authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-06-25 19:47:36 +0200
committerAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-06-26 17:36:46 +0200
commit4b7ce75e1fe4bec8d7d645516a1f9f31a4a31ba5 (patch)
tree92b2d82a4be47bfbd74a501c05723576ca4dcb26 /src/pki.c
parentc8f49becfde6777aa73cea3c8aa58a752d2adce4 (diff)
pki: Add workarounds for old OpenSSH
When talking to old OpenSSH versions that do not support rsa-sha2-{256,512}-cert-v01@openssh.com or SHA2 signatures in certificates, fall back to the old supported values. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'src/pki.c')
-rw-r--r--src/pki.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/pki.c b/src/pki.c
index a1650ae1..482c58c2 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -388,6 +388,19 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
case SSH_KEYTYPE_DSS:
return SSH_DIGEST_SHA1;
case SSH_KEYTYPE_RSA_CERT01:
+ /* If we are talking to an old OpenSSH version which does not support
+ * SHA2 in certificates */
+ if ((session->openssh > 0) &&
+ (session->openssh < SSH_VERSION_INT(7, 2, 0)))
+ {
+ SSH_LOG(SSH_LOG_DEBUG,
+ "We are talking to an old OpenSSH (%x); "
+ "returning SSH_DIGEST_SHA1",
+ session->openssh);
+
+ return SSH_DIGEST_SHA1;
+ }
+ FALL_THROUGH;
case SSH_KEYTYPE_RSA:
if (ssh_key_algorithm_allowed(session, "rsa-sha2-512") &&
(session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
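Review bot: The SHA-1 early return added under SSH_KEYTYPE_RSA_CERT01 is decided from the peer's version banner alone, and the comment does not say why that is needed on top of the negotiated `SSH_EXT_SIG_RSA_SHA512` check that the fall-through RSA case already performs; an OpenSSH older than 7.2 would not have set that extension bit, so the existing check appears to already steer that path away from SHA-2. Version sniffing also misfires on vendor builds that backport rsa-sha2 support under an older version string, which the extension check would handle correctly, so it is worth stating what this branch covers that the extension does not. If the early return is kept, expand the comment to something like `/* Peer positively identified as OpenSSH (openssh != 0) older than 7.2; applied before the server-sig-algs check below because -- TODO confirm -- such servers cannot verify SHA2 certificate signatures even when the extension bit is set. */`. The enclosing ssh_key_type_to_hash body starts before and continues after this hunk.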
@@ -441,6 +454,21 @@ ssh_key_get_signature_algorithm(ssh_session session,
{
enum ssh_digest_e hash_type;
+ if (type == SSH_KEYTYPE_RSA_CERT01) {
+ /* If we are talking to an old OpenSSH version which does not support
+ * rsa-sha2-{256,512}-cert-v01@openssh.com */
+ if ((session->openssh > 0) &&
+ (session->openssh < SSH_VERSION_INT(7, 8, 0)))
+ {
+ SSH_LOG(SSH_LOG_DEBUG,
+ "We are talking to an old OpenSSH (%x); "
+ "using old cert format",
+ session->openssh);
+
+ return "ssh-rsa-cert-v01@openssh.com";
+ }
+ }
+
hash_type = ssh_key_type_to_hash(session, type);
return ssh_key_signature_to_char(type, hash_type);
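Review bot: The early return of `"ssh-rsa-cert-v01@openssh.com"` for OpenSSH older than 7.8 skips ssh_key_type_to_hash entirely, so it never passes through `ssh_key_algorithm_allowed`, which the first hunk shows gating the rsa-sha2 choices; if that helper enforces a configured accepted-algorithms policy, a session configured to reject the SHA-1 based `ssh-rsa-cert-v01@openssh.com` would still be handed it here. Consider adding the policy check to the workaround condition, `(session->openssh < SSH_VERSION_INT(7, 8, 0)) && ssh_key_algorithm_allowed(session, "ssh-rsa-cert-v01@openssh.com")`, so that a disallowed algorithm falls through to the normal path and fails closed instead of silently downgrading. A one-line comment on the early return noting that it intentionally bypasses the hash selection would also help the next reader. The ssh_key_get_signature_algorithm body begins at the hunk's opening brace and closes after the hunk.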