=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect.c,v retrieving revision 1.367 retrieving revision 1.368 diff -u -r1.367 -r1.368 --- src/usr.bin/ssh/sshconnect.c 2024/04/23 13:34:50 1.367 +++ src/usr.bin/ssh/sshconnect.c 2024/04/30 02:10:49 1.368 @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.367 2024/04/23 13:34:50 jsg Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.368 2024/04/30 02:10:49 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include "sshconnect.h" #include "hostfile.h" #include "log.h" +#include "match.h" #include "misc.h" #include "readconf.h" #include "atomicio.h" @@ -679,6 +680,29 @@ return ret; } +/* + * Returns non-zero if the key is accepted by HostkeyAlgorithms. + * Made slightly less trivial by the multiple RSA signature algorithm names. + */ +int +hostkey_accepted_by_hostkeyalgs(const struct sshkey *key) +{ + const char *ktype = sshkey_ssh_name(key); + const char *hostkeyalgs = options.hostkeyalgorithms; + + if (key->type == KEY_UNSPEC) + return 0; + if (key->type == KEY_RSA && + (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 || + match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1)) + return 1; + if (key->type == KEY_RSA_CERT && + (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", hostkeyalgs, 0) == 1 || + match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", hostkeyalgs, 0) == 1)) + return 1; + return match_pattern_list(ktype, hostkeyalgs, 0) == 1; +} + static int hostkeys_find_by_key_cb(struct hostkey_foreach_line *l, void *_ctx) { @@ -979,6 +1003,12 @@ } retry: + if (!hostkey_accepted_by_hostkeyalgs(host_key)) { + error("host key %s not permitted by HostkeyAlgorithms", + sshkey_ssh_name(host_key)); + goto fail; + } + /* Reload these as they may have changed on cert->key downgrade */ want_cert = sshkey_is_cert(host_key); type = sshkey_type(host_key);