agent: Use SHA2 signatures also for RSA certificates

There is actually a bug in OpenSSH's ssh-agent in handling these
requests [1], but this change follows the way OpenSSH clients
behave with regard to the communication with the agent.

Without this change, the agent is asked to provide a SHA1 signature
with certificates, which is not right if we negotiated SHA2 extensions.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2019-05-29 15:59:52 +02:00
committed by Andreas Schneider
parent f91a5fce6e
commit 132ed59d3f

@@ -536,7 +536,7 @@ ssh_string ssh_agent_sign_data(ssh_session session,
}
/* Add Flags: SHA2 extension (RFC 8332) if negotiated */
if (pubkey->type == SSH_KEYTYPE_RSA) {
if (ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA) {
if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
flags |= SSH_AGENT_RSA_SHA2_512;
} else if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
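Review bot: the comment above the changed condition, "Add Flags: SHA2 extension (RFC 8332) if negotiated", still reads as if only plain RSA keys are affected. With the check now being `ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA`, it should say that RSA certificates get the SHA2 flags as well, so a later reader does not "simplify" it back to the direct type comparison. Since the commit message notes that OpenSSH's ssh-agent has a bug in handling these requests, it is also worth confirming that the caller checks which signature algorithm the agent actually returned rather than assuming `SSH_AGENT_RSA_SHA2_512` or the SHA256 flag was honored; that check is not visible in this hunk. A regression test that signs with an RSA certificate held in the agent while `SSH_EXT_SIG_RSA_SHA512` or `SSH_EXT_SIG_RSA_SHA256` is negotiated would cover both points.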