mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
userauth: fix replacement of embedded with detached RSA cert.
If you specify a detached certificate, it's supposed to completely replace any certificate that might have been embedded in the input PPK file. But one thing wasn't working: if the key was RSA, and the server was using new SHA-2 based RSA, and the user provided both an embedded _and_ detached certificate, then the initial call to ssh2_userauth_signflags would upgrade the ssh-rsa-cert-... key type to rsa-sha2-NNN-cert-..., which ssh2_userauth_add_alg_and_publickey's call to ssh_keyalg_related_alg would not recognise as any of the base RSA types while trying to decide on the key algorithm string _after_ replacing the certificate. Fixed by reverting to the the uncertified base algorithm before calling ssh_keyalg_related_alg.
This commit is contained in:
parent
70aabdc67c
commit
cfe6fd95a7
@ -2373,7 +2373,18 @@ static void ssh2_userauth_add_alg_and_publickey(
|
||||
ppl_logevent("Sending public key with certificate from \"%s\"",
|
||||
filename_to_str(s->detached_cert_file));
|
||||
}
|
||||
put_stringz(pkt, ssh_keyalg_related_alg(certalg, pkalg)->ssh_id);
|
||||
{
|
||||
/* Strip off any existing certificate-nature from pkalg,
|
||||
* for the case where we're replacing a cert embedded in
|
||||
* the key with the detached one. The second argument of
|
||||
* ssh_keyalg_related_alg is expected to be one of the
|
||||
* bare key algorithms, or nothing useful will happen. */
|
||||
const ssh_keyalg *pkalg_base =
|
||||
pkalg->base_alg ? pkalg->base_alg : pkalg;
|
||||
const ssh_keyalg *output_alg =
|
||||
ssh_keyalg_related_alg(certalg, pkalg_base);
|
||||
put_stringz(pkt, output_alg->ssh_id);
|
||||
}
|
||||
put_stringpl(pkt, ptrlen_from_strbuf(s->detached_cert_blob));
|
||||
done = true;
|
||||
goto out;
|
||||
|
Loading…
Reference in New Issue
Block a user