Provide correct signature type for SHA2 certificates in agent

2019-06-17 12:40:12 +02:00 · 2019-06-17 12:40:12 +02:00 · 50e2b60d3f
commit 50e2b60d3f
parent 56fdfa2a52
2 changed files with 34 additions and 0 deletions
--- a/openssh-8.0p1-agent-certs-sha2.patch
+++ b/openssh-8.0p1-agent-certs-sha2.patch
@ -0,0 +1,31 @@
+From 2317ce4b0ed7d8c4b0c684e2d47bff5006bd1178 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 14 Jun 2019 03:51:47 +0000
+Subject: [PATCH] upstream: process agent requests for RSA certificate private
+ keys using
+
+correct signature algorithm when requested. Patch from Jakub Jelen in bz3016
+ok dtucker markus
+
+OpenBSD-Commit-ID: 61f86efbeb4a1857a3e91298c1ccc6cf49b79624
+---
+ ssh-agent.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 034f31387..4669b679c 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -269,6 +269,11 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ 			return "rsa-sha2-256";
+ 		else if (flags & SSH_AGENT_RSA_SHA2_512)
+ 			return "rsa-sha2-512";
+	} else if (key->type == KEY_RSA_CERT) {
+		if (flags & SSH_AGENT_RSA_SHA2_256)
+			return "rsa-sha2-256-cert-v01@openssh.com";
+		else if (flags & SSH_AGENT_RSA_SHA2_512)
+			return "rsa-sha2-512-cert-v01@openssh.com";
+ 	}
+ 	return NULL;
+ }
+
--- a/openssh.spec
+++ b/openssh.spec
@ -216,6 +216,8 @@ Patch963: openssh-8.0p1-openssl-evp.patch
 Patch964: openssh-8.0p1-openssl-kdf.patch
 # Use new OpenSSL for PEM export to avoid MD5 dependency (#1712436)
 Patch965: openssh-8.0p1-openssl-pem.patch
+# Properly encode SHA2 certificate types in ssh-agent
+Patch966: openssh-8.0p1-agent-certs-sha2.patch

 License: BSD
 Requires: /sbin/nologin
@ -423,6 +425,7 @@ popd
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .openssl-pem
+%patch966 -p1 -b .agent-cert-sha2

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race