diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2018-03-03 03:01:51 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2018-03-03 03:01:51 +0000 |
| commit | de70294ccc3c4f3bf0bf5336930fdb47ef501502 (patch) | |
| tree | 79ef92ab8c6abc608c45ea3005b168856247e971 /usr.bin | |
| parent | ef9f249ffd324bc2ddf0fe52b8dc6bd67bef1cc6 (diff) | |
warn when the agent returns a signature type that was different to
what was requested. This might happen when an old/non-OpenSSH agent
is asked to make a rsa-sha2-256/512 signature but only supports
ssh-rsa. bz#2799 feedback and ok markus@
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/ssh/sshconnect2.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 5d330494e4b..bf0b7297621 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.268 2018/02/07 22:52:45 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.269 2018/03/03 03:01:50 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -994,17 +994,44 @@ key_sign_encode(const struct sshkey *key) return key_ssh_name(key); } +/* + * Some agents will return ssh-rsa signatures when asked to make a + * rsa-sha2-* signature. Check what they actually gave back and warn the + * user if the agent has returned an unexpected type. + */ +static int +check_sigtype(const struct sshkey *key, const u_char *sig, size_t len) +{ + int r; + char *sigtype = NULL; + const char *alg = key_sign_encode(key); + + if ((r = sshkey_sigtype(sig, len, &sigtype)) != 0) + return r; + if (strcmp(sigtype, alg) != 0) { + logit("warning: agent returned different signature type %s " + "(expected %s)", sigtype, alg); + } + free(sigtype); + /* Incorrect signature types aren't an error ... yet */ + return 0; +} + static int identity_sign(struct identity *id, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat) { struct sshkey *prv; - int ret; + int r; /* the agent supports this key */ - if (id->key != NULL && id->agent_fd != -1) - return ssh_agent_sign(id->agent_fd, id->key, sigp, lenp, - data, datalen, key_sign_encode(id->key), compat); + if (id->key != NULL && id->agent_fd != -1) { + if ((r = ssh_agent_sign(id->agent_fd, id->key, sigp, lenp, + data, datalen, key_sign_encode(id->key), compat)) != 0 || + (r = check_sigtype(id->key, *sigp, *lenp)) != 0) + return r; + return 0; + } /* * we have already loaded the private key or @@ -1023,10 +1050,10 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp, __func__, id->filename); return SSH_ERR_KEY_NOT_FOUND; } - ret = sshkey_sign(prv, sigp, lenp, data, datalen, + r = sshkey_sign(prv, sigp, lenp, data, datalen, key_sign_encode(prv), compat); sshkey_free(prv); - return (ret); + return r; } static int |