Zoltan Fridrich abf032
diff --color -ru a/clientloop.c b/clientloop.c
Zoltan Fridrich abf032
--- a/clientloop.c	2022-06-29 16:35:06.677597259 +0200
Zoltan Fridrich abf032
+++ b/clientloop.c	2022-06-29 16:40:29.737926205 +0200
Zoltan Fridrich abf032
@@ -116,6 +116,9 @@
Zoltan Fridrich abf032
 #include "ssh-gss.h"
Zoltan Fridrich abf032
 #endif
Dmitry Belyavskiy 829ee6
 
Zoltan Fridrich abf032
+/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
Zoltan Fridrich abf032
+#define HOSTKEY_PROOF_RSA_ALGS	"rsa-sha2-512,rsa-sha2-256"
Dmitry Belyavskiy 829ee6
+
Zoltan Fridrich abf032
 /* import options */
Zoltan Fridrich abf032
 extern Options options;
Zoltan Fridrich abf032
 
Zoltan Fridrich abf032
@@ -2110,8 +2113,10 @@
Zoltan Fridrich abf032
 	struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
Zoltan Fridrich abf032
 	size_t i, ndone;
Zoltan Fridrich abf032
 	struct sshbuf *signdata;
Zoltan Fridrich abf032
-	int r, kexsigtype, use_kexsigtype;
Zoltan Fridrich abf032
+	int r, plaintype;
Zoltan Fridrich abf032
 	const u_char *sig;
Zoltan Fridrich abf032
+	const char *rsa_kexalg = NULL;
Zoltan Fridrich abf032
+	char *alg = NULL;
Zoltan Fridrich abf032
 	size_t siglen;
Zoltan Fridrich abf032
 
