From 661a795ce3c4e4c6f33de3f542701e7c54ad7d17 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 6 Jan 2022 22:05:42 +0000
Subject: [PATCH] add a helper function to match a key type to a list of signature algorithms. RSA keys can make signatures with multiple algorithms, so some special handling is required. ok markus@
---
 usr.bin/ssh/sshkey.c | 25 ++++++++++++++++++++++++-
 usr.bin/ssh/sshkey.h | 6 +++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index 193f6ec11ff..cdc29e586a4 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.119 2021/07/23 03:37:52 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.120 2022/01/06 22:05:42 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -234,6 +234,29 @@ sshkey_ecdsa_nid_from_name(const char *name)
 return -1;
 }
+int
+sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
+{
+ int ktype;
+
+ if (sigalgs == NULL || *sigalgs == '\0' ||
+ (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
+ return 0;
+ else if (ktype == KEY_RSA) {
+ return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
+ } else if (ktype == KEY_RSA_CERT) {
+ return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+ sigalgs, 0) == 1;
+ } else
+ return match_pattern_list(keyname, sigalgs, 0) == 1;
+}
+
 char *
 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
 {
diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h
index ecae86e8eb7..125cadb64df 100644
--- a/usr.bin/ssh/sshkey.h
+++ b/usr.bin/ssh/sshkey.h
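Review bot: The guard `if (sigalgs == NULL || *sigalgs == '\0' || (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)` checks sigalgs for NULL but hands keyname through unchecked; unless sshkey_type_from_name() tolerates a NULL name (its body is not in this hunk), `keyname == NULL ||` belongs at the front of that condition, or the header comment should state that keyname must be non-NULL. The three RSA and three RSA-cert algorithm names are hard-coded literals, while sshkey_alg_list() immediately below already walks the key-type table with an include_sigonly flag; deriving the RSA signature-algorithm names from that same table would keep the two in step when an algorithm is added or retired. A short comment above the function would also help readers: `/* Returns 1 if keyname (or, for RSA, any of its signature algorithm names) matches the sigalgs pattern list, else 0; match_pattern_list() returns -1 for a negated match, hence the explicit == 1 tests. */`. Note that a match on the legacy ssh-rsa name alone is enough for an RSA key to count as matched, so a caller that wants SHA-2-only acceptance must constrain sigalgs itself.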
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.50 2021/07/23 03:37:52 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.51 2022/01/06 22:05:42 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -186,6 +186,10 @@ int sshkey_is_cert(const struct sshkey *);
 int sshkey_is_sk(const struct sshkey *);
 int sshkey_type_is_cert(int);
 int sshkey_type_plain(int);
+
+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */
+int sshkey_match_keyname_to_sigalgs(const char *, const char *);
+
 int sshkey_to_certified(struct sshkey *);
 int sshkey_drop_cert(struct sshkey *);
 int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
-- 
2.20.1
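Review bot: The comment added above the new prototype, `/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */`, has a grammar slip and leaves both the RSA behaviour and the zero-return cases unstated, which is the information a caller of a header-declared predicate needs. Suggest `/* Returns 1 if keyname matches the sigalgs pattern list; an RSA key name (plain or -cert) matches if any of its signature algorithm names does. Returns 0 if sigalgs is NULL/empty or keyname is not a known key type. */`. Whether a NULL keyname is accepted is not stated here or in the implementation hunk; if it is not, the comment should say so.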