diff options
| author | Werner Koch <[email protected]> | 2018-04-10 08:14:30 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2018-04-10 08:14:30 +0000 |
| commit | 36373798c0955241288fb4aec103830106dd7e1f (patch) | |
| tree | fe0ed178d1aeda3847c9c8133a2ed8488a84644a /agent/command-ssh.c | |
| parent | Merge branch 'STABLE-BRANCH-2-2' into master (diff) | |
| parent | agent: Improve the unknown ssh flag detection. (diff) | |
| download | gnupg-36373798c0955241288fb4aec103830106dd7e1f.tar.gz gnupg-36373798c0955241288fb4aec103830106dd7e1f.zip | |
Merge branch 'STABLE-BRANCH-2-2' into master
--
Fixed conflicts:
NEWS - keep master
configure.ac - merge
g10/card-util.c - mostly 2.2
g10/sig-check.c - 2.2
Diffstat (limited to 'agent/command-ssh.c')
| -rw-r--r-- | agent/command-ssh.c | 46 |
1 files changed, 39 insertions, 7 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c index 38934f450..df63ed713 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -27,8 +27,10 @@ RFC-4253 - Transport Layer Protocol RFC-5656 - ECC support - The protocol for the agent is defined in OpenSSH's PROTOCL.agent - file. + The protocol for the agent is defined in: + + https://tools.ietf.org/html/draft-miller-ssh-agent + */ #include <config.h> @@ -83,6 +85,8 @@ /* Other constants. */ #define SSH_DSA_SIGNATURE_PADDING 20 #define SSH_DSA_SIGNATURE_ELEMS 2 +#define SSH_AGENT_RSA_SHA2_256 0x02 +#define SSH_AGENT_RSA_SHA2_512 0x04 #define SPEC_FLAG_USE_PKCS1V2 (1 << 0) #define SPEC_FLAG_IS_ECDSA (1 << 1) #define SPEC_FLAG_IS_EdDSA (1 << 2) /*(lowercase 'd' on purpose.)*/ @@ -2865,7 +2869,6 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response) unsigned char *sig = NULL; size_t sig_n; u32 data_size; - u32 flags; gpg_error_t err; gpg_error_t ret_err; int hash_algo; @@ -2885,10 +2888,39 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response) if (err) goto out; - /* FIXME? */ - err = stream_read_uint32 (request, &flags); - if (err) - goto out; + /* Flag processing. */ + { + u32 flags; + + err = stream_read_uint32 (request, &flags); + if (err) + goto out; + + if (spec.algo == GCRY_PK_RSA) + { + if ((flags & SSH_AGENT_RSA_SHA2_512)) + { + flags &= ~SSH_AGENT_RSA_SHA2_512; + spec.ssh_identifier = "rsa-sha2-512"; + spec.hash_algo = GCRY_MD_SHA512; + } + if ((flags & SSH_AGENT_RSA_SHA2_256)) + { + /* Note: We prefer SHA256 over SHA512. */ + flags &= ~SSH_AGENT_RSA_SHA2_256; + spec.ssh_identifier = "rsa-sha2-256"; + spec.hash_algo = GCRY_MD_SHA256; + } + } + + /* Some flag is present that we do not know about. Note that + * processed or known flags have been cleared at this point. */ + if (flags) + { + err = gpg_error (GPG_ERR_UNKNOWN_OPTION); + goto out; + } + } hash_algo = spec.hash_algo; if (!hash_algo) |