Zoltan Fridrich abf032
 	if (ctx->nnew == 0)
Zoltan Fridrich abf032
@@ -2122,9 +2127,9 @@
Zoltan Fridrich abf032
 		hostkeys_update_ctx_free(ctx);
Zoltan Fridrich abf032
 		return;
Zoltan Fridrich abf032
 	}
Zoltan Fridrich abf032
-	kexsigtype = sshkey_type_plain(
Zoltan Fridrich abf032
-	    sshkey_type_from_name(ssh->kex->hostkey_alg));
Zoltan Fridrich abf032
-
Zoltan Fridrich abf032
+	if (sshkey_type_plain(sshkey_type_from_name(
Zoltan Fridrich abf032
+	    ssh->kex->hostkey_alg)) == KEY_RSA)
Zoltan Fridrich abf032
+		rsa_kexalg = ssh->kex->hostkey_alg;
Zoltan Fridrich abf032
 	if ((signdata = sshbuf_new()) == NULL)
Zoltan Fridrich abf032
 		fatal_f("sshbuf_new failed");
Zoltan Fridrich abf032
 	/*
Zoltan Fridrich abf032
@@ -2135,6 +2140,7 @@
Zoltan Fridrich abf032
 	for (ndone = i = 0; i < ctx->nkeys; i++) {
Zoltan Fridrich abf032
 		if (ctx->keys_match[i])
Zoltan Fridrich abf032
 			continue;
Zoltan Fridrich abf032
+		plaintype = sshkey_type_plain(ctx->keys[i]->type);
Zoltan Fridrich abf032
 		/* Prepare data to be signed: session ID, unique string, key */
Zoltan Fridrich abf032
 		sshbuf_reset(signdata);
Zoltan Fridrich abf032
 		if ( (r = sshbuf_put_cstring(signdata,
Zoltan Fridrich abf032
@@ -2148,19 +2154,33 @@
Zoltan Fridrich abf032
 			error_fr(r, "parse sig");
Zoltan Fridrich abf032
 			goto out;
Zoltan Fridrich abf032
 		}
Zoltan Fridrich abf032
+		if ((r = sshkey_get_sigtype(sig, siglen, &alg)) != 0) {
Zoltan Fridrich abf032
+			error_fr(r, "server gave unintelligible signature "
Zoltan Fridrich abf032
+				"for %s key %zu", sshkey_type(ctx->keys[i]), i);
Zoltan Fridrich abf032
+			goto out;
Dmitry Belyavskiy 829ee6
+		}
Zoltan Fridrich abf032
 		/*
Zoltan Fridrich abf032
-		 * For RSA keys, prefer to use the signature type negotiated
Zoltan Fridrich abf032
-		 * during KEX to the default (SHA1).
Zoltan Fridrich abf032
+		 * Special case for RSA keys: if a RSA hostkey was negotiated,
Zoltan Fridrich abf032
+		 * then use its signature type for verification of RSA hostkey
Zoltan Fridrich abf032
+		 * proofs. Otherwise, accept only RSA-SHA256/512 signatures.
Zoltan Fridrich abf032
 		 */
Zoltan Fridrich abf032
-		use_kexsigtype = kexsigtype == KEY_RSA &&
Zoltan Fridrich abf032
-		    sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA;
Zoltan Fridrich abf032
-		debug3_f("verify %s key %zu using %s sigalg",
Zoltan Fridrich abf032
-		    sshkey_type(ctx->keys[i]), i,
Zoltan Fridrich abf032
-		    use_kexsigtype ? ssh->kex->hostkey_alg : "default");
Zoltan Fridrich abf032
+		if (plaintype == KEY_RSA && rsa_kexalg == NULL &&
Zoltan Fridrich abf032
+		    match_pattern_list(alg, HOSTKEY_PROOF_RSA_ALGS, 0) != 1) {
Zoltan Fridrich abf032
+			debug_f("server used untrusted RSA signature algorithm "
Zoltan Fridrich abf032
+				"%s for key %zu, disregarding", alg, i);
Zoltan Fridrich abf032
+			free(alg);
Zoltan Fridrich abf032
+			/* zap the key from the list */
Zoltan Fridrich abf032
+			sshkey_free(ctx->keys[i]);
Zoltan Fridrich abf032
+			ctx->keys[i] = NULL;
Zoltan Fridrich abf032
+			ndone++;
Zoltan Fridrich abf032
+			continue;
Dmitry Belyavskiy 829ee6
+		}
Zoltan Fridrich abf032
+		debug3_f("verify %s key %zu using sigalg %s",
Zoltan Fridrich abf032
+			sshkey_type(ctx->keys[i]), i, alg);
Zoltan Fridrich abf032
+		free(alg);
Zoltan Fridrich abf032
 		if ((r = sshkey_verify(ctx->keys[i], sig, siglen,
Zoltan Fridrich abf032
 		    sshbuf_ptr(signdata), sshbuf_len(signdata),
Zoltan Fridrich abf032
-		    use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0,
Zoltan Fridrich abf032
-		    NULL)) != 0) {
Zoltan Fridrich abf032
+		    plaintype == KEY_RSA ? rsa_kexalg : NULL, 0, NULL)) != 0) {
Zoltan Fridrich abf032
 			error_fr(r, "server gave bad signature for %s key %zu",
Zoltan Fridrich abf032
 			    sshkey_type(ctx->keys[i]), i);
Zoltan Fridrich abf032
 			goto out;
Dmitry Belyavskiy a0db6b
diff --git a/hostfile.c b/hostfile.c
Dmitry Belyavskiy a0db6b
index a035b381..bd49e3ac 100644
Dmitry Belyavskiy a0db6b
--- a/hostfile.c
Dmitry Belyavskiy a0db6b
+++ b/hostfile.c
Dmitry Belyavskiy a0db6b
@@ -642,7 +642,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
Dmitry Belyavskiy a0db6b
 	/* Re-add the requested keys */
Dmitry Belyavskiy a0db6b
 	want = HKF_MATCH_HOST | (ip == NULL ? 0 : HKF_MATCH_IP);
Dmitry Belyavskiy a0db6b
 	for (i = 0; i < nkeys; i++) {
Dmitry Belyavskiy a0db6b
-		if ((want & ctx.match_keys[i]) == want)
Dmitry Belyavskiy a0db6b
+		if (keys[i] == NULL || (want & ctx.match_keys[i]) == want)
Dmitry Belyavskiy a0db6b
 			continue;
Dmitry Belyavskiy a0db6b
 		if ((fp = sshkey_fingerprint(keys[i], hash_alg,
Dmitry Belyavskiy a0db6b
 		    SSH_FP_DEFAULT)) == NULL) {
Zoltan Fridrich abf032
diff --color -ru a/kex.c b/kex.c
Zoltan Fridrich abf032
--- a/kex.c	2022-06-29 16:35:06.775599179 +0200
Zoltan Fridrich abf032
+++ b/kex.c	2022-06-29 16:42:00.839710940 +0200
Zoltan Fridrich abf032
@@ -959,6 +959,18 @@
Zoltan Fridrich abf032
 	return (1);
Zoltan Fridrich abf032
 }
Zoltan Fridrich abf032
 
