diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-03 23:26:36 +1000 |
commit | 4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch) | |
tree | b8d904880f8927374b377b2e4d5661213c1138b6 /sshkey.h | |
parent | 95344c257412b51199ead18d54eaed5bafb75617 (diff) |
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Diffstat (limited to 'sshkey.h')
-rw-r--r-- | sshkey.h | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.h,v 1.24 2018/02/23 15:58:38 markus Exp $ */ | 1 | /* $OpenBSD: sshkey.h,v 1.25 2018/07/03 11:39:54 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -191,11 +191,11 @@ int sshkey_puts_opts(const struct sshkey *, struct sshbuf *, | |||
191 | int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *); | 191 | int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *); |
192 | int sshkey_putb_plain(const struct sshkey *, struct sshbuf *); | 192 | int sshkey_putb_plain(const struct sshkey *, struct sshbuf *); |
193 | 193 | ||
194 | int sshkey_sigtype(const u_char *, size_t, char **); | ||
195 | int sshkey_sign(const struct sshkey *, u_char **, size_t *, | 194 | int sshkey_sign(const struct sshkey *, u_char **, size_t *, |
196 | const u_char *, size_t, const char *, u_int); | 195 | const u_char *, size_t, const char *, u_int); |
197 | int sshkey_verify(const struct sshkey *, const u_char *, size_t, | 196 | int sshkey_verify(const struct sshkey *, const u_char *, size_t, |
198 | const u_char *, size_t, const char *, u_int); | 197 | const u_char *, size_t, const char *, u_int); |
198 | int sshkey_check_sigtype(const u_char *, size_t, const char *); | ||
199 | 199 | ||
200 | /* for debug */ | 200 | /* for debug */ |
201 | void sshkey_dump_ec_point(const EC_GROUP *, const EC_POINT *); | 201 | void sshkey_dump_ec_point(const EC_GROUP *, const EC_POINT *); |