upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
diff --git a/sshd.c b/sshd.c
index a823999..2f3f5b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.460 2015/11/16 22:51:05 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.461 2015/12/04 16:41:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -816,6 +816,12 @@
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
buffer_append(&b, p, strlen(p));
+
+ /* for RSA we also support SHA2 signatures */
+ if (key->type == KEY_RSA) {
+ p = ",rsa-sha2-512,rsa-sha2-256";
+ buffer_append(&b, p, strlen(p));
+ }
break;
}
/* If the private key has a cert peer, then list that too */
@@ -2507,24 +2513,26 @@
int
sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,
- const u_char *data, size_t dlen, u_int flag)
+ const u_char *data, size_t dlen, const char *alg, u_int flag)
{
int r;
u_int xxx_slen, xxx_dlen = dlen;
if (privkey) {
- if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen) < 0))
+ if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen,
+ alg) < 0))
fatal("%s: key_sign failed", __func__);
if (slen)
*slen = xxx_slen;
} else if (use_privsep) {
- if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen) < 0)
+ if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen,
+ alg) < 0)
fatal("%s: pubkey_sign failed", __func__);
if (slen)
*slen = xxx_slen;
} else {
if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slen,
- data, dlen, datafellows)) != 0)
+ data, dlen, alg, datafellows)) != 0)
fatal("%s: ssh_agent_sign failed: %s",
__func__, ssh_err(r));
}