version 1.341, 2021/01/08 02:57:24 |
version 1.342, 2021/01/22 02:44:58 |
|
|
(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { |
(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { |
/* Filter base key signature alg against our configuration */ |
/* Filter base key signature alg against our configuration */ |
return match_list(sshkey_ssh_name(key), |
return match_list(sshkey_ssh_name(key), |
options.pubkey_key_types, NULL); |
options.pubkey_accepted_algos, NULL); |
} |
} |
|
|
/* |
/* |
* For RSA keys/certs, since these might have a different sig type: |
* For RSA keys/certs, since these might have a different sig type: |
* find the first entry in PubkeyAcceptedKeyTypes of the right type |
* find the first entry in PubkeyAcceptedAlgorithms of the right type |
* that also appears in the supported signature algorithms list from |
* that also appears in the supported signature algorithms list from |
* the server. |
* the server. |
*/ |
*/ |
oallowed = allowed = xstrdup(options.pubkey_key_types); |
oallowed = allowed = xstrdup(options.pubkey_accepted_algos); |
while ((cp = strsep(&allowed, ",")) != NULL) { |
while ((cp = strsep(&allowed, ",")) != NULL) { |
if (sshkey_type_from_name(cp) != key->type) |
if (sshkey_type_from_name(cp) != key->type) |
continue; |
continue; |
|
|
key_type_allowed_by_config(struct sshkey *key) |
key_type_allowed_by_config(struct sshkey *key) |
{ |
{ |
if (match_pattern_list(sshkey_ssh_name(key), |
if (match_pattern_list(sshkey_ssh_name(key), |
options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
return 1; |
return 1; |
|
|
/* RSA keys/certs might be allowed by alternate signature types */ |
/* RSA keys/certs might be allowed by alternate signature types */ |
switch (key->type) { |
switch (key->type) { |
case KEY_RSA: |
case KEY_RSA: |
if (match_pattern_list("rsa-sha2-512", |
if (match_pattern_list("rsa-sha2-512", |
options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
return 1; |
return 1; |
if (match_pattern_list("rsa-sha2-256", |
if (match_pattern_list("rsa-sha2-256", |
options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
return 1; |
return 1; |
break; |
break; |
case KEY_RSA_CERT: |
case KEY_RSA_CERT: |
if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
return 1; |
return 1; |
if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
return 1; |
return 1; |
break; |
break; |
} |
} |
|
|
} |
} |
/* append remaining keys from the config file */ |
/* append remaining keys from the config file */ |
TAILQ_CONCAT(preferred, &files, next); |
TAILQ_CONCAT(preferred, &files, next); |
/* finally, filter by PubkeyAcceptedKeyTypes */ |
/* finally, filter by PubkeyAcceptedAlgorithms */ |
TAILQ_FOREACH_SAFE(id, preferred, next, id2) { |
TAILQ_FOREACH_SAFE(id, preferred, next, id2) { |
if (id->key != NULL && !key_type_allowed_by_config(id->key)) { |
if (id->key != NULL && !key_type_allowed_by_config(id->key)) { |
debug("Skipping %s key %s - " |
debug("Skipping %s key %s - " |
"not in PubkeyAcceptedKeyTypes", |
"corresponding algo not in PubkeyAcceptedAlgorithms", |
sshkey_ssh_name(id->key), id->filename); |
sshkey_ssh_name(id->key), id->filename); |
TAILQ_REMOVE(preferred, id, next); |
TAILQ_REMOVE(preferred, id, next); |
sshkey_free(id->key); |
sshkey_free(id->key); |