simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Tue Nov 20 21:14:48 GMT 2018
TL;DR:
74f792e0 Support flags word in SSH2_AGENTC_SIGN_REQUEST.
7d4a276f Pass flags from agent sign request to ssh_key_sign.
13b29008 Support SHA-256 and SHA-512 based RSA signatures.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2018-11-20 21:14:48
commit 74f792e00b4dbbfd80300a5fab412147d56ade11
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=74f792e00b4dbbfd80300a5fab412147d56ade11;hp=743bfac18ea2c5f74eb6e9a8156dd5dadefea7a6
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Nov 19 20:20:00 2018 +0000
Support flags word in SSH2_AGENTC_SIGN_REQUEST.
A couple of people have mentioned to me recently that these days
OpenSSH is appending a uint32 flags word to the agent sign request,
with flags that ask for an RSA signature to be over a SHA-256 or
SHA-512 hash instead of the SHA-1 standardised in ssh-rsa.
This commit adds support for the mandatory part of this protocol: we
notice the flags word at all (previously we stopped parsing the packet
before even finding it there), and return failure to the signing
request if it has any flag set that we don't support, which currently
means if it has any flag set whatsoever.
While I'm here, I've also added an error check for an undecodable sign
request. (It seemed silly to be checking get_err(msg) _after_ trying
to read the flags word without also having checked it before.)
pageant.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
commit 7d4a276fc1e5441d265cf0b1de0ac477b92b2e1f
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=7d4a276fc1e5441d265cf0b1de0ac477b92b2e1f;hp=74f792e00b4dbbfd80300a5fab412147d56ade11
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Nov 19 20:24:37 2018 +0000
Pass flags from agent sign request to ssh_key_sign.
Now each public-key algorithm gets to indicate what flags it supports,
and the ones it specifies support for may turn up in a call to its
sign() method.
We still don't actually support any flags yet, though.
pageant.c | 10 ++++++----
ssh.h | 7 +++++--
ssh2kex-server.c | 2 +-
ssh2userauth.c | 2 +-
sshdss.c | 3 ++-
sshecc.c | 6 +++++-
sshrsa.c | 3 ++-
7 files changed, 22 insertions(+), 11 deletions(-)
commit 13b29008b40249ded5af594b8c93ffb99d79b316
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=13b29008b40249ded5af594b8c93ffb99d79b316;hp=7d4a276fc1e5441d265cf0b1de0ac477b92b2e1f
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Nov 19 20:46:59 2018 +0000
Support SHA-256 and SHA-512 based RSA signatures.
Now the RSA signing function supports the two flags defined in
draft-miller-ssh-agent-02, and uses them to generate RSA signatures
based on SHA-256 and SHA-512, which look exactly like the ordinary
kind of RSA SHA-1 signature except that the decoded signature integer
has a different hash at the bottom and an ASN.1 identifying prefix to
match, and also the signature-type string prefixing the integer
changes from "ssh-rsa" to "rsa-sha2-256" or "rsa-sha2-512" as
appropriate.
We don't _accept_ signatures of these new types - that would need an
entirely different protocol extension - and we don't generate them
under any circumstances other than Pageant receiving a sign request
with one of those flags set.
ssh.h | 6 ++++++
sshrsa.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++--------------
2 files changed, 62 insertions(+), 15 deletions(-)
More information about the tartarus-commits
mailing list