upstream: Client-side workaround for a bug in OpenSSH 7.4: this release

allows RSA/SHA2 signatures for public key authentication but fails to
advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these
server to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse
to offer valid keys.

Reported by and based on patch from Gordon Messmer via bz3213, thanks
also for additional analysis by Jakub Jelen. ok dtucker

OpenBSD-Commit-ID: d6d0b7351d5d44c45f3daaa26efac65847a564f7

diff --git a/compat.c b/compat.c
index 69befa96f057531d358b401f67cb61a0537fb314..3f153bd424f88ef15ae53fa619960b2d5d3e90db 100644 (file)
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.117 2021/01/27 09:26:54 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -63,6 +63,8 @@ compat_banner(struct ssh *ssh, const char *version)
                { "OpenSSH_6.5*,"
                  "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
                                        SSH_BUG_SIGTYPE},
+               { "OpenSSH_7.4*",       SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
+                                       SSH_BUG_SIGTYPE74},
                { "OpenSSH_7.0*,"
                  "OpenSSH_7.1*,"
                  "OpenSSH_7.2*,"

diff --git a/compat.h b/compat.h
index c197fafc539c6e80dc1375bad10d0dc95e1848cd..167409b2bd3326ca74c579e9836dcaa059ef13ff 100644 (file)
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.56 2021/01/27 09:26:54 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.57 2021/06/06 03:40:39 djm Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -29,7 +29,7 @@
 
 #define SSH_BUG_UTF8TTYMODE    0x00000001
 #define SSH_BUG_SIGTYPE                0x00000002
-/* #define unused              0x00000004 */
+#define SSH_BUG_SIGTYPE74      0x00000004
 /* #define unused              0x00000008 */
 #define SSH_OLD_SESSIONID      0x00000010
 /* #define unused              0x00000020 */

diff --git a/sshconnect2.c b/sshconnect2.c
index a53ab95dbb2f2938f2dcd75176b7659c32b5ab50..9b9a99b981bd0ffef94f295c2fe1a192010d5ba1 100644 (file)
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.347 2021/04/03 06:18:41 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.348 2021/06/06 03:40:39 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1175,6 +1175,7 @@ static char *
 key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 {
        char *allowed, *oallowed, *cp, *tmp, *alg = NULL;
+       const char *server_sig_algs;
 
        /*
         * The signature algorithm will only differ from the key algorithm
@@ -1189,6 +1190,14 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
                    options.pubkey_accepted_algos, NULL);
        }
 
+       /*
+        * Workaround OpenSSH 7.4 bug: this version supports RSA/SHA-2 but
+        * fails to advertise it via SSH2_MSG_EXT_INFO.
+        */
+       server_sig_algs = ssh->kex->server_sig_algs;
+       if (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))
+               server_sig_algs = "rsa-sha2-256,rsa-sha2-512";
+
        /*
         * For RSA keys/certs, since these might have a different sig type:
         * find the first entry in PubkeyAcceptedAlgorithms of the right type
@@ -1200,7 +1209,7 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
                if (sshkey_type_from_name(cp) != key->type)
                        continue;
                tmp = match_list(sshkey_sigalg_by_name(cp),
-                   ssh->kex->server_sig_algs, NULL);
+                   server_sig_algs, NULL);
                if (tmp != NULL)
                        alg = xstrdup(cp);
                free(tmp);