rpms/openssh
7
0
Fork 2
Code Issues Pull Requests Releases Activity
c8s
openssh/openssh-8.0p1-ecdsa-incomplete-application.patch
Zoltan Fridrich b0d3fc6ef1 Fix CVE-2026-35387 
Fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys

Resolves: RHEL-166224

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2026-04-15 13:02:47 +02:00

100 lines
3.4 KiB
Diff
Raw Permalink Blame History

diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
--- a/auth2-hostbased.c 2026-04-15 12:41:41.506985043 +0200
+++ b/auth2-hostbased.c 2026-04-15 12:55:55.039916421 +0200
@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh)
error("%s: cannot decode key: %s", __func__, pkalg);
goto done;
}
- if (key->type != pktype) {
- error("%s: type mismatch for decoded key "
- "(received %d, expected %d)", __func__, key->type, pktype);
+ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+ error("%s: key type mismatch for decoded key "
+ "(received %s, expected %s)", __func__, sshkey_ssh_name(key), pkalg);
goto done;
}
if (sshkey_type_plain(key->type) == KEY_RSA &&
diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
--- a/auth2-pubkey.c 2026-04-15 12:41:41.507225986 +0200
+++ b/auth2-pubkey.c 2026-04-15 12:55:06.559875789 +0200
@@ -136,9 +136,10 @@ userauth_pubkey(struct ssh *ssh)
error("%s: cannot decode key: %s", __func__, pkalg);
goto done;
}
- if (key->type != pktype) {
- error("%s: type mismatch for decoded key "
- "(received %d, expected %d)", __func__, key->type, pktype);
+ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+ error("%s: key type mismatch for decoded key "
+ "(received %s, expected %s)", __func__, sshkey_ssh_name(key), pkalg);
goto done;
}
if (sshkey_type_plain(key->type) == KEY_RSA &&
diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c 2026-04-15 12:41:41.546573648 +0200
+++ b/sshconnect2.c 2026-04-15 12:47:56.862867930 +0200
@@ -91,10 +91,15 @@ u_int session_id2_len = 0;
char *xxx_host;
struct sockaddr *xxx_hostaddr;
+static int key_type_allowed(struct sshkey *, const char *);
static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{
+ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
+ fatal("Server host key %s not in HostKeyAlgorithms",
+ sshkey_ssh_name(hostkey));
+ }
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
fatal("Host key verification failed.");
return 0;
@@ -1662,34 +1667,36 @@ load_identity_file(Identity *id)
}
static int
-key_type_allowed_by_config(struct sshkey *key)
+key_type_allowed(struct sshkey *key, const char *allowlist)
{
- if (match_pattern_list(sshkey_ssh_name(key),
- options.pubkey_key_types, 0) == 1)
+ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
return 1;
/* RSA keys/certs might be allowed by alternate signature types */
switch (key->type) {
case KEY_RSA:
- if (match_pattern_list("rsa-sha2-512",
- options.pubkey_key_types, 0) == 1)
+ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
return 1;
- if (match_pattern_list("rsa-sha2-256",
- options.pubkey_key_types, 0) == 1)
+ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
return 1;
break;
case KEY_RSA_CERT:
if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
- options.pubkey_key_types, 0) == 1)
+ allowlist, 0) == 1)
return 1;
if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
- options.pubkey_key_types, 0) == 1)
+ allowlist, 0) == 1)
return 1;
break;
}
return 0;
}
+static int
+key_type_allowed_by_config(struct sshkey *key)
+{
+ return key_type_allowed(key, options.pubkey_key_types);
+}
/*
* try keys in the following order:
Reference in New Issue View Git Blame Copy Permalink