Re: [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



good point - done :)

On Tue, 26 Nov 2024, Morten Linderud wrote:

> Thank you!
> 
> There is now two " XXX maybe make configurable " in the top of the file that is
> probably no longer relevant. Do you want a followup patch for that?
> 
> Cheers,
> Morten Linderud
> 
> On Wed, Nov 27, 2024 at 08:25:15AM +1100, Damien Miller wrote:
> > Sorry, this now been committed and will be in openssh-10.0
> > 
> > On Sat, 23 Nov 2024, Morten Linderud wrote:
> > 
> > > Hi,
> > > 
> > > I sent this patch back inn april and I still have a need for this. Would it be
> > > possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`?
> > > 
> > > -- 
> > > Morten Linderud
> > > PGP: 9C02FF419FECBE16
> > > 
> > > On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote:
> > > > `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512`
> > > > and this prevents ssh-agent implementations that can't support sha512
> > > > from signing messages.
> > > > 
> > > > An example of this is TPMs which mostly only really supports sha256
> > > > widely.
> > > > 
> > > > This change enables `ssh-keygen -Y sign` to honor the `hashalg` option
> > > > for the signing algorithm.
> > > > 
> > > > Signed-off-by: Morten Linderud <morten@xxxxxxxxxxx>
> > > > ---
> > > >  sshsig.c | 10 ++++++++--
> > > >  1 file changed, 8 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/sshsig.c b/sshsig.c
> > > > index 470b286a3..033b43353 100644
> > > > --- a/sshsig.c
> > > > +++ b/sshsig.c
> > > > @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
> > > >  	}
> > > >  
> > > >  	/* If using RSA keys then default to a good signature algorithm */
> > > > -	if (sshkey_type_plain(key->type) == KEY_RSA)
> > > > -		sign_alg = RSA_SIGN_ALG;
> > > > +	if (sshkey_type_plain(key->type) == KEY_RSA){
> > > > +		if (hashalg == NULL)
> > > > +			sign_alg = RSA_SIGN_ALG;
> > > > +		else if (strcmp(hashalg, "sha256") == 0)
> > > > +			sign_alg = "rsa-sha2-256";
> > > > +		else if (strcmp(hashalg, "sha512") == 0)
> > > > +			sign_alg = "rsa-sha2-512";
> > > > +	}
> > > >  
> > > >  	if (signer != NULL) {
> > > >  		if ((r = signer(key, &sig, &slen,
> > > > -- 
> > > > 2.44.0
> > > > _______________________________________________
> > > > openssh-unix-dev mailing list
> > > > openssh-unix-dev@xxxxxxxxxxx
> > > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > > 
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux