[Bug 2799] RSA Signatures using SHA2 provided by different ssh-agent are not properly verified

bugzilla-daemon at bugzilla.mindrot.org
Sat Nov 25 01:39:52 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2799

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3092
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3092&action=edit
Check signature algorithm while verifying RSA signatures

Thank you for having a look into that. This is certainly an improvement
and the client is doing what it is expected to do now.

I believe a similar check should also come to the RSA signature
verification, which currently uses only the insides of the signature, which
is wrong in case another algorithm is negotiated at the upper level (as in
authentication). Something like what I just added as an attachment should do
the job.


After building your patch, I am getting missing symbols:

./libssh.a(authfd.o): In function `ssh_agent_sign':
/home/jjelen/devel/openssh-portable/authfd.c:406: undefined reference to `freezero'
/home/jjelen/devel/openssh-portable/authfd.c:395: undefined reference to `freezero'
collect2: error: ld returned 1 exit status
make: *** [Makefile:165: ssh] Error 1

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
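
The check described in the comment above, as an added example that is not part of the original message and is not OpenSSH's code: it reads the algorithm name carried inside an SSH signature blob (a length-prefixed `string` followed by the signature `string`, per RFC 4253) and compares it with the algorithm negotiated at the upper level. The function name `sig_alg_matches` and the sample blob are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian uint32 at offset off, with bounds checking. */
static int get_u32(const unsigned char *p, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return -1;
    *out = ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
    return 0;
}

/* Hypothetical helper: 1 = algorithm in blob equals the negotiated one,
 * 0 = well-formed blob naming a different algorithm, -1 = malformed blob. */
int sig_alg_matches(const unsigned char *sig, size_t len, const char *expected)
{
    uint32_t alg_len, blob_len;
    size_t off = 0;

    if (get_u32(sig, len, off, &alg_len) != 0)
        return -1;
    off += 4;
    if (alg_len == 0 || alg_len > len - off)
        return -1;
    const unsigned char *alg = sig + off;
    off += alg_len;
    if (get_u32(sig, len, off, &blob_len) != 0)
        return -1;
    off += 4;
    if (blob_len != len - off)          /* reject truncated or trailing data */
        return -1;
    return alg_len == strlen(expected) && memcmp(alg, expected, alg_len) == 0;
}

/* Constructed sample: algorithm "ssh-rsa" followed by a 4-byte dummy signature. */
static const unsigned char sample_sig[] = {
    0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a',
    0, 0, 0, 4, 0xde, 0xad, 0xbe, 0xef
};

int main(void)
{
    /* An "ssh-rsa" signature returned when rsa-sha2-256 was negotiated must be refused. */
    printf("negotiated rsa-sha2-256: %d\n",
           sig_alg_matches(sample_sig, sizeof(sample_sig), "rsa-sha2-256"));
    return 0;
}
```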

