diff options
| author | markus@openbsd.org <markus@openbsd.org> | 2015-12-04 16:41:28 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-12-07 12:38:58 +1100 |
| commit | 76c9fbbe35aabc1db977fb78e827644345e9442e (patch) | |
| tree | e7c85e7e1471f1bd00b3a50a58e315c055f40b86 /sshd.c | |
| parent | 6064a8b8295cb5a17b5ebcfade53053377714f40 (diff) | |
upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
Diffstat (limited to 'sshd.c')
| -rw-r--r-- | sshd.c | 18 |
1 files changed, 13 insertions, 5 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.460 2015/11/16 22:51:05 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.461 2015/12/04 16:41:28 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -816,6 +816,12 @@ list_hostkey_types(void) buffer_append(&b, ",", 1); p = key_ssh_name(key); buffer_append(&b, p, strlen(p)); + + /* for RSA we also support SHA2 signatures */ + if (key->type == KEY_RSA) { + p = ",rsa-sha2-512,rsa-sha2-256"; + buffer_append(&b, p, strlen(p)); + } break; } /* If the private key has a cert peer, then list that too */ @@ -2507,24 +2513,26 @@ do_ssh1_kex(void) int sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, - const u_char *data, size_t dlen, u_int flag) + const u_char *data, size_t dlen, const char *alg, u_int flag) { int r; u_int xxx_slen, xxx_dlen = dlen; if (privkey) { - if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen) < 0)) + if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0)) fatal("%s: key_sign failed", __func__); if (slen) *slen = xxx_slen; } else if (use_privsep) { - if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen) < 0) + if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0) fatal("%s: pubkey_sign failed", __func__); if (slen) *slen = xxx_slen; } else { if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slen, - data, dlen, datafellows)) != 0) + data, dlen, alg, datafellows)) != 0) fatal("%s: ssh_agent_sign failed: %s", __func__, ssh_err(r)); } |