bugzilla-daemon at bugzilla.mindrot.org
2019-May-29 13:55 UTC
[Bug 3016] New: (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

            Bug ID: 3016
           Summary: (still) not generating correct RSA SHA2 signatures from
                    certificate files loaded in ssh-agent
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3288
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3288&action=edit
use correct algorithm identification in ssh-agent

If I read the certkeys specification [1] and the source code correctly, the ssh-agent does not generate correct signatures when the certificate is loaded in the agent.

The agent_decode_alg() function [2] looks only at the actual key type and, for certificate key types, does not generate the correct alg argument for the sshkey_sign() function (ending with a raw ssh-rsa signature).

This is not the same as what happens in sshconnect2.c in key_sig_algorithm() [3], where the certificate types are also taken into account and the alg argument to sshkey_sign() is properly formatted.

I do not have a separate reproducer inside of OpenSSH since I was using the OpenSSH agent, a libssh client and an OpenSSH server, which failed to verify these signatures (when the base rsa-ssh algorithms were disabled).

The attached patch resolved the issue for me in the above setup. I am not sure whether there is a more elegant way to achieve the same.

[1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L41
[2] https://github.com/openssh/openssh-portable/blob/master/ssh-agent.c#L265
[3] https://github.com/openssh/openssh-portable/blob/master/sshconnect2.c#L1102

--
You are receiving this mail because:
You are watching the assignee of the bug.
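Added example, not part of the original report and not OpenSSH source code: a simplified C model of the flag-to-algorithm mapping the report describes, next to a certificate-aware variant, with a small model of which signature format the RSA signer then emits. The enum, the flag values and all three function names are assumptions defined locally for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for this sketch (assumptions, not copied from OpenSSH headers). */
enum key_type { KEY_RSA, KEY_RSA_CERT, KEY_ED25519 };
#define SSH_AGENT_RSA_SHA2_256 0x02
#define SSH_AGENT_RSA_SHA2_512 0x04

/* Mapping as described in the report: only the plain RSA key type is considered. */
static const char *decode_alg_reported(enum key_type t, unsigned flags)
{
	if (t == KEY_RSA) {
		if (flags & SSH_AGENT_RSA_SHA2_256) return "rsa-sha2-256";
		if (flags & SSH_AGENT_RSA_SHA2_512) return "rsa-sha2-512";
	}
	return NULL;	/* no algorithm name: the signer uses its default */
}

/* Certificate-aware variant: RSA certificates map to the matching cert algorithm name. */
static const char *decode_alg_cert_aware(enum key_type t, unsigned flags)
{
	if (t == KEY_RSA_CERT) {
		if (flags & SSH_AGENT_RSA_SHA2_256) return "rsa-sha2-256-cert-v01@openssh.com";
		if (flags & SSH_AGENT_RSA_SHA2_512) return "rsa-sha2-512-cert-v01@openssh.com";
	}
	return decode_alg_reported(t, flags);
}

/* Model of the RSA signer: a missing algorithm name yields a legacy "ssh-rsa" signature. */
static const char *rsa_sig_format(const char *alg)
{
	if (alg == NULL || *alg == '\0') return "ssh-rsa";
	if (strncmp(alg, "rsa-sha2-256", 12) == 0) return "rsa-sha2-256";
	if (strncmp(alg, "rsa-sha2-512", 12) == 0) return "rsa-sha2-512";
	return "ssh-rsa";
}

int main(void)
{
	unsigned flags = SSH_AGENT_RSA_SHA2_256;	/* client asks for RSA/SHA-256 */

	printf("reported mapping, RSA cert:   %s\n",
	    rsa_sig_format(decode_alg_reported(KEY_RSA_CERT, flags)));
	printf("cert-aware mapping, RSA cert: %s\n",
	    rsa_sig_format(decode_alg_cert_aware(KEY_RSA_CERT, flags)));
	return 0;
}
```

A peer that has disabled the base ssh-rsa signature algorithm rejects the first result, which matches the verification failure described in the report.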
bugzilla-daemon at bugzilla.mindrot.org
2019-May-31 03:25 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915
                 CC|                            |djm at mindrot.org

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2019-May-31 03:25 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2915                        |2988

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
bugzilla-daemon at bugzilla.mindrot.org
2019-May-31 03:27 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Looks correct (sigh); I'll get it committed
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-07 04:09 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3288|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-07 05:06 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3288|ok?(dtucker at dtucker.net)   |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-14 03:53 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Committed in 2317ce4b0ed7d and will be available in OpenSSH 8.1. I'll also cherry-pick this to the V_8_0 stable branch.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:55 UTC
[Bug 3016] (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3016

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release