authordjm@openbsd.org <djm@openbsd.org>2024-11-26 22:23:35 +0100
committerDamien Miller <djm@mindrot.org>2024-11-26 22:24:50 +0100
commitd1c1cfc5e4e9b43593d4642810ea8135e4c7db49 (patch)
treec27990018d37e70ce180da5e8db7dae43cdc47f0 /sshsig.c
parentupstream: turn off CDIAGFLAGS and turn back on INSTALL_STRIP (diff)
upstream: when using RSA keys to sign messages, select the
signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx"). This allows using something other than rsa-sha2-512, which may not be supported on all signing backends, e.g. some smartcards only support SHA256. Patch from Morten Linderud; ok markus@ OpenBSD-Commit-ID: 246353fac24e92629263996558c6788348363ad7
Diffstat (limited to '')
-rw-r--r--sshsig.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sshsig.c b/sshsig.c
index 470b286a3..289f3e728 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.35 2024/03/08 22:16:32 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.36 2024/11/26 21:23:35 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -190,8 +190,13 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
}
/* If using RSA keys then default to a good signature algorithm */
- if (sshkey_type_plain(key->type) == KEY_RSA)
+ if (sshkey_type_plain(key->type) == KEY_RSA) {
sign_alg = RSA_SIGN_ALG;
+ if (strcmp(hashalg, "sha256") == 0)
+ sign_alg = "rsa-sha2-256";
+ else if (strcmp(hashalg, "sha512") == 0)
+ sign_alg = "rsa-sha2-512";
+ }
if (signer != NULL) {
if ((r = signer(key, &sig, &slen,
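Review bot: The added `strcmp(hashalg, "sha256")` and `strcmp(hashalg, "sha512")` calls in the RSA branch dereference `hashalg`, and nothing visible in this hunk establishes that it is non-NULL here. If any caller of sshsig_wrap_sign can pass NULL, the defaulting has to happen before this block; otherwise a short comment stating the precondition would make the contract explicit. Any other hashalg value silently keeps RSA_SIGN_ALG, so the signature hash can differ from the requested message hash without a diagnostic. The existing comment could say so, e.g. `/* RSA: match the signature algorithm to hashalg; unrecognised values keep RSA_SIGN_ALG */`. The body of sshsig_wrap_sign starts and ends outside the hunk, so earlier validation of hashalg may exist but is not shown.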