version 1.347, 2021/04/03 06:18:41 |
version 1.348, 2021/06/06 03:40:39 |
|
|
key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) |
key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) |
{ |
{ |
char *allowed, *oallowed, *cp, *tmp, *alg = NULL; |
char *allowed, *oallowed, *cp, *tmp, *alg = NULL; |
|
const char *server_sig_algs; |
|
|
/* |
/* |
* The signature algorithm will only differ from the key algorithm |
* The signature algorithm will only differ from the key algorithm |
|
|
} |
} |
|
|
/* |
/* |
|
* Workaround OpenSSH 7.4 bug: this version supports RSA/SHA-2 but |
|
* fails to advertise it via SSH2_MSG_EXT_INFO. |
|
*/ |
|
server_sig_algs = ssh->kex->server_sig_algs; |
|
if (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74)) |
|
server_sig_algs = "rsa-sha2-256,rsa-sha2-512"; |
|
|
|
/* |
* For RSA keys/certs, since these might have a different sig type: |
* For RSA keys/certs, since these might have a different sig type: |
* find the first entry in PubkeyAcceptedAlgorithms of the right type |
* find the first entry in PubkeyAcceptedAlgorithms of the right type |
* that also appears in the supported signature algorithms list from |
* that also appears in the supported signature algorithms list from |
|
|
if (sshkey_type_from_name(cp) != key->type) |
if (sshkey_type_from_name(cp) != key->type) |
continue; |
continue; |
tmp = match_list(sshkey_sigalg_by_name(cp), |
tmp = match_list(sshkey_sigalg_by_name(cp), |
ssh->kex->server_sig_algs, NULL); |
server_sig_algs, NULL); |
if (tmp != NULL) |
if (tmp != NULL) |
alg = xstrdup(cp); |
alg = xstrdup(cp); |
free(tmp); |
free(tmp); |