upstream: revert kex->flags cert hostkey downgrade back to a plain

key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.

ok markus@

OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed

diff --git a/clientloop.c b/clientloop.c
index de13adab9e54afc563d49e954a8810fbad12dcbe..975a85ef985015f4723788f74d84204a6ebfe169 100644 (file)
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.347 2020/10/03 08:12:59 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.348 2020/10/07 02:22:23 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2227,12 +2227,6 @@ client_input_hostkeys(struct ssh *ssh)
                debug("%s: wildcard known hosts name found, "
                    "skipping UserKnownHostsFile update", __func__);
                goto out;
-       } else if (sshkey_type_is_cert(ssh->kex->hostkey_type) &&
-           ctx->ca_available &&
-           (ssh->kex->flags & KEX_HOSTCERT_CONVERT) == 0) {
-               debug("%s: server offered certificate host key, "
-                   "skipping UserKnownHostsFile update", __func__);
-               goto out;
        } else if (ctx->nnew == 0 && ctx->nold != 0) {
                /* We have some keys to remove. Just do it. */
                update_known_hosts(ctx);

diff --git a/kex.h b/kex.h
index 07cec477f1bdca7e1559e872224e10dd4f508748..0c405e33c95b8988d16497a95f6994792741620c 100644 (file)
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.110 2020/10/03 08:11:28 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.111 2020/10/07 02:22:23 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -105,10 +105,8 @@ enum kex_exchange {
        KEX_MAX
 };
 
-/* kex->flags values */
-#define KEX_INIT_SENT          0x0001 /* KEXINIT sent */
-#define KEX_INITIAL            0x0002 /* Initial KEX, not rekey */
-#define KEX_HOSTCERT_CONVERT   0x0004 /* Client downgraded hostcert->plain */
+#define KEX_INIT_SENT  0x0001
+#define KEX_INITIAL    0x0002
 
 struct sshenc {
        char    *name;

diff --git a/sshconnect.c b/sshconnect.c
index ba07a5ff3a1de47cdbcdd04094295b27479c1f1c..4591e6a6ead8837e42030abd5ed465b23d6b4249 100644 (file)
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.336 2020/10/07 02:20:35 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.337 2020/10/07 02:22:23 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -694,10 +694,6 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
 /*
  * check whether the supplied host key is valid, return -1 if the key
  * is not valid. user_hostfile[0] will not be updated if 'readonly' is true.
- *
- * If cert_fallbackp is not NULL then will attempt to convert certificate host
- * keys to plain keys if no certificate match was found and will return
- * non-zero via *cert_fallbackp if this fall-back was used.
  */
 #define RDRW   0
 #define RDONLY 1
@@ -706,7 +702,7 @@ static int
 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
     struct sshkey *host_key, int readonly,
     char **user_hostfiles, u_int num_user_hostfiles,
-    char **system_hostfiles, u_int num_system_hostfiles, int *cert_fallbackp)
+    char **system_hostfiles, u_int num_system_hostfiles)
 {
        HostStatus host_status;
        HostStatus ip_status;
@@ -717,15 +713,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
        const char *type;
        const struct hostkey_entry *host_found, *ip_found;
        int len, cancelled_forwarding = 0, confirmed;
-       int local = sockaddr_is_local(hostaddr), cert_fallback = 0;
+       int local = sockaddr_is_local(hostaddr);
        int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
        int hostkey_trusted = 0; /* Known or explicitly accepted by user */
        struct hostkeys *host_hostkeys, *ip_hostkeys;
        u_int i;
 
-       if (cert_fallbackp != NULL)
-               *cert_fallbackp = 0;
-
        /*
         * Force accepting of the host key for loopback/localhost. The
         * problem is that if the home directory is NFS-mounted to multiple
@@ -841,15 +834,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                if (options.host_key_alias == NULL && port != 0 &&
                    port != SSH_DEFAULT_PORT) {
                        debug("checking without port identifier");
-                       /*
-                        * NB. do not perform cert->key fallback in this
-                        * recursive call. Fallback will only be performed in
-                        * the top-level call.
-                        */
                        if (check_host_key(hostname, hostaddr, 0, host_key,
                            ROQUIET, user_hostfiles, num_user_hostfiles,
-                           system_hostfiles, num_system_hostfiles,
-                           NULL) == 0) {
+                           system_hostfiles, num_system_hostfiles) == 0) {
                                debug("found matching key w/out port");
                                break;
                        }
@@ -1126,13 +1113,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                free_hostkeys(host_hostkeys);
        if (ip_hostkeys != NULL)
                free_hostkeys(ip_hostkeys);
-       if (cert_fallbackp != NULL)
-               *cert_fallbackp = cert_fallback;
        return 0;
 
