diff options
| -rw-r--r-- | auth2-hostbased.c | 8 | ||||
| -rw-r--r-- | auth2-pubkey.c | 8 | ||||
| -rw-r--r-- | compat.c | 12 | ||||
| -rw-r--r-- | compat.h | 4 | ||||
| -rw-r--r-- | kex.c | 6 | ||||
| -rw-r--r-- | monitor.c | 7 | ||||
| -rw-r--r-- | sshconnect2.c | 20 |
7 files changed, 11 insertions, 54 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 6b517db41..cdfe7fd85 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.51 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -101,12 +101,6 @@ userauth_hostbased(struct ssh *ssh, const char *method) "(received %d, expected %d)", key->type, pktype); goto done; } - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - error("Refusing RSA key because peer uses unsafe " - "signature format"); - goto done; - } if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { logit_f("signature algorithm %s not in " "HostbasedAcceptedAlgorithms", pkalg); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 5d59febc3..b4f1f6384 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.118 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -153,12 +153,6 @@ userauth_pubkey(struct ssh *ssh, const char *method) "(received %d, expected %d)", key->type, pktype); goto done; } - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - logit("Refusing RSA key because client uses unsafe " - "signature scheme"); - goto done; - } if (auth2_key_already_used(authctxt, key)) { logit("refusing previously-used %s key", sshkey_type(key)); goto done; @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.124 2023/02/17 03:06:18 dtucker Exp $ */ +/* $OpenBSD: compat.c,v 1.125 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -149,15 +149,7 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) char * compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) { - if (!(ssh->compat & SSH_BUG_RSASIGMD5)) - return xstrdup(pkalg_prop); - debug2_f("original public key proposal: %s", pkalg_prop); - if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) - fatal("match_filter_denylist failed"); - debug2_f("compat public key proposal: %s", pkalg_prop); - if (*pkalg_prop == '\0') - fatal("No supported PK algorithms found"); - return pkalg_prop; + return xstrdup(pkalg_prop); } /* Always returns pointer to allocated memory, caller must free. */ @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.60 2023/02/17 03:06:18 dtucker Exp $ */ +/* $OpenBSD: compat.h,v 1.61 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -40,7 +40,7 @@ /* #define unused 0x00000400 */ #define SSH_BUG_SCANNER 0x00000800 /* #define unused 0x00001000 */ -#define SSH_BUG_RSASIGMD5 0x00002000 +/* #define unused 0x00002000 */ #define SSH_OLD_DHGEX 0x00004000 #define SSH_BUG_NOREKEY 0x00008000 /* #define unused 0x00010000 */ @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.173 2022/11/07 10:05:38 dtucker Exp $ */ +/* $OpenBSD: kex.c,v 1.174 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -1404,10 +1404,6 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, r = SSH_ERR_CONN_CLOSED; /* XXX */ goto out; } - if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - logit("Remote version \"%.100s\" uses unsafe RSA signature " - "scheme; disabling use of RSA keys", remote_version); - } /* success */ r = 0; out: @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.234 2022/06/15 16:08:25 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.235 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -1161,11 +1161,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) fatal_fr(r, "parse"); if (key != NULL && authctxt->valid) { - /* These should not make it past the privsep child */ - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) - fatal_f("passed a SSH_BUG_RSASIGMD5 key"); - switch (type) { case MM_USERKEY: auth_method = "publickey"; diff --git a/sshconnect2.c b/sshconnect2.c index 58fe98db2..f0e6e6623 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.362 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1875,20 +1875,6 @@ pubkey_reset(Authctxt *authctxt) } static int -try_identity(struct ssh *ssh, Identity *id) -{ - if (!id->key) - return (0); - if (sshkey_type_plain(id->key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - debug("Skipped %s key %s for RSA/MD5 server", - sshkey_type(id->key), id->filename); - return (0); - } - return 1; -} - -static int userauth_pubkey(struct ssh *ssh) { Authctxt *authctxt = (Authctxt *)ssh->authctxt; @@ -1908,7 +1894,7 @@ userauth_pubkey(struct ssh *ssh) * private key instead */ if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { ident = format_identity(id); debug("Offering public key: %s", ident); free(ident); @@ -1918,7 +1904,7 @@ userauth_pubkey(struct ssh *ssh) debug("Trying private key: %s", id->filename); id->key = load_identity_file(id); if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { id->isprivate = 1; sent = sign_and_send_pubkey(ssh, id); } |