From 99fe8be9db07798899922f3d16c79636bf02db98 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Tue, 14 Apr 2026 10:42:30 +0200
Subject: [PATCH] Fix CVE-2026-35387

Fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys

Resolves: RHEL-166235

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 ...h-9.9p1-ecdsa-incomplete-application.patch | 103 ++++++++++++++++++
 openssh.spec                                  |   6 +
 2 files changed, 109 insertions(+)
 create mode 100644 openssh-9.9p1-ecdsa-incomplete-application.patch

diff --git a/openssh-9.9p1-ecdsa-incomplete-application.patch b/openssh-9.9p1-ecdsa-incomplete-application.patch
new file mode 100644
index 0000000..3b93ca4
--- /dev/null
+++ b/openssh-9.9p1-ecdsa-incomplete-application.patch
@@ -0,0 +1,103 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c	2026-04-09 13:22:28.114045749 +0200
++++ b/auth2-hostbased.c	2026-04-09 14:34:44.876393822 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
++	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++		error_f("key type mismatch for decoded key "
++		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c	2026-04-09 13:22:28.157194118 +0200
++++ b/auth2-pubkey.c	2026-04-09 14:35:48.997689347 +0200
+@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
++	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++		error_f("key type mismatch for decoded key "
++		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (auth2_key_already_used(authctxt, key)) {
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c	2026-04-09 13:22:28.193412553 +0200
++++ b/sshconnect2.c	2026-04-09 14:42:37.644945762 +0200
+@@ -91,6 +91,7 @@ extern Options options;
+ static char *xxx_host;
+ static struct sockaddr *xxx_hostaddr;
+ static const struct ssh_conn_info *xxx_conn_info;
++static int key_type_allowed(struct sshkey *, const char *);
+ 
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *
+ 	if ((r = sshkey_check_rsa_length(hostkey,
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
++	if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
++		fatal("Server host key %s not in HostKeyAlgorithms",
++		    sshkey_ssh_name(hostkey));
++	}
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ 	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id)
+ }
+ 
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
++key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+-	if (match_pattern_list(sshkey_ssh_name(key),
+-	    options.pubkey_accepted_algos, 0) == 1)
++	if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ 		return 1;
+ 
+ 	/* RSA keys/certs might be allowed by alternate signature types */
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-		if (match_pattern_list("rsa-sha2-512",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ 			return 1;
+-		if (match_pattern_list("rsa-sha2-256",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	case KEY_RSA_CERT:
+ 		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		    allowlist, 0) == 1)
+ 			return 1;
+ 		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		    allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	}
+ 	return 0;
+ }
+ 
++static int
++key_type_allowed_by_config(struct sshkey *key)
++{
++	return key_type_allowed(key, options.pubkey_accepted_algos);
++}
++
+ /* obtain a list of keys from the agent */
+ static int
+ get_agent_identities(struct ssh *ssh, int *agent_fdp,
diff --git a/openssh.spec b/openssh.spec
index 1624478..34b97b1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -253,6 +253,8 @@ Patch1040: openssh-9.9p1-fill-default-options-error.patch
 Patch1041: openssh-9.9p1-scp-clear-setuid.patch
 # upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
 Patch1042: openssh-9.9p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1043: openssh-9.9p1-ecdsa-incomplete-application.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -469,6 +471,7 @@ popd
 %patch1040 -p1 -b .fill-default-options-error
 %patch1041 -p1 -b .scp-clear-setuid
 %patch1042 -p1 -b .mux-askpass-check
+%patch1043 -p1 -b .ecdsa-incomplete-application
 
 %patch100 -p1 -b .coverity
 
@@ -770,6 +773,9 @@ test -f %{sysconfig_anaconda} && \
 - CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
   multiplexing sessions
   Resolves: RHEL-166251
+- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
+  and HostbasedAcceptedAlgorithms with regard to ECDSA keys
+  Resolves: RHEL-166235
 
 * Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
 - Version bump