Zoltan Fridrich abf032
+/* returns non-zero if proposal contains any algorithm from algs */
Zoltan Fridrich abf032
+static int
Zoltan Fridrich abf032
+has_any_alg(const char *proposal, const char *algs)
Zoltan Fridrich abf032
+{
Zoltan Fridrich abf032
+	char *cp;
Dmitry Belyavskiy 829ee6
+
Zoltan Fridrich abf032
+	if ((cp = match_list(proposal, algs, NULL)) == NULL)
Zoltan Fridrich abf032
+		return 0;
Zoltan Fridrich abf032
+	free(cp);
Zoltan Fridrich abf032
+	return 1;
Zoltan Fridrich abf032
+}
Dmitry Belyavskiy 829ee6
+
Zoltan Fridrich abf032
 static int
Zoltan Fridrich abf032
 kex_choose_conf(struct ssh *ssh)
Zoltan Fridrich abf032
 {
Zoltan Fridrich abf032
@@ -994,6 +1006,16 @@
Zoltan Fridrich abf032
 		free(ext);
Zoltan Fridrich abf032
 	}
Zoltan Fridrich abf032
 
Zoltan Fridrich abf032
+	/* Check whether client supports rsa-sha2 algorithms */
Zoltan Fridrich abf032
+	if (kex->server && (kex->flags & KEX_INITIAL)) {
Zoltan Fridrich abf032
+		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
Zoltan Fridrich abf032
+		    "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
Zoltan Fridrich abf032
+			kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
Zoltan Fridrich abf032
+		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
Zoltan Fridrich abf032
+		    "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
Dmitry Belyavskiy 829ee6
+			kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
Dmitry Belyavskiy 829ee6
+	}
Dmitry Belyavskiy 829ee6
+
Dmitry Belyavskiy 829ee6
 	/* Algorithm Negotiation */
Dmitry Belyavskiy 829ee6
 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
Dmitry Belyavskiy 829ee6
 	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
Zoltan Fridrich abf032
diff --color -ru a/kex.h b/kex.h
Zoltan Fridrich abf032
--- a/kex.h	2022-06-29 16:35:06.766599003 +0200
Zoltan Fridrich abf032
+++ b/kex.h	2022-06-29 16:42:24.199168567 +0200
Zoltan Fridrich abf032
@@ -116,6 +116,8 @@
Dmitry Belyavskiy 829ee6
 
Dmitry Belyavskiy 829ee6
 #define KEX_INIT_SENT	0x0001
Dmitry Belyavskiy 829ee6
 #define KEX_INITIAL	0x0002
Zoltan Fridrich abf032
+#define KEX_RSA_SHA2_256_SUPPORTED      0x0008 /* only set in server for now */
Zoltan Fridrich abf032
+#define KEX_RSA_SHA2_512_SUPPORTED      0x0010 /* only set in server for now */
Dmitry Belyavskiy 829ee6
 
