From 132ed59d3f2e39a2a4a6669bc58ec657aa0a5ad1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 29 May 2019 15:59:52 +0200
Subject: [PATCH] agent: Use SHA2 signatures also for RSA certificates

There is actually a bug in OpenSSH's ssh-agent of handling these requests [1], but this change follows the way how OpenSSH clients behave in regards to the communication with agent. Without this change, the agent is asked to provide SHA1 signature with certificates, which is not right if we negotiated SHA2 extensions. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=3016
Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
src/agent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/agent.c b/src/agent.c
index 78be33e6..c34f3fc4 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -536,7 +536,7 @@ ssh_string ssh_agent_sign_data(ssh_session session,
 }
 /* Add Flags: SHA2 extension (RFC 8332) if negotiated */
- if (pubkey->type == SSH_KEYTYPE_RSA) {
+ if (ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA) {
 if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
 flags |= SSH_AGENT_RSA_SHA2_512;
 } else if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
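Review bot: Nothing in this hunk confirms that the agent actually honoured the SHA2 flags that `if (ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA)` now requests for RSA certificates. The commit message itself points at an agent-side bug in handling these requests, so an affected agent may still return an `ssh-rsa` (SHA1) signature even though `rsa-sha2-512` or `rsa-sha2-256` was asked for. The rest of ssh_agent_sign_data lies outside the hunk; if it does not already do so, the algorithm name in the returned signature blob should be compared with the one implied by `flags`, and the call should fail on a mismatch rather than hand a SHA1 signature to the caller. The comment above the branch could record this, e.g. `/* Add Flags: SHA2 extension (RFC 8332) if negotiated; also sent for RSA certificates, which some agents ignore */`.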