxy_command == NULL) {
if (getnameinfo(hostaddr, addrlen,
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
- fatal_f("getnameinfo failed");
+ fatal_f("getnameinfo failed");
*hostfile_ipaddr = put_host_port(ntop, port);
} else {
*hostfile_ipaddr = xstrdup("<no hostip for proxy "
@@ -717,6 +718,29 @@ try_tilde_unexpand(const char *path)
return ret;
}
+/*
+ * Returns non-zero if the key is accepted by HostkeyAlgorithms.
+ * Made slightly less trivial by the multiple RSA signature algorithm names.
+ */
+int
+hostkey_accepted_by_hostkeyalgs(const struct sshkey *key)
+{
+ const char *ktype = sshkey_ssh_name(key);
+ const char *hostkeyalgs = options.hostkeyalgorithms;
+
+ if (key->type == KEY_UNSPEC)
+ return 0;
+ if (key->type == KEY_RSA &&
+ (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
+ return 1;
+ if (key->type == KEY_RSA_CERT &&
+ (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", hostkeyalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", hostkeyalgs, 0) == 1))
+ return 1;
+ return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
+}
+
static int
hostkeys_find_by_key_cb(struct hostkey_foreach_line *l, void *_ctx)
{
@@ -1017,6 +1041,12 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
}
retry:
+ if (!hostkey_accepted_by_hostkeyalgs(host_key)) {
+ error("host key %s not permitted by HostkeyAlgorithms",
+ sshkey_ssh_name(host_key));
+ goto fail;
+ }
+
/* Reload these as they may have changed on cert->key downgrade */
want_cert = sshkey_is_cert(host_key);
type = sshkey_type(host_key);