[openssh-commits] [openssh] 04/05: upstream: some finesse to fix RSA-SHA2 certificate authentication

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Jul 3 23:39:41 AEST 2018



commit b4d4eda633af433d20232cbf7e855ceac8b83fe5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Jul 3 13:20:25 2018 +0000

    upstream: some finesse to fix RSA-SHA2 certificate authentication
    
    for certs hosted in ssh-agent
    
    OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
---
 sshconnect2.c | 9 ++++++---
 sshkey.c      | 8 ++++----
 sshkey.h      | 3 ++-
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/sshconnect2.c b/sshconnect2.c
index ff3b0bed..db95cb21 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.273 2018/07/03 13:07:58 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.274 2018/07/03 13:20:25 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -996,7 +996,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
 static char *
 key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 {
-	char *allowed, *oallowed, *cp, *alg = NULL;
+	char *allowed, *oallowed, *cp, *tmp, *alg = NULL;
 
 	/*
 	 * The signature algorithm will only differ from the key algorithm
@@ -1020,7 +1020,10 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 	while ((cp = strsep(&allowed, ",")) != NULL) {
 		if (sshkey_type_from_name(cp) != key->type)
 			continue;
-		alg = match_list(cp, ssh->kex->server_sig_algs, NULL);
+		tmp = match_list(sshkey_sigalg_by_name(cp), ssh->kex->server_sig_algs, NULL);
+		if (tmp != NULL)
+			alg = xstrdup(cp);
+		free(tmp);
 		if (alg != NULL)
 			break;
 	}
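Review bot: The result of sshkey_sigalg_by_name(cp) on the new line is handed straight to match_list() with no NULL check, yet elsewhere in this same commit (sshkey_check_sigtype in sshkey.c) a NULL return from that function is treated as SSH_ERR_INVALID_ARGUMENT, so the contract clearly allows it. Today the preceding `sshkey_type_from_name(cp) != key->type` filter presumably guarantees cp is a table-backed name and NULL cannot occur, but that invariant is implicit and now spans a public API; a one-line guard keeps a NULL client list out of match_list if the two lookups ever diverge: `if ((sigalg = sshkey_sigalg_by_name(cp)) == NULL) continue;` followed by `tmp = match_list(sigalg, ssh->kex->server_sig_algs, NULL);`, with `const char *sigalg` declared alongside `tmp`. Splitting the call this way also brings the added line back under the 80-column KNF limit. key_sig_algorithm begins in the previous hunk and its body continues past this one.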
diff --git a/sshkey.c b/sshkey.c
index 455cf3d6..72c08c7e 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.65 2018/07/03 11:39:54 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.66 2018/07/03 13:20:25 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -2244,8 +2244,8 @@ get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
 /*
  * Returns the expected signature algorithm for a given public key algorithm.
  */
-static const char *
-sigalg_by_name(const char *name)
+const char *
+sshkey_sigalg_by_name(const char *name)
 {
 	const struct keytype *kt;
 
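Review bot: sshkey_sigalg_by_name() is now exported, but the comment above it still describes only the success case; the caller added later in this diff (sshkey_check_sigtype) treats a NULL return as SSH_ERR_INVALID_ARGUMENT, so the NULL case is part of the public contract and should be stated. Suggest extending the comment to: `* Returns NULL if name is not a recognised key type. The returned string is not owned by the caller and must not be freed.` The ownership half is inferred from the `const char *` return type and the keytype-table iteration visible here, not from the lookup body, which continues outside this hunk — confirm against it before committing the wording.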
@@ -2276,7 +2276,7 @@ sshkey_check_sigtype(const u_char *sig, size_t siglen,
 
 	if (requested_alg == NULL)
 		return 0;
-	if ((expected_alg = sigalg_by_name(requested_alg)) == NULL)
+	if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
 		return SSH_ERR_INVALID_ARGUMENT;
 	if ((r = get_sigtype(sig, siglen, &sigtype)) != 0)
 		return r;
diff --git a/sshkey.h b/sshkey.h
index 0baf989f..9060b2ec 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.25 2018/07/03 11:39:54 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.26 2018/07/03 13:20:25 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -196,6 +196,7 @@ int	 sshkey_sign(const struct sshkey *, u_char **, size_t *,
 int	 sshkey_verify(const struct sshkey *, const u_char *, size_t,
     const u_char *, size_t, const char *, u_int);
 int	 sshkey_check_sigtype(const u_char *, size_t, const char *);
+const char *sshkey_sigalg_by_name(const char *);
 
 /* for debug */
 void	sshkey_dump_ec_point(const EC_GROUP *, const EC_POINT *);
