[openssh-commits] [openssh] branch master updated: upstream: bit of webauthn support missed in previous commit

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Feb 7 13:03:30 AEDT 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new 15fe1ceb2 upstream: bit of webauthn support missed in previous commit
15fe1ceb2 is described below

commit 15fe1ceb29760d72398c6ac7df5a403416cba207
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sat Feb 7 02:02:00 2026 +0000

    upstream: bit of webauthn support missed in previous commit
    
    OpenBSD-Commit-ID: 9768454543ded01b7c61567fc5b3e78664346be2
---
 authfd.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/authfd.c b/authfd.c
index 2bbe646e3..9b103b524 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.136 2025/08/29 03:50:38 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.137 2026/02/07 02:02:00 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -437,8 +437,15 @@ ssh_agent_sign(int sock, const struct sshkey *key,
 	}
 	if ((r = sshbuf_get_string(msg, &sig, &len)) != 0)
 		goto out;
-	/* Check what we actually got back from the agent. */
-	if ((r = sshkey_check_sigtype(sig, len, alg)) != 0)
+	/*
+	 * Check what we actually got back from the agent, in case it returned
+	 * an incorrect RSA signature algorithm (e.g. "ssh-rsa" (RSA/SHA1) vs.
+	 * "rsa-sha2-256").
+	 * We don't do this for FIDO signatures as webauthn vs plain are just
+	 * different signature formats and not entirely different algorithms.
+	 */
+	if (!sshkey_is_sk(key) &&
+	    (r = sshkey_check_sigtype(sig, len, alg)) != 0)
 		goto out;
 	/* success */
 	*sigp = sig;
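Review bot: The new `!sshkey_is_sk(key) &&` guard in ssh_agent_sign() skips `sshkey_check_sigtype()` for every FIDO key, which is wider than the rationale in the comment. The comment only argues that webauthn and plain signatures are two acceptable formats of the same algorithm, but with this condition an agent reply carrying any signature type string is handed back through `*sigp` for sk keys without being compared against `alg` here. Consider keeping a check for sk keys that accepts only the plain and webauthn forms corresponding to the requested algorithm, so that an unexpected or malformed agent response still fails at this point rather than depending on a later consumer to reject it. If the sk signature format is validated elsewhere, the comment should say where.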

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

