rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
Source Code
GIT

Blame SOURCES/openssh-8.0p1-keygen-sha2.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   b85a86ac9183af5dea288d2e393768c89852f734
  2.   SOURCES
  3.   openssh-8.0p1-keygen-sha2.patch
Blob History Raw
aedd00 
From 4a41d245d6b13bd3882c8dc058dbd2e2b39a9f67 Mon Sep 17 00:00:00 2001
aedd00 
From: "djm@openbsd.org" <djm@openbsd.org>
aedd00 
Date: Fri, 24 Jan 2020 00:27:04 +0000
aedd00 
Subject: [PATCH] upstream: when signing a certificate with an RSA key, default
aedd00 
 to
aedd00
aedd00 
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
aedd00 
the user; ok markus@
aedd00
aedd00 
OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
aedd00 
---
aedd00 
 ssh-keygen.c | 14 +++++++++-----
aedd00 
 1 file changed, 9 insertions(+), 5 deletions(-)
aedd00
aedd00 
diff --git a/ssh-keygen.c b/ssh-keygen.c
aedd00 
index 564c3c481..f2192edb9 100644
aedd00 
--- a/ssh-keygen.c
aedd00 
+++ b/ssh-keygen.c
aedd00 
@@ -1788,10 +1788,14 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
aedd00 
 	}
aedd00 
 	free(tmp);
aedd00
aedd00 
-	if (key_type_name != NULL &&
aedd00 
-	    sshkey_type_from_name(key_type_name) != ca->type)  {
aedd00 
-		fatal("CA key type %s doesn't match specified %s",
aedd00 
-		    sshkey_ssh_name(ca), key_type_name);
aedd00 
+	if (key_type_name != NULL) {
aedd00 
+		if (sshkey_type_from_name(key_type_name) != ca->type) {
aedd00 
+			fatal("CA key type %s doesn't match specified %s",
aedd00 
+			    sshkey_ssh_name(ca), key_type_name);
aedd00 
+		}
aedd00 
+	} else if (ca->type == KEY_RSA) {
aedd00 
+		/* Default to a good signature algorithm */
aedd00 
+		key_type_name = "rsa-sha2-512";
aedd00 
 	}
aedd00
aedd00 
 	for (i = 0; i < argc; i++) {
aedd00
aedd00 
From 476e3551b2952ef73acc43d995e832539bf9bc4d Mon Sep 17 00:00:00 2001
aedd00 
From: "djm@openbsd.org" <djm@openbsd.org>
aedd00 
Date: Mon, 20 May 2019 00:20:35 +0000
aedd00 
Subject: [PATCH] upstream: When signing certificates with an RSA key, default
aedd00 
 to
aedd00
aedd00 
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
aedd00 
will therefore be incompatible with OpenSSH < 7.2 unless the default is
aedd00 
overridden.
aedd00
aedd00 
Document the ability of the ssh-keygen -t flag to override the
aedd00 
signature algorithm when signing certificates, and the new default.
aedd00
aedd00 
ok deraadt@
aedd00
aedd00 
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
aedd00 
---
aedd00 
 ssh-keygen.1 | 13 +++++++++++--
aedd00 
 sshkey.c     |  9 ++++++++-
aedd00 
 2 files changed, 19 insertions(+), 3 deletions(-)
aedd00
aedd00 
diff --git a/ssh-keygen.1 b/ssh-keygen.1
aedd00 
index f29774249..673bf6e2f 100644
aedd00 
--- a/ssh-keygen.1
aedd00 
+++ b/ssh-keygen.1
aedd00 
@@ -35,7 +35,7 @@
aedd00 
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
aedd00 
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
aedd00 
 .\"
aedd00 
-.Dd $Mdocdate: March 5 2019 $
aedd00 
+.Dd $Mdocdate: May 20 2019 $
aedd00 
 .Dt SSH-KEYGEN 1
aedd00 
 .Os
aedd00 
 .Sh NAME
aedd00 
@@ -577,6 +577,15 @@ The possible values are
aedd00 
 .Dq ed25519 ,
aedd00 
 or
aedd00 
 .Dq rsa .
aedd00 
+.Pp
aedd00 
+This flag may also be used to specify the desired signature type when
aedd00 
+signing certificates using a RSA CA key.
aedd00 
+The available RSA signature variants are
aedd00 
+.Dq ssh-rsa
aedd00 
+(SHA1 signatures, not recommended),
aedd00 
+.Dq rsa-sha2-256
aedd00 
+.Dq rsa-sha2-512
aedd00 
+(the default).
aedd00 
 .It Fl U
aedd00 
 When used in combination with
aedd00 
 .Fl s ,
aedd00 
diff --git a/sshkey.c b/sshkey.c
aedd00 
index 9849cb237..379a579cf 100644
aedd00 
--- a/sshkey.c
aedd00 
+++ b/sshkey.c
aedd00 
@@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
aedd00 
 	    strcmp(alg, k->cert->signature_type) != 0)
aedd00 
 		return SSH_ERR_INVALID_ARGUMENT;
aedd00
aedd00 
+	/*
aedd00 
+	 * If no signing algorithm or signature_type was specified and we're
aedd00 
+	 * using a RSA key, then default to a good signature algorithm.
aedd00 
+	 */
aedd00 
+	if (alg == NULL && ca->type == KEY_RSA)
aedd00 
+		alg = "rsa-sha2-512";
aedd00 
+
aedd00 
 	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
aedd00 
 		return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
aedd00
aedd00

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation