author | Werner Koch <wk@gnupg.org> | 2018-04-10 07:59:52 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2018-04-10 07:59:52 +0200 |
commit | 9f69dbeb902ac447adbc92937cd451c4e909f234 (patch) | |
tree | 742663d9a9ed6d7a68115932f6ef3cc8cee2baf0 /agent/command-ssh.c | |
parent | agent: unknown flags on ssh signing requests cause an error. (diff) | |
agent: Improve the unknown ssh flag detection.
* agent/command-ssh.c (ssh_handler_sign_request): Simplify detection
of flags.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to '')
-rw-r--r-- | agent/command-ssh.c | 55 |
1 files changed, 31 insertions, 24 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index ac67dd092..20dc3febe 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2864,7 +2864,6 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
 unsigned char *sig = NULL;
 size_t sig_n;
 u32 data_size;
- u32 flags, known_flags = 0;
 gpg_error_t err;
 gpg_error_t ret_err;
 int hash_algo;
@@ -2884,31 +2883,39 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
 if (err)
 goto out;
- err = stream_read_uint32 (request, &flags);
- if (err)
- goto out;
-
- if (spec.algo == GCRY_PK_RSA)
- {
- known_flags = SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512;
- if ((flags & SSH_AGENT_RSA_SHA2_256))
- {
- spec.ssh_identifier = "rsa-sha2-256";
- spec.hash_algo = GCRY_MD_SHA256;
- }
- else if ((flags & SSH_AGENT_RSA_SHA2_512))
- {
- spec.ssh_identifier = "rsa-sha2-512";
- spec.hash_algo = GCRY_MD_SHA512;
- }
- }
+ /* Flag processing. */
+ {
+ u32 flags;
- /* some flag is present that we do not know about. */
- if (flags & ~known_flags)
- {
- err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
+ err = stream_read_uint32 (request, &flags);
+ if (err)
 goto out;
- }
+
+ if (spec.algo == GCRY_PK_RSA)
+ {
+ if ((flags & SSH_AGENT_RSA_SHA2_512))
+ {
+ flags &= ~SSH_AGENT_RSA_SHA2_512;
+ spec.ssh_identifier = "rsa-sha2-512";
+ spec.hash_algo = GCRY_MD_SHA512;
+ }
+ if ((flags & SSH_AGENT_RSA_SHA2_256))
+ {
+ /* Note: We prefer SHA256 over SHA512. */
+ flags &= ~SSH_AGENT_RSA_SHA2_256;
+ spec.ssh_identifier = "rsa-sha2-256";
+ spec.hash_algo = GCRY_MD_SHA256;
+ }
+ }
+
+ /* Some flag is present that we do not know about. Note that
+ * processed or known flags have been cleared at this point. */
+ if (flags)
+ {
+ err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
+ goto out;
+ }
+ }
 hash_algo = spec.hash_algo;
 if (!hash_algo) |
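Review bot: The `if (flags)` branch at the end of the new flag block rejects the request without recording which bits caused it, so a refused signature is hard to tell apart from any other failure. Because the known bits are only cleared inside `if (spec.algo == GCRY_PK_RSA)`, the same GPG_ERR_UNKNOWN_OPTION also covers an RSA SHA-2 flag sent with a non-RSA key, which makes the residual value worth logging, e.g. `log_info ("ssh sign request: unsupported flags 0x%08lx\n", (unsigned long)flags);` before the `goto out`. The SHA256 preference when both bits are set now depends on the order of the two `if` blocks; moving the "We prefer SHA256 over SHA512" comment above the SHA2_512 block and stating that the second block intentionally overwrites the first would keep a later reordering from changing the chosen hash. ssh_handler_sign_request starts and ends outside the hunk, so what the `out` path already logs is not visible here.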