[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm

Ron Frederick ronf at timeheart.net
Sun Nov 24 02:55:17 AEDT 2024 

There is no hash algorithm associated with SSH keys. The key format for RSA keys is always ’ssh-rsa’, and it is capable of being used with any of the available signature algorithms (ssh-rsa for SHA-1 and rsa-sha2-256 or rsa-sha2-512 for SHA-2).

See section 3 in https://www.rfc-editor.org/rfc/rfc8332:

     rsa-sha2-256        RECOMMENDED    sign    Raw RSA key
     rsa-sha2-512        OPTIONAL       sign    Raw RSA key

   These algorithms are suitable for use both in the SSH transport layer
   [RFC4253 <https://www.rfc-editor.org/rfc/rfc4253>] for server authentication and in the authentication layer
   [RFC4252 <https://www.rfc-editor.org/rfc/rfc4252>] for client authentication.

   Since RSA keys are not dependent on the choice of hash function, the
   new public key algorithms reuse the "ssh-rsa" public key format as
   defined in [RFC4253 <https://www.rfc-editor.org/rfc/rfc4253>]:

   string    "ssh-rsa"
   mpint     e
   mpint     n

It is only RSA signature blobs that will show the new signature algorithm names.


On Nov 23, 2024, at 7:37 AM, Morten Linderud <morten at linderud.pw> wrote:
> I sent this patch back inn april and I still have a need for this. Would it be
> possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`?
> 
> -- 
> Morten Linderud
> PGP: 9C02FF419FECBE16
> 
> On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote:
>> `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512`
>> and this prevents ssh-agent implementations that can't support sha512
>> from signing messages.
>> 
>> An example of this is TPMs which mostly only really supports sha256
>> widely.
>> 
>> This change enables `ssh-keygen -Y sign` to honor the `hashalg` option
>> for the signing algorithm.
>> 
>> Signed-off-by: Morten Linderud <morten at linderud.pw>
>> ---
>> sshsig.c | 10 ++++++++--
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>> 
>> diff --git a/sshsig.c b/sshsig.c
>> index 470b286a3..033b43353 100644
>> --- a/sshsig.c
>> +++ b/sshsig.c
>> @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
>> 	}
>> 
>> 	/* If using RSA keys then default to a good signature algorithm */
>> -	if (sshkey_type_plain(key->type) == KEY_RSA)
>> -		sign_alg = RSA_SIGN_ALG;
>> +	if (sshkey_type_plain(key->type) == KEY_RSA){
>> +		if (hashalg == NULL)
>> +			sign_alg = RSA_SIGN_ALG;
>> +		else if (strcmp(hashalg, "sha256") == 0)
>> +			sign_alg = "rsa-sha2-256";
>> +		else if (strcmp(hashalg, "sha512") == 0)
>> +			sign_alg = "rsa-sha2-512";
>> +	}
>> 
>> 	if (signer != NULL) {
>> 		if ((r = signer(key, &sig, &slen,
>> -- 
>> 2.44.0

-- 
Ron Frederick
ronf at timeheart.net

More information about the openssh-unix-dev mailing list