
Index: gnupg-2.2.5/agent/command-ssh.c
===================================================================
--- gnupg-2.2.5.orig/agent/command-ssh.c
+++ gnupg-2.2.5/agent/command-ssh.c
@@ -27,8 +27,8 @@
    RFC-4253 - Transport Layer Protocol
    RFC-5656 - ECC support
 
-   The protocol for the agent is defined in OpenSSH's PROTOCL.agent
-   file.
+   The protocol for the agent is defined in:
+     https://tools.ietf.org/html/draft-miller-ssh-agent
   */
 
 #include <config.h>
@@ -83,6 +83,8 @@
 /* Other constants.  */
 #define SSH_DSA_SIGNATURE_PADDING 20
 #define SSH_DSA_SIGNATURE_ELEMS    2
+#define SSH_AGENT_RSA_SHA2_256            0x02
+#define SSH_AGENT_RSA_SHA2_512            0x04
 #define SPEC_FLAG_USE_PKCS1V2 (1 << 0)
 #define SPEC_FLAG_IS_ECDSA    (1 << 1)
 #define SPEC_FLAG_IS_EdDSA    (1 << 2)  /*(lowercase 'd' on purpose.)*/
@@ -2860,7 +2862,6 @@ ssh_handler_sign_request (ctrl_t ctrl, e
   unsigned char *sig = NULL;
   size_t sig_n;
   u32 data_size;
-  u32 flags;
   gpg_error_t err;
   gpg_error_t ret_err;
   int hash_algo;
@@ -2880,10 +2881,39 @@ ssh_handler_sign_request (ctrl_t ctrl, e
   if (err)
     goto out;
 
-  /* FIXME?  */
-  err = stream_read_uint32 (request, &flags);
-  if (err)
-    goto out;
+  /* Flag processing.  */
+  {
+    u32 flags;
+
+    err = stream_read_uint32 (request, &flags);
+    if (err)
+      goto out;
+
+    if (spec.algo == GCRY_PK_RSA)
+      {
+        if ((flags & SSH_AGENT_RSA_SHA2_512))
+          {
+            flags &= ~SSH_AGENT_RSA_SHA2_512;
+            spec.ssh_identifier = "rsa-sha2-512";
+            spec.hash_algo = GCRY_MD_SHA512;
+          }
+        if ((flags & SSH_AGENT_RSA_SHA2_256))
+          {
+            /* Note: We prefer SHA256 over SHA512.  */
+            flags &= ~SSH_AGENT_RSA_SHA2_256;
+            spec.ssh_identifier = "rsa-sha2-256";
+            spec.hash_algo = GCRY_MD_SHA256;
+          }
+      }
+
+    /* Some flag is present that we do not know about.  Note that
+     * processed or known flags have been cleared at this point.  */
+    if (flags)
+      {
+        err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
+        goto out;
+      }
+  }
 
   hash_algo = spec.hash_algo;
   if (!hash_algo)
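Review bot: The SHA-256 branch only "wins" over SHA-512 because it is tested second and overwrites spec.ssh_identifier/spec.hash_algo; the comment inside it says the preference but not that it depends on statement order, so a later reordering would silently flip the choice. I would move the note to the top of the RSA block: `/* Checked in this order on purpose: when both RSA_SHA2 flags are set, the SHA2_256 branch runs last and wins.  */`. Worth also stating, in the same block, that the two flags are stripped only for RSA keys, so a request for a non-RSA key carrying them falls through to the `if (flags)` check and is rejected with GPG_ERR_UNKNOWN_OPTION rather than ignored — that fail-closed behaviour looks intentional but should be explicit. The two new defines in the earlier hunk (SSH_AGENT_RSA_SHA2_256/512) carry no comment; a one-liner pointing at the draft-miller-ssh-agent reference the first hunk adds to the file header would tie the values to their source. ssh_handler_sign_request begins before this hunk and its `out:` handling continues after it, so how GPG_ERR_UNKNOWN_OPTION is reported to the client is not visible here.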