upstream: Add new structure for signature options

This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
author: djm@openbsd.org <djm@openbsd.org> 2019-11-25 00:51:37 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-25 12:23:33 +1100
commit: b7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch)
tree: adb2a736c1b9f6346d342600877818631f9dbb3d /monitor_wrap.c
parent: d2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff)
1 files changed, 19 insertions, 4 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 5b42c0e56..06599e3b1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.115 2019/11/18 16:10:05 naddy Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.116 2019/11/25 00:51:37 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -495,15 +495,19 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
 int
 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
-    const u_char *data, size_t datalen, const char *sigalg, u_int compat)
+    const u_char *data, size_t datalen, const char *sigalg, u_int compat,
+    struct sshkey_sig_details **sig_detailsp)
 {
        struct sshbuf *m;
        u_int encoded_ret = 0;
        int r;
+        u_char sig_details_present, flags;
+        u_int counter;
        debug3("%s entering", __func__);
+        if (sig_detailsp != NULL)
+                *sig_detailsp = NULL;
        if ((m = sshbuf_new()) == NULL)
                fatal("%s: sshbuf_new failed", __func__);
        if ((r = sshkey_puts(key, m)) != 0 ||
@@ -518,8 +522,19 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
        mm_request_receive_expect(pmonitor->m_recvfd,
            MONITOR_ANS_KEYVERIFY, m);
-        if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0)
+        if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0 ||
+            (r = sshbuf_get_u8(m, &sig_details_present)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (sig_details_present && encoded_ret == 0) {
+                if ((r = sshbuf_get_u32(m, &counter)) != 0 ||
+                    (r = sshbuf_get_u8(m, &flags)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+                if (sig_detailsp != NULL) {
+                        *sig_detailsp = xcalloc(1, sizeof(**sig_detailsp));
+                        (*sig_detailsp)->sk_counter = counter;
+                        (*sig_detailsp)->sk_flags = flags;
+                }
+        }
        sshbuf_free(m);
author	djm@openbsd.org <djm@openbsd.org>	2019-11-25 00:51:37 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-25 12:23:33 +1100
commit	b7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch)
tree	adb2a736c1b9f6346d342600877818631f9dbb3d /monitor_wrap.c
parent	d2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 5b42c0e56..06599e3b1 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor_wrap.c,v 1.115 2019/11/18 16:10:05 naddy Exp $ */	1	/* $OpenBSD: monitor_wrap.c,v 1.116 2019/11/25 00:51:37 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -495,15 +495,19 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
495		495
496	int	496	int
497	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,	497	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
498	const u_char data, size_t datalen, const char sigalg, u_int compat)	498	const u_char data, size_t datalen, const char sigalg, u_int compat,
		499	struct sshkey_sig_details **sig_detailsp)
499	{	500	{
500	struct sshbuf *m;	501	struct sshbuf *m;
501	u_int encoded_ret = 0;	502	u_int encoded_ret = 0;
502	int r;	503	int r;
		504	u_char sig_details_present, flags;
		505	u_int counter;
503		506
504	debug3("%s entering", __func__);	507	debug3("%s entering", __func__);
505		508
506		509	if (sig_detailsp != NULL)
		510	*sig_detailsp = NULL;
507	if ((m = sshbuf_new()) == NULL)	511	if ((m = sshbuf_new()) == NULL)
508	fatal("%s: sshbuf_new failed", __func__);	512	fatal("%s: sshbuf_new failed", __func__);
509	if ((r = sshkey_puts(key, m)) != 0 \|\|	513	if ((r = sshkey_puts(key, m)) != 0 \|\|
@@ -518,8 +522,19 @@ mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
518	mm_request_receive_expect(pmonitor->m_recvfd,	522	mm_request_receive_expect(pmonitor->m_recvfd,
519	MONITOR_ANS_KEYVERIFY, m);	523	MONITOR_ANS_KEYVERIFY, m);
520		524
521	if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0)	525	if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0 \|\|
		526	(r = sshbuf_get_u8(m, &sig_details_present)) != 0)
522	fatal("%s: buffer error: %s", __func__, ssh_err(r));	527	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		528	if (sig_details_present && encoded_ret == 0) {
		529	if ((r = sshbuf_get_u32(m, &counter)) != 0 \|\|
		530	(r = sshbuf_get_u8(m, &flags)) != 0)
		531	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		532	if (sig_detailsp != NULL) {
		533	sig_detailsp = xcalloc(1, sizeof(*sig_detailsp));
		534	(*sig_detailsp)->sk_counter = counter;
		535	(*sig_detailsp)->sk_flags = flags;
		536	}
		537	}
523		538
524	sshbuf_free(m);	539	sshbuf_free(m);
525		540