 fail:
-       if (cert_fallbackp != NULL && want_cert &&
-           host_status != HOST_REVOKED) {
+       if (want_cert && host_status != HOST_REVOKED) {
                /*
                 * No matching certificate. Downgrade cert to raw key and
                 * search normally.
@@ -1144,7 +1128,6 @@ fail:
                if ((r = sshkey_drop_cert(raw_key)) != 0)
                        fatal("Couldn't drop certificate: %s", ssh_err(r));
                host_key = raw_key;
-               cert_fallback = 1;
                goto retry;
        }
        sshkey_free(raw_key);
@@ -1157,24 +1140,15 @@ fail:
        return -1;
 }
 
-/*
- * returns 0 if key verifies or -1 if key does NOT verify.
- *
- * If the host key was a certificate that was downgraded to a plain key in
- * the process of matching, then cert_fallbackp will be non-zero.
- */
+/* returns 0 if key verifies or -1 if key does NOT verify */
 int
-verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key,
-    int *cert_fallbackp)
+verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 {
        u_int i;
-       int r = -1, flags = 0, cert_fallback = 0;
+       int r = -1, flags = 0;
        char valid[64], *fp = NULL, *cafp = NULL;
        struct sshkey *plain = NULL;
 
-       if (cert_fallbackp != NULL)
-               *cert_fallbackp = 0;
-
        if ((fp = sshkey_fingerprint(host_key,
            options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
                error("%s: fingerprint host key: %s", __func__, ssh_err(r));
@@ -1265,20 +1239,15 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key,
        }
        r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
            options.user_hostfiles, options.num_user_hostfiles,
-           options.system_hostfiles, options.num_system_hostfiles,
-           &cert_fallback);
+           options.system_hostfiles, options.num_system_hostfiles);
 
 out:
        sshkey_free(plain);
        free(fp);
        free(cafp);
-       if (r == 0) {
-               if (host_key != NULL) {
-                       sshkey_free(previous_host_key);
-                       r = sshkey_from_private(host_key, &previous_host_key);
-               }
-               if (r == 0 && cert_fallbackp != NULL)
-                       *cert_fallbackp = cert_fallback;
+       if (r == 0 && host_key != NULL) {
+               sshkey_free(previous_host_key);
+               r = sshkey_from_private(host_key, &previous_host_key);
        }
 
        return r;

diff --git a/sshconnect.h b/sshconnect.h
index 6d63075e9638b7286e85fbe7d9bca808bb6e318a..b2fbf157915b45035e032c5185328bed824e7676 100644 (file)
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.41 2020/10/03 08:11:28 djm Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.42 2020/10/07 02:22:23 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -41,7 +41,7 @@ void   ssh_kill_proxy_command(void);
 void    ssh_login(struct ssh *, Sensitive *, const char *,
     struct sockaddr *, u_short, struct passwd *, int);
 
-int     verify_host_key(char *, struct sockaddr *, struct sshkey *, int *);
+int     verify_host_key(char *, struct sockaddr *, struct sshkey *);
 
 void    get_hostfile_hostname_ipaddr(char *, struct sockaddr *, u_short,
     char **, char **);

diff --git a/sshconnect2.c b/sshconnect2.c
index ec539afb3ea0807365f28c8a4d4265310e6d49df..6da2248f59dd71ca174d7347b7e6c3dcfd1e4771 100644 (file)
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.328 2020/10/04 09:45:01 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.329 2020/10/07 02:22:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -97,13 +97,8 @@ struct sockaddr *xxx_hostaddr;
 static int
 verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
 {
-       int cert_downgraded = 0;
-
-       if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
-           &cert_downgraded) == -1)
+       if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
                fatal("Host key verification failed.");
-       if (cert_downgraded)
-               ssh->kex->flags |= KEX_HOSTCERT_CONVERT;
        return 0;
 }