RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-04-11 03:51:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

upstream: be more strict in parsing key type names. Only allow

Browse Source 
shortnames (e.g "rsa") in user-interface code and require full SSH protocol
names (e.g. "ssh-rsa") everywhere else.

Prompted by bz3725; ok markus@

OpenBSD-Commit-ID: b3d8de9dac37992eab78adbf84fab2fe0d84b187
This commit is contained in:
djm@openbsd.org 2024-09-04 05:33:34 +00:00 committed by Damien Miller
parent ef8472309a
commit 13cc78d016
No known key found for this signature in database
4 changed files with 28 additions and 13 deletions

10
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.473 2024/08/15 00:51:51 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.474 2024/09/04 05:33:34 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -261,7 +261,7 @@ ask_filename(struct passwd *pw, const char *prompt)
if (key_type_name == NULL) if (key_type_name == NULL)
name = _PATH_SSH_CLIENT_ID_ED25519; name = _PATH_SSH_CLIENT_ID_ED25519;
else { else {
switch (sshkey_type_from_name(key_type_name)) { switch (sshkey_type_from_shortname(key_type_name)) {
#ifdef WITH_DSA #ifdef WITH_DSA
case KEY_DSA_CERT: case KEY_DSA_CERT:
case KEY_DSA: case KEY_DSA:
@ -1140,7 +1140,7 @@ do_gen_all_hostkeys(struct passwd *pw)
} }
printf("%s ", key_types[i].key_type_display); printf("%s ", key_types[i].key_type_display);
fflush(stdout); fflush(stdout);
type = sshkey_type_from_name(key_types[i].key_type); type = sshkey_type_from_shortname(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));
@ -1846,7 +1846,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
free(tmp); free(tmp);
if (key_type_name != NULL) { if (key_type_name != NULL) {
if (sshkey_type_from_name(key_type_name) != ca->type) { if (sshkey_type_from_shortname(key_type_name) != ca->type) {
fatal("CA key type %s doesn't match specified %s", fatal("CA key type %s doesn't match specified %s",
sshkey_ssh_name(ca), key_type_name); sshkey_ssh_name(ca), key_type_name);
} }
@ -3836,7 +3836,7 @@ main(int argc, char **argv)
if (key_type_name == NULL) if (key_type_name == NULL)
key_type_name = DEFAULT_KEY_TYPE_NAME; key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name); type = sshkey_type_from_shortname(key_type_name);
type_bits_valid(type, key_type_name, &bits); type_bits_valid(type, key_type_name, &bits);
if (!quiet) if (!quiet)

4
ssh-keyscan.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keyscan.c,v 1.159 2024/09/02 12:13:56 djm Exp $ */ /* $OpenBSD: ssh-keyscan.c,v 1.160 2024/09/04 05:33:34 djm Exp $ */
/* /*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
* *
@ -754,7 +754,7 @@ main(int argc, char **argv)
get_keytypes = 0; get_keytypes = 0;
tname = strtok(optarg, ","); tname = strtok(optarg, ",");
while (tname) { while (tname) {
int type = sshkey_type_from_name(tname); int type = sshkey_type_from_shortname(tname);
switch (type) { switch (type) {
#ifdef WITH_DSA #ifdef WITH_DSA

24
sshkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.145 2024/08/20 11:10:04 djm Exp $ */ /* $OpenBSD: sshkey.c,v 1.146 2024/09/04 05:33:34 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -249,22 +249,36 @@ sshkey_ssh_name_plain(const struct sshkey *k)
k->ecdsa_nid); k->ecdsa_nid);
} }
int static int
sshkey_type_from_name(const char *name) type_from_name(const char *name, int allow_short)
{ {
int i; int i;
const struct sshkey_impl *impl; const struct sshkey_impl *impl;
for (i = 0; keyimpls[i] != NULL; i++) { for (i = 0; keyimpls[i] != NULL; i++) {
impl = keyimpls[i]; impl = keyimpls[i];
if (impl->name != NULL && strcmp(name, impl->name) == 0)
return impl->type;
/* Only allow shortname matches for plain key types */ /* Only allow shortname matches for plain key types */
if ((impl->name != NULL && strcmp(name, impl->name) == 0) || if (allow_short && !impl->cert && impl->shortname != NULL &&
(!impl->cert && strcasecmp(impl->shortname, name) == 0)) strcasecmp(impl->shortname, name) == 0)
return impl->type; return impl->type;
} }
return KEY_UNSPEC; return KEY_UNSPEC;
} }
int
sshkey_type_from_name(const char *name)
{
return type_from_name(name, 0);
}
int
sshkey_type_from_shortname(const char *name)
{
return type_from_name(name, 1);
}
static int static int
key_type_is_ecdsa_variant(int type) key_type_is_ecdsa_variant(int type)
{ {

3
sshkey.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.h,v 1.64 2024/08/15 00:51:51 djm Exp $ */ /* $OpenBSD: sshkey.h,v 1.65 2024/09/04 05:33:34 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -224,6 +224,7 @@ int sshkey_shield_private(struct sshkey *);
int sshkey_unshield_private(struct sshkey *); int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *); int sshkey_type_from_name(const char *);
int sshkey_type_from_shortname(const char *);
int sshkey_is_cert(const struct sshkey *); int sshkey_is_cert(const struct sshkey *);
int sshkey_is_sk(const struct sshkey *); int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int); int sshkey_type_is_cert(int);