[openssh-commits] [openssh] 02/02: upstream: when using RSA keys to sign messages, select the
git+noreply at mindrot.org
Wed Nov 27 08:24:59 AEDT 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit d1c1cfc5e4e9b43593d4642810ea8135e4c7db49
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Tue Nov 26 21:23:35 2024 +0000
upstream: when using RSA keys to sign messages, select the
signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx").
This allows using something other than rsa-sha2-512, which may not
be supported on all signing backends, e.g. some smartcards only
support SHA256.
Patch from Morten Linderud; ok markus@
OpenBSD-Commit-ID: 246353fac24e92629263996558c6788348363ad7
---
sshsig.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sshsig.c b/sshsig.c
index 470b286a..289f3e72 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.35 2024/03/08 22:16:32 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.36 2024/11/26 21:23:35 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -190,8 +190,13 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
}
/* If using RSA keys then default to a good signature algorithm */
- if (sshkey_type_plain(key->type) == KEY_RSA)
+ if (sshkey_type_plain(key->type) == KEY_RSA) {
sign_alg = RSA_SIGN_ALG;
+ if (strcmp(hashalg, "sha256") == 0)
+ sign_alg = "rsa-sha2-256";
+ else if (strcmp(hashalg, "sha512") == 0)
+ sign_alg = "rsa-sha2-512";
+ }
if (signer != NULL) {
if ((r = signer(key, &sig, &slen,
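Review bot: In the new block under the `KEY_RSA` check, any `hashalg` other than "sha256" or "sha512" silently keeps `RSA_SIGN_ALG`, so the RSA signature can end up using a different hash than the one requested, with no indication to the caller. Consider either documenting that fallback in the comment above (which still reads "default to a good signature algorithm" and no longer describes the selection by `hashalg`) or handling the unmatched case explicitly. Also, `strcmp(hashalg, "sha256")` dereferences `hashalg` directly and no NULL check is visible in this hunk, so it is worth confirming that the earlier part of `sshsig_wrap_sign` or its callers guarantee a non-NULL value before this point.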