diff options
author | djm@openbsd.org <djm@openbsd.org> | 2022-09-17 10:33:18 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2022-09-17 20:39:02 +1000 |
commit | 54b333d12e55e6560b328c737d514ff3511f1afd (patch) | |
tree | a146a4a4f3413d2003e573de1f7085823a2f306c /ssh.c | |
parent | 07d8771bacfefbcfb37fa8a6dc6103bcc097e0ab (diff) |
upstream: add a RequiredRSASize for checking RSA key length in
ssh(1). User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then the connection
will be terminated (unfortunately there are no fallbacks in the protocol for
host authentication).
feedback deraadt, Dmitry Belyavskiy; ok markus@
OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 27 |
1 files changed, 18 insertions, 9 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.576 2022/09/17 10:33:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -516,14 +516,22 @@ resolve_canonicalize(char **hostp, int port) } /* - * Check the result of hostkey loading, ignoring some errors and - * fatal()ing for others. + * Check the result of hostkey loading, ignoring some errors and either + * discarding the key or fatal()ing for others. */ static void -check_load(int r, const char *path, const char *message) +check_load(int r, struct sshkey **k, const char *path, const char *message) { switch (r) { case 0: + /* Check RSA keys size and discard if undersized */ + if (k != NULL && *k != NULL && + (r = sshkey_check_rsa_length(*k, + options.required_rsa_size)) != 0) { + error_r(r, "load %s \"%s\"", message, path); + free(*k); + *k = NULL; + } break; case SSH_ERR_INTERNAL_ERROR: case SSH_ERR_ALLOC_FAIL: @@ -1578,7 +1586,7 @@ main(int ac, char **av) if ((o) >= sensitive_data.nkeys) \ fatal_f("pubkey out of array bounds"); \ check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \ - p, "pubkey"); \ + &(sensitive_data.keys[o]), p, "pubkey"); \ if (sensitive_data.keys[o] != NULL) \ debug2("hostbased key %d: %s key from \"%s\"", o, \ sshkey_ssh_name(sensitive_data.keys[o]), p); \ @@ -1586,7 +1594,8 @@ main(int ac, char **av) #define L_CERT(p,o) do { \ if ((o) >= sensitive_data.nkeys) \ fatal_f("cert out of array bounds"); \ - check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \ + check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \ + &(sensitive_data.keys[o]), p, "cert"); \ if (sensitive_data.keys[o] != NULL) \ debug2("hostbased key %d: %s cert from \"%s\"", o, \ sshkey_ssh_name(sensitive_data.keys[o]), p); \ @@ -2265,7 +2274,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) filename = default_client_percent_dollar_expand(cp, cinfo); free(cp); check_load(sshkey_load_public(filename, &public, NULL), - filename, "pubkey"); + &public, filename, "pubkey"); debug("identity file %s type %d", filename, public ? public->type : -1); free(options.identity_files[i]); @@ -2284,7 +2293,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) continue; xasprintf(&cp, "%s-cert", filename); check_load(sshkey_load_public(cp, &public, NULL), - filename, "pubkey"); + &public, filename, "pubkey"); debug("identity file %s type %d", cp, public ? public->type : -1); if (public == NULL) { @@ -2315,7 +2324,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) free(cp); check_load(sshkey_load_public(filename, &public, NULL), - filename, "certificate"); + &public, filename, "certificate"); debug("certificate file %s type %d", filename, public ? public->type : -1); free(options.certificate_files[i]); |