tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: when signing a certificate with an RSA key, default to 

a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
the user; ok markus@

OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
This commit is contained in:
djm@openbsd.org 2020-01-24 00:27:04 +00:00 committed by Damien Miller
parent 8dfb6a202c
commit 4a41d245d6
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.389 2020/01/24 00:00:31 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.390 2020/01/24 00:27:04 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1788,10 +1788,14 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
} }
free(tmp); free(tmp);
if (key_type_name != NULL && if (key_type_name != NULL) {
sshkey_type_from_name(key_type_name) != ca->type) { if (sshkey_type_from_name(key_type_name) != ca->type) {
fatal("CA key type %s doesn't match specified %s", fatal("CA key type %s doesn't match specified %s",
sshkey_ssh_name(ca), key_type_name); sshkey_ssh_name(ca), key_type_name);
}
} else if (ca->type == KEY_RSA) {
/* Default to a good signature algorithm */
key_type_name = "rsa-sha2-512";
} }
ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT);