Request RSA-SHA2 signatures for corresponding cert algorithms

Closes: #923419
author: Colin Watson <cjwatson@debian.org> 2019-02-28 10:37:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-02-28 10:37:50 +0000
commit: 4418a1e80ce0dcc010b4a6efa9ae6056fce99f8c (patch)
tree: 137c9d64fa8750ad13ba239472a1829bd1b240e1
parent: e321545f23ce308bc12d28d6975f75bdc8b7061e (diff)
parent: d94226d4fcefbc398c5583e12b5d07ca33884ba4 (diff)
5 files changed, 50 insertions, 5 deletions
diff --git a/authfd.c b/authfd.c
index ecdd869ab..62cbf8c19 100644
--- a/authfd.c
+++ b/authfd.c
@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
 static u_int
 agent_encode_alg(const struct sshkey *key, const char *alg)
 {
-        if (alg != NULL && key->type == KEY_RSA) {
+        if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
-                if (strcmp(alg, "rsa-sha2-256") == 0)
+                if (strcmp(alg, "rsa-sha2-256") == 0 ||
+                    strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
                        return SSH_AGENT_RSA_SHA2_256;
-                else if (strcmp(alg, "rsa-sha2-512") == 0)
+                if (strcmp(alg, "rsa-sha2-512") == 0 ||
+                    strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
                        return SSH_AGENT_RSA_SHA2_512;
        }
        return 0;
diff --git a/debian/.git-dpm b/debian/.git-dpm
index a45865db0..42208f2de 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5e021158aa22cc64da4fca1618ee0bfd2d031049
+d94226d4fcefbc398c5583e12b5d07ca33884ba4
-5e021158aa22cc64da4fca1618ee0bfd2d031049
+d94226d4fcefbc398c5583e12b5d07ca33884ba4
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index ce7ec26fe..75d338a73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ openssh (1:7.9p1-8) UNRELEASED; urgency=medium
  * Apply upstream patch to fix bug in HostbasedAcceptedKeyTypes and
    PubkeyAcceptedKeyTypes options in the case where only RSA-SHA2 signature
    types were specified.
+  * Apply upstream patch to request RSA-SHA2 signatures for
+    rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms (closes:
+    #923419).
 -- Colin Watson <cjwatson@debian.org>  Thu, 28 Feb 2019 10:33:32 +0000
diff --git a/debian/patches/request-rsa-sha2-cert-signatures.patch b/debian/patches/request-rsa-sha2-cert-signatures.patch
new file mode 100644
index 000000000..2c876be31
--- /dev/null
+++ b/debian/patches/request-rsa-sha2-cert-signatures.patch
@@ -0,0 +1,39 @@
+From d94226d4fcefbc398c5583e12b5d07ca33884ba4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 27 Dec 2018 23:02:11 +0000
+Subject: upstream: Request RSA-SHA2 signatures for
+rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
+OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
+Bug-Debian: https://bugs.debian.org/923419
+Last-Update: 2019-02-28
+Patch-Name: request-rsa-sha2-cert-signatures.patch
+---
+ authfd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/authfd.c b/authfd.c
+index ecdd869ab..62cbf8c19 100644
+--- a/authfd.c
+++ b/authfd.c
+@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
+ static u_int
+ agent_encode_alg(const struct sshkey *key, const char *alg)
+ {
+-       if (alg != NULL && key->type == KEY_RSA) {
+-               if (strcmp(alg, "rsa-sha2-256") == 0)
+       if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
+               if (strcmp(alg, "rsa-sha2-256") == 0 ||
+                   strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
+                        return SSH_AGENT_RSA_SHA2_256;
+-               else if (strcmp(alg, "rsa-sha2-512") == 0)
+               if (strcmp(alg, "rsa-sha2-512") == 0 ||
+                   strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
+                        return SSH_AGENT_RSA_SHA2_512;
+        }
+        return 0;
diff --git a/debian/patches/series b/debian/patches/series
index 12358dcf0..a95dccaa6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ sanitize-scp-filenames-via-snmprintf.patch
 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
 check-filenames-in-scp-client.patch
 fix-key-type-check.patch
+request-rsa-sha2-cert-signatures.patch
author	Colin Watson <cjwatson@debian.org>	2019-02-28 10:37:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2019-02-28 10:37:50 +0000
commit	4418a1e80ce0dcc010b4a6efa9ae6056fce99f8c (patch)
tree	137c9d64fa8750ad13ba239472a1829bd1b240e1
parent	e321545f23ce308bc12d28d6975f75bdc8b7061e (diff)
parent	d94226d4fcefbc398c5583e12b5d07ca33884ba4 (diff)

