summaryrefslogtreecommitdiff
path: root/ssh-ecdsa-sk.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-11-25 00:51:37 +0000
committerDamien Miller <djm@mindrot.org>2019-11-25 12:23:33 +1100
commitb7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch)
treeadb2a736c1b9f6346d342600877818631f9dbb3d /ssh-ecdsa-sk.c
parentd2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff)
upstream: Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
Diffstat (limited to 'ssh-ecdsa-sk.c')
-rw-r--r--ssh-ecdsa-sk.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c
index f33fac714..b2f31ae2d 100644
--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-ecdsa-sk.c,v 1.3 2019/11/25 00:38:17 djm Exp $ */ 1/* $OpenBSD: ssh-ecdsa-sk.c,v 1.4 2019/11/25 00:51:37 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -53,7 +53,8 @@
53int 53int
54ssh_ecdsa_sk_verify(const struct sshkey *key, 54ssh_ecdsa_sk_verify(const struct sshkey *key,
55 const u_char *signature, size_t signaturelen, 55 const u_char *signature, size_t signaturelen,
56 const u_char *data, size_t datalen, u_int compat) 56 const u_char *data, size_t datalen, u_int compat,
57 struct sshkey_sig_details **detailsp)
57{ 58{
58 ECDSA_SIG *sig = NULL; 59 ECDSA_SIG *sig = NULL;
59 BIGNUM *sig_r = NULL, *sig_s = NULL; 60 BIGNUM *sig_r = NULL, *sig_s = NULL;
@@ -63,10 +64,13 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
63 int ret = SSH_ERR_INTERNAL_ERROR; 64 int ret = SSH_ERR_INTERNAL_ERROR;
64 struct sshbuf *b = NULL, *sigbuf = NULL, *original_signed = NULL; 65 struct sshbuf *b = NULL, *sigbuf = NULL, *original_signed = NULL;
65 char *ktype = NULL; 66 char *ktype = NULL;
67 struct sshkey_sig_details *details = NULL;
66#ifdef DEBUG_SK 68#ifdef DEBUG_SK
67 char *tmp = NULL; 69 char *tmp = NULL;
68#endif 70#endif
69 71
72 if (detailsp != NULL)
73 *detailsp = NULL;
70 if (key == NULL || key->ecdsa == NULL || 74 if (key == NULL || key->ecdsa == NULL ||
71 sshkey_type_plain(key->type) != KEY_ECDSA_SK || 75 sshkey_type_plain(key->type) != KEY_ECDSA_SK ||
72 signature == NULL || signaturelen == 0) 76 signature == NULL || signaturelen == 0)
@@ -149,6 +153,12 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
149 if ((ret = ssh_digest_buffer(SSH_DIGEST_SHA256, original_signed, 153 if ((ret = ssh_digest_buffer(SSH_DIGEST_SHA256, original_signed,
150 sighash, sizeof(sighash))) != 0) 154 sighash, sizeof(sighash))) != 0)
151 goto out; 155 goto out;
156 if ((details = calloc(1, sizeof(*details))) == NULL) {
157 ret = SSH_ERR_ALLOC_FAIL;
158 goto out;
159 }
160 details->sk_counter = sig_counter;
161 details->sk_flags = sig_flags;
152#ifdef DEBUG_SK 162#ifdef DEBUG_SK
153 fprintf(stderr, "%s: signed buf:\n", __func__); 163 fprintf(stderr, "%s: signed buf:\n", __func__);
154 sshbuf_dump(original_signed, stderr); 164 sshbuf_dump(original_signed, stderr);
@@ -168,13 +178,18 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
168 ret = SSH_ERR_LIBCRYPTO_ERROR; 178 ret = SSH_ERR_LIBCRYPTO_ERROR;
169 goto out; 179 goto out;
170 } 180 }
171 181 /* success */
182 if (detailsp != NULL) {
183 *detailsp = details;
184 details = NULL;
185 }
172 out: 186 out:
173 explicit_bzero(&sig_flags, sizeof(sig_flags)); 187 explicit_bzero(&sig_flags, sizeof(sig_flags));
174 explicit_bzero(&sig_counter, sizeof(sig_counter)); 188 explicit_bzero(&sig_counter, sizeof(sig_counter));
175 explicit_bzero(msghash, sizeof(msghash)); 189 explicit_bzero(msghash, sizeof(msghash));
176 explicit_bzero(sighash, sizeof(msghash)); 190 explicit_bzero(sighash, sizeof(msghash));
177 explicit_bzero(apphash, sizeof(apphash)); 191 explicit_bzero(apphash, sizeof(apphash));
192 sshkey_sig_details_free(details);
178 sshbuf_free(original_signed); 193 sshbuf_free(original_signed);
179 sshbuf_free(sigbuf); 194 sshbuf_free(sigbuf);
180 sshbuf_free(b); 195 sshbuf_free(b);