[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm

Morten Linderud morten at linderud.pw
Sun Nov 24 03:15:48 AEDT 2024 

On Sat, Nov 23, 2024 at 07:55:17AM -0800, Ron Frederick wrote:
> There is no hash algorithm associated with SSH keys. The key format for RSA keys is always ’ssh-rsa’, and it is capable of being used with any of the available signature algorithms (ssh-rsa for SHA-1 and rsa-sha2-256 or rsa-sha2-512 for SHA-2).
> 
> See section 3 in https://www.rfc-editor.org/rfc/rfc8332:
> 
>      rsa-sha2-256        RECOMMENDED    sign    Raw RSA key
>      rsa-sha2-512        OPTIONAL       sign    Raw RSA key
> 
>    These algorithms are suitable for use both in the SSH transport layer
>    [RFC4253 <https://www.rfc-editor.org/rfc/rfc4253>] for server authentication and in the authentication layer
>    [RFC4252 <https://www.rfc-editor.org/rfc/rfc4252>] for client authentication.
> 
>    Since RSA keys are not dependent on the choice of hash function, the
>    new public key algorithms reuse the "ssh-rsa" public key format as
>    defined in [RFC4253 <https://www.rfc-editor.org/rfc/rfc4253>]:
> 
>    string    "ssh-rsa"
>    mpint     e
>    mpint     n
> 
> It is only RSA signature blobs that will show the new signature algorithm names.


I think this misunderstands the problem? The issue here is that for `ssh-keygen
-Y` signatures with RSA keys the hashing algorithm is hardcoded to sha512
without any possibility to change this.


> On Nov 23, 2024, at 7:37 AM, Morten Linderud <morten at linderud.pw> wrote:
> > I sent this patch back inn april and I still have a need for this. Would it be
> > possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`?
> > 
> > -- 
> > Morten Linderud
> > PGP: 9C02FF419FECBE16
> > 
> > On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote:
> >> `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512`
> >> and this prevents ssh-agent implementations that can't support sha512
> >> from signing messages.
> >> 
> >> An example of this is TPMs which mostly only really supports sha256
> >> widely.
> >> 
> >> This change enables `ssh-keygen -Y sign` to honor the `hashalg` option
> >> for the signing algorithm.
> >> 
> >> Signed-off-by: Morten Linderud <morten at linderud.pw>
> >> ---
> >> sshsig.c | 10 ++++++++--
> >> 1 file changed, 8 insertions(+), 2 deletions(-)
> >> 
> >> diff --git a/sshsig.c b/sshsig.c
> >> index 470b286a3..033b43353 100644
> >> --- a/sshsig.c
> >> +++ b/sshsig.c
> >> @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
> >> 	}
> >> 
> >> 	/* If using RSA keys then default to a good signature algorithm */
> >> -	if (sshkey_type_plain(key->type) == KEY_RSA)
> >> -		sign_alg = RSA_SIGN_ALG;
> >> +	if (sshkey_type_plain(key->type) == KEY_RSA){
> >> +		if (hashalg == NULL)
> >> +			sign_alg = RSA_SIGN_ALG;
> >> +		else if (strcmp(hashalg, "sha256") == 0)
> >> +			sign_alg = "rsa-sha2-256";
> >> +		else if (strcmp(hashalg, "sha512") == 0)
> >> +			sign_alg = "rsa-sha2-512";
> >> +	}
> >> 
> >> 	if (signer != NULL) {
> >> 		if ((r = signer(key, &sig, &slen,
> >> -- 
> >> 2.44.0
> 
> -- 
> Ron Frederick
> ronf at timeheart.net
> 
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list