Allow to disable RSA signatures with SHA-1
This commit is contained in:
parent
3ae9c1b0c1
commit
57e280d1f4
62
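--- /dev/null
+++ b/openssh-7.9p1-disable-sha1.patch
@@ -0,0 +1,62 @@
+diff --git a/monitor.c b/monitor.c
+index 12b33e7..a1c3c97 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -875,6 +875,34 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
+}
+#endif
+
++/*
++ * Check that the key type appears in the supplied pattern list, ignoring
++ * mismastches in the signature algorithm. (Signature algorithm checks are
++ * performed in the unprivileged authentication code).
++ * Returns 1 on success, 0 otherwise.
++ */
++static int
++key_base_type_match(const struct sshkey *key, const char *list)
++{
++ char *s, *l, *ol = xstrdup(list);
++ int found = 0;
++
++ l = ol;
++ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
++ if (sshkey_type_from_name(s) == key->type) {
++ found = 1;
++ break;
++ }
++ }
++ if (!found) {
++ debug("key type %s does not appear in list %s",
++ sshkey_ssh_name(key), list);
++ }
++
++ free(ol);
++ return found;
++}
++
+int
+mm_answer_keyallowed(int sock, struct sshbuf *m)
+{
+@@ -909,8 +937,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+break;
+if (auth2_key_already_used(authctxt, key))
+break;
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.pubkey_key_types, 0) != 1)
++ if (!key_base_type_match(key,
++ options.pubkey_key_types))
+break;
+allowed = user_key_allowed(ssh, authctxt->pw, key,
+pubkey_auth_attempt, &opts);
+@@ -921,8 +949,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+break;
+if (auth2_key_already_used(authctxt, key))
+break;
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.hostbased_key_types, 0) != 1)
++ if (!key_base_type_match(key,
++ options.hostbased_key_types))
+break;
+allowed = hostbased_key_allowed(authctxt->pw,
+cuser, chost, key);
+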
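Review bot: `key_base_type_match()` makes the privileged monitor check only the base key type and, by its own header comment, defers the signature-algorithm check to the unprivileged authentication code; since the monitor is the part that must hold when the unprivileged child is compromised, a configured SHA-1 ban should presumably also be enforced where the monitor verifies the signature — `mm_answer_keyverify` (outside this hunk) receives the signature algorithm from the child and could match it against the same `options.pubkey_key_types` / `options.hostbased_key_types` list before calling `sshkey_verify()`. `sshkey_type_from_name()` is an exact-name lookup, so if these options are still documented as pattern lists, a wildcard or `!`-negated entry that the replaced `match_pattern_list()` accepted never matches here, and the `*s != '\0'` loop condition stops at the first empty element (`ssh-ed25519,,rsa-sha2-256` never examines the last entry); either document that only plain algorithm names are accepted or loop while `s != NULL` and skip empties with `if (*s == '\0') continue;`. A key rejected by this check is reported only at `debug()`, which is too quiet for an authentication denial an operator will have to diagnose after enabling a SHA-1 ban; `error("key type %s is not in permitted list %s", sshkey_ssh_name(key), list);` would be more useful. The header comment also misspells "mismastches".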
@ -223,6 +223,9 @@ Patch951: openssh-7.6p1-pkcs11-uri.patch
|
|||||||
Patch952: openssh-7.6p1-pkcs11-ecdsa.patch
|
Patch952: openssh-7.6p1-pkcs11-ecdsa.patch
|
||||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||||
|
# Allow to disable RSA signatures with SHA-1 in server
|
||||||
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2746
|
||||||
|
Patch954: openssh-7.9p1-disable-sha1.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
@ -446,6 +449,7 @@ popd
|
|||||||
%patch952 -p1 -b .pkcs11-ecdsa
|
%patch952 -p1 -b .pkcs11-ecdsa
|
||||||
%patch953 -p1 -b .scp-ipv6
|
%patch953 -p1 -b .scp-ipv6
|
||||||
%patch808 -p1 -b .gsskex-method
|
%patch808 -p1 -b .gsskex-method
|
||||||
|
%patch954 -p1 -b .disable-sha1
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|