diff --git a/authfd.c b/authfd.c index ecdd869ab..62cbf8c19 100644 --- a/authfd.c +++ b/authfd.c
@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
327	static u_int	327	static u_int
328	agent_encode_alg(const struct sshkey key, const char alg)	328	agent_encode_alg(const struct sshkey key, const char alg)
329	{	329	{
330	if (alg != NULL && key->type == KEY_RSA) {	330	if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
331	if (strcmp(alg, "rsa-sha2-256") == 0)	331	if (strcmp(alg, "rsa-sha2-256") == 0 \|\|
		332	strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
332	return SSH_AGENT_RSA_SHA2_256;	333	return SSH_AGENT_RSA_SHA2_256;
333	else if (strcmp(alg, "rsa-sha2-512") == 0)	334	if (strcmp(alg, "rsa-sha2-512") == 0 \|\|
		335	strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
334	return SSH_AGENT_RSA_SHA2_512;	336	return SSH_AGENT_RSA_SHA2_512;
335	}	337	}
336	return 0;	338	return 0;


diff --git a/debian/.git-dpm b/debian/.git-dpm index a45865db0..42208f2de 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	5e021158aa22cc64da4fca1618ee0bfd2d031049	2	d94226d4fcefbc398c5583e12b5d07ca33884ba4
3	5e021158aa22cc64da4fca1618ee0bfd2d031049	3	d94226d4fcefbc398c5583e12b5d07ca33884ba4
4	3d246f10429fc9a37b98eabef94fe8dc7c61002b	4	3d246f10429fc9a37b98eabef94fe8dc7c61002b
5	3d246f10429fc9a37b98eabef94fe8dc7c61002b	5	3d246f10429fc9a37b98eabef94fe8dc7c61002b
6	openssh_7.9p1.orig.tar.gz	6	openssh_7.9p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index ce7ec26fe..75d338a73 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -3,6 +3,9 @@ openssh (1:7.9p1-8) UNRELEASED; urgency=medium
3	* Apply upstream patch to fix bug in HostbasedAcceptedKeyTypes and	3	* Apply upstream patch to fix bug in HostbasedAcceptedKeyTypes and
4	PubkeyAcceptedKeyTypes options in the case where only RSA-SHA2 signature	4	PubkeyAcceptedKeyTypes options in the case where only RSA-SHA2 signature
5	types were specified.	5	types were specified.
		6	* Apply upstream patch to request RSA-SHA2 signatures for
		7	rsa-sha2-{256\|512}-cert-v01@openssh.com cert algorithms (closes:
		8	#923419).
6		9
7	-- Colin Watson <cjwatson@debian.org> Thu, 28 Feb 2019 10:33:32 +0000	10	-- Colin Watson <cjwatson@debian.org> Thu, 28 Feb 2019 10:33:32 +0000
8		11


diff --git a/debian/patches/request-rsa-sha2-cert-signatures.patch b/debian/patches/request-rsa-sha2-cert-signatures.patch new file mode 100644 index 000000000..2c876be31 --- /dev/null +++ b/debian/patches/request-rsa-sha2-cert-signatures.patch
@@ -0,0 +1,39 @@
		1	From d94226d4fcefbc398c5583e12b5d07ca33884ba4 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Thu, 27 Dec 2018 23:02:11 +0000
		4	Subject: upstream: Request RSA-SHA2 signatures for
		5
		6	rsa-sha2-{256\|512}-cert-v01@openssh.com cert algorithms; ok markus@
		7
		8	OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
		9
		10	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
		11	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
		12	Bug-Debian: https://bugs.debian.org/923419
		13	Last-Update: 2019-02-28
		14
		15	Patch-Name: request-rsa-sha2-cert-signatures.patch
		16	---
		17	authfd.c \| 8 +++++---
		18	1 file changed, 5 insertions(+), 3 deletions(-)
		19
		20	diff --git a/authfd.c b/authfd.c
		21	index ecdd869ab..62cbf8c19 100644
		22	--- a/authfd.c
		23	+++ b/authfd.c
		24	@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
		25	static u_int
		26	agent_encode_alg(const struct sshkey key, const char alg)
		27	{
		28	- if (alg != NULL && key->type == KEY_RSA) {
		29	- if (strcmp(alg, "rsa-sha2-256") == 0)
		30	+ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
		31	+ if (strcmp(alg, "rsa-sha2-256") == 0 \|\|
		32	+ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
		33	return SSH_AGENT_RSA_SHA2_256;
		34	- else if (strcmp(alg, "rsa-sha2-512") == 0)
		35	+ if (strcmp(alg, "rsa-sha2-512") == 0 \|\|
		36	+ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
		37	return SSH_AGENT_RSA_SHA2_512;
		38	}
		39	return 0;


diff --git a/debian/patches/series b/debian/patches/series index 12358dcf0..a95dccaa6 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -29,3 +29,4 @@ sanitize-scp-filenames-via-snmprintf.patch
29	have-progressmeter-force-update-at-beginning-and-end-transfer.patch	29	have-progressmeter-force-update-at-beginning-and-end-transfer.patch
30	check-filenames-in-scp-client.patch	30	check-filenames-in-scp-client.patch
31	fix-key-type-check.patch	31	fix-key-type-check.patch
		32	request-rsa-sha2-cert-signatures.patch