mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
agent: unknown flags on ssh signing requests cause an error.
* agent/command-ssh.c (ssh_handler_sign_request): if a flag is passed during an signature request that we do not know how to apply, return GPG_ERR_UNKNOWN_OPTION. -- https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.5 says: If the agent does not support the requested flags, or is otherwise unable or unwilling to generate the signature (e.g. because it doesn't have the specified key, or the user refused confirmation of a constrained key), it must reply with a SSH_AGENT_FAILURE message. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> GnuPG-bug-id: 3880
This commit is contained in:
parent
55435cdd4f
commit
381c46818f
@ -2864,7 +2864,7 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
|
|||||||
unsigned char *sig = NULL;
|
unsigned char *sig = NULL;
|
||||||
size_t sig_n;
|
size_t sig_n;
|
||||||
u32 data_size;
|
u32 data_size;
|
||||||
u32 flags;
|
u32 flags, known_flags = 0;
|
||||||
gpg_error_t err;
|
gpg_error_t err;
|
||||||
gpg_error_t ret_err;
|
gpg_error_t ret_err;
|
||||||
int hash_algo;
|
int hash_algo;
|
||||||
@ -2890,6 +2890,7 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
|
|||||||
|
|
||||||
if (spec.algo == GCRY_PK_RSA)
|
if (spec.algo == GCRY_PK_RSA)
|
||||||
{
|
{
|
||||||
|
known_flags = SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512;
|
||||||
if ((flags & SSH_AGENT_RSA_SHA2_256))
|
if ((flags & SSH_AGENT_RSA_SHA2_256))
|
||||||
{
|
{
|
||||||
spec.ssh_identifier = "rsa-sha2-256";
|
spec.ssh_identifier = "rsa-sha2-256";
|
||||||
@ -2902,6 +2903,13 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* some flag is present that we do not know about. */
|
||||||
|
if (flags & ~known_flags)
|
||||||
|
{
|
||||||
|
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
hash_algo = spec.hash_algo;
|
hash_algo = spec.hash_algo;
|
||||||
if (!hash_algo)
|
if (!hash_algo)
|
||||||
hash_algo = GCRY_MD_SHA1; /* Use the default. */
|
hash_algo = GCRY_MD_SHA1; /* Use the default. */
|
||||||
|
Loading…
x
Reference in New Issue
Block a user