[openssh-commits] [openssh] 01/01: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Dec 21 15:40:25 AEDT 2017


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit d45d69f2a937cea215c7f0424e5a4677b6d8c7fe
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Dec 21 00:00:28 2017 +0000

    upstream commit
    
    revert stricter key type / signature type checking in
    userauth path; too much software generates inconsistent messages, so we need
    a better plan.
    
    OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519
---
 auth2-pubkey.c | 4 ++--
 monitor.c      | 9 ++++++++-
 monitor_wrap.c | 4 ++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index eac79cc3..0713a9de 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.73 2017/12/19 00:24:34 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.74 2017/12/21 00:00:28 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -214,7 +214,7 @@ userauth_pubkey(struct ssh *ssh)
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
 		    PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
-		    sshbuf_len(b), pkalg, ssh->compat)) == 0) {
+		    sshbuf_len(b), NULL, ssh->compat)) == 0) {
 			authenticated = 1;
 		}
 		sshbuf_free(b);
diff --git a/monitor.c b/monitor.c
index 5b8f0ef6..b0227eee 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.176 2017/12/18 02:25:15 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.177 2017/12/21 00:00:28 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -1353,6 +1353,12 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 	  !monitor_allowed_key(blob, bloblen))
 		fatal("%s: bad key, not previously allowed", __func__);
 
+	/* Empty signature algorithm means NULL. */
+	if (*sigalg == '\0') {
+		free(sigalg);
+		sigalg = NULL;
+	}
+
 	/* XXX use sshkey_froms here; need to change key_blob, etc. */
 	if ((r = sshkey_from_blob(blob, bloblen, &key)) != 0)
 		fatal("%s: bad public key blob: %s", __func__, ssh_err(r));
@@ -1383,6 +1389,7 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 	free(blob);
 	free(signature);
 	free(data);
+	free(sigalg);
 
 	monitor_reset_key_state();
 
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 502d4168..7471e454 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.96 2017/12/18 02:25:15 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.97 2017/12/21 00:00:28 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -458,7 +458,7 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
 	buffer_put_string(&m, blob, len);
 	buffer_put_string(&m, sig, siglen);
 	buffer_put_string(&m, data, datalen);
-	buffer_put_cstring(&m, sigalg);
+	buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg);
 	free(blob);
 
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list