Dmitry Belyavskiy 829ee6
 struct sshenc {
Dmitry Belyavskiy 829ee6
 	char	*name;
Zoltan Fridrich abf032
diff --color -ru a/serverloop.c b/serverloop.c
Zoltan Fridrich abf032
--- a/serverloop.c	2021-08-20 06:03:49.000000000 +0200
Zoltan Fridrich abf032
+++ b/serverloop.c	2022-06-29 16:45:05.902336428 +0200
Zoltan Fridrich abf032
@@ -684,16 +684,18 @@
Dmitry Belyavskiy 829ee6
 	struct sshbuf *resp = NULL;
Dmitry Belyavskiy 829ee6
 	struct sshbuf *sigbuf = NULL;
Dmitry Belyavskiy 829ee6
 	struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
Dmitry Belyavskiy 829ee6
-	int r, ndx, kexsigtype, use_kexsigtype, success = 0;
Dmitry Belyavskiy 829ee6
+	int r, ndx, success = 0;
Dmitry Belyavskiy 829ee6
 	const u_char *blob;
Zoltan Fridrich abf032
+	const char *sigalg, *kex_rsa_sigalg = NULL;
Dmitry Belyavskiy 829ee6
 	u_char *sig = 0;
Dmitry Belyavskiy 829ee6
 	size_t blen, slen;
Zoltan Fridrich abf032
 
Dmitry Belyavskiy 829ee6
 	if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
Dmitry Belyavskiy 829ee6
 		fatal_f("sshbuf_new");
Dmitry Belyavskiy 829ee6
 
Dmitry Belyavskiy 829ee6
-	kexsigtype = sshkey_type_plain(
Dmitry Belyavskiy 829ee6
-	    sshkey_type_from_name(ssh->kex->hostkey_alg));
Zoltan Fridrich abf032
+	if (sshkey_type_plain(sshkey_type_from_name(
Zoltan Fridrich abf032
+	    ssh->kex->hostkey_alg)) == KEY_RSA)
Zoltan Fridrich abf032
+		kex_rsa_sigalg = ssh->kex->hostkey_alg;
Dmitry Belyavskiy 829ee6
 	while (ssh_packet_remaining(ssh) > 0) {
Dmitry Belyavskiy 829ee6
 		sshkey_free(key);
Dmitry Belyavskiy 829ee6
 		key = NULL;
Zoltan Fridrich abf032
@@ -726,16 +728,24 @@
Dmitry Belyavskiy 829ee6
 		 * For RSA keys, prefer to use the signature type negotiated
Dmitry Belyavskiy 829ee6
 		 * during KEX to the default (SHA1).
Dmitry Belyavskiy 829ee6
 		 */
Dmitry Belyavskiy 829ee6
-		use_kexsigtype = kexsigtype == KEY_RSA &&
Dmitry Belyavskiy 829ee6
-		    sshkey_type_plain(key->type) == KEY_RSA;
Zoltan Fridrich abf032
+		sigalg = NULL;
Dmitry Belyavskiy 829ee6
+		if (sshkey_type_plain(key->type) == KEY_RSA) {
Zoltan Fridrich abf032
+			if (kex_rsa_sigalg != NULL)
Zoltan Fridrich abf032
+				sigalg = kex_rsa_sigalg;
Zoltan Fridrich abf032
+			else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED)
Zoltan Fridrich abf032
+				sigalg = "rsa-sha2-512";
Zoltan Fridrich abf032
+			else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
Zoltan Fridrich abf032
+				sigalg = "rsa-sha2-256";
Dmitry Belyavskiy 829ee6
+		}
Zoltan Fridrich abf032
+		debug3_f("sign %s key (index %d) using sigalg %s",
Zoltan Fridrich abf032
+		sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
Dmitry Belyavskiy 829ee6
 		if ((r = sshbuf_put_cstring(sigbuf,
Dmitry Belyavskiy 829ee6
 		    "hostkeys-prove-00@openssh.com")) != 0 ||
Dmitry Belyavskiy 829ee6
 		    (r = sshbuf_put_stringb(sigbuf,
Zoltan Fridrich abf032
 		    ssh->kex->session_id)) != 0 ||
Dmitry Belyavskiy 829ee6
 		    (r = sshkey_puts(key, sigbuf)) != 0 ||
Dmitry Belyavskiy 829ee6
 		    (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
Zoltan Fridrich abf032
-		    sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
Dmitry Belyavskiy 829ee6
-		    use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
Zoltan Fridrich abf032
+		    sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), sigalg)) != 0 ||
Dmitry Belyavskiy 829ee6
 		    (r = sshbuf_put_string(resp, sig, slen)) != 0) {
Dmitry Belyavskiy 829ee6
 			error_fr(r, "assemble signature");
Dmitry Belyavskiy 829ee6
 			goto out;