From 1a4a9cf80f5b92b9d1dadd0bfa8867c04d195391 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 11 Oct 2018 03:48:04 +0000
Subject: upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names
 to

older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker

OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
---
 sshconnect2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sshconnect2.c b/sshconnect2.c
index 86a0254be..1675f3935 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.287 2018/09/14 05:26:27 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.288 2018/10/11 03:48:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1088,7 +1088,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 	 * newer (SHA2) algorithms.
 	 */
 	if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
-	    (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+	    (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+	    (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
 		/* Filter base key signature alg against our configuration */
 		return match_list(sshkey_ssh_name(key),
 		    options.pubkey_key_types, NULL);
-- 
cgit v1.2.3