author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-06-25 19:47:36 +0200 |
---|---|---|
committer | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-06-26 17:36:46 +0200 |
commit | 4b7ce75e1fe4bec8d7d645516a1f9f31a4a31ba5 (patch) | |
tree | 92b2d82a4be47bfbd74a501c05723576ca4dcb26 /src/pki.c | |
parent | c8f49becfde6777aa73cea3c8aa58a752d2adce4 (diff) | |
pki: Add workarounds for old OpenSSH
When we are talking to old OpenSSH versions which do not support
rsa-sha2-{256,512}-cert-v01@openssh.com or SHA2 in certificates,
fall back to the old supported values.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'src/pki.c')
-rw-r--r-- | src/pki.c | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -388,6 +388,19 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
     case SSH_KEYTYPE_DSS:
         return SSH_DIGEST_SHA1;
     case SSH_KEYTYPE_RSA_CERT01:
+        /* If we are talking to an old OpenSSH version which does not support
+         * SHA2 in certificates */
+        if ((session->openssh > 0) &&
+            (session->openssh < SSH_VERSION_INT(7, 2, 0)))
+        {
+            SSH_LOG(SSH_LOG_DEBUG,
+                    "We are talking to an old OpenSSH (%x); "
+                    "returning SSH_DIGEST_SHA1",
+                    session->openssh);
+
+            return SSH_DIGEST_SHA1;
+        }
+        FALL_THROUGH;
     case SSH_KEYTYPE_RSA:
         if (ssh_key_algorithm_allowed(session, "rsa-sha2-512") &&
             (session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
@@ -441,6 +454,21 @@ ssh_key_get_signature_algorithm(ssh_session session,
 {
     enum ssh_digest_e hash_type;
+    if (type == SSH_KEYTYPE_RSA_CERT01) {
+        /* If we are talking to an old OpenSSH version which does not support
+         * rsa-sha2-{256,512}-cert-v01@openssh.com */
+        if ((session->openssh > 0) &&
+            (session->openssh < SSH_VERSION_INT(7, 8, 0)))
+        {
+            SSH_LOG(SSH_LOG_DEBUG,
+                    "We are talking to an old OpenSSH (%x); "
+                    "using old cert format",
+                    session->openssh);
+
+            return "ssh-rsa-cert-v01@openssh.com";
+        }
+    }
+
     hash_type = ssh_key_type_to_hash(session, type);
     return ssh_key_signature_to_char(type, hash_type);
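Review bot: The new `SSH_KEYTYPE_RSA_CERT01` fallback returns `SSH_DIGEST_SHA1` without consulting `ssh_key_algorithm_allowed()` the way the `SSH_KEYTYPE_RSA` case directly below does for `"rsa-sha2-512"`, so a configured allow-list that excludes the SHA-1 forms is bypassed whenever `session->openssh` — which comes from the peer's unauthenticated version banner — reports a version below 7.2; the second hunk in `ssh_key_get_signature_algorithm` has the same gap for the `"ssh-rsa-cert-v01@openssh.com"` return below 7.8. If that helper is the right check for this path, gate the second fallback with `if ((session->openssh > 0) && (session->openssh < SSH_VERSION_INT(7, 8, 0)) && ssh_key_algorithm_allowed(session, "ssh-rsa-cert-v01@openssh.com"))` and the first with the corresponding SHA-1 cert name, so the version workaround can only narrow, never widen, what the user allowed. The two version windows also duplicate the same pattern and carry unexplained thresholds; a comment such as `/* OpenSSH < 7.2 cannot verify rsa-sha2 signatures on certs; < 7.8 lacks the rsa-sha2-*-cert-v01 algorithm names */` (confirm against the OpenSSH release notes) would record why each cut-off was chosen, or the check could move into one small static helper. Both enclosing functions, `ssh_key_type_to_hash` and `ssh_key_get_signature_algorithm`, begin before their hunks and continue past them.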