diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:51:37 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:33 +1100 |
commit | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch) | |
tree | adb2a736c1b9f6346d342600877818631f9dbb3d /ssh-ecdsa-sk.c | |
parent | d2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff) |
upstream: Add new structure for signature options
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.
with and ok markus@
OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
Diffstat (limited to 'ssh-ecdsa-sk.c')
-rw-r--r-- | ssh-ecdsa-sk.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c index f33fac714..b2f31ae2d 100644 --- a/ssh-ecdsa-sk.c +++ b/ssh-ecdsa-sk.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-ecdsa-sk.c,v 1.3 2019/11/25 00:38:17 djm Exp $ */ | 1 | /* $OpenBSD: ssh-ecdsa-sk.c,v 1.4 2019/11/25 00:51:37 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2010 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2010 Damien Miller. All rights reserved. |
@@ -53,7 +53,8 @@ | |||
53 | int | 53 | int |
54 | ssh_ecdsa_sk_verify(const struct sshkey *key, | 54 | ssh_ecdsa_sk_verify(const struct sshkey *key, |
55 | const u_char *signature, size_t signaturelen, | 55 | const u_char *signature, size_t signaturelen, |
56 | const u_char *data, size_t datalen, u_int compat) | 56 | const u_char *data, size_t datalen, u_int compat, |
57 | struct sshkey_sig_details **detailsp) | ||
57 | { | 58 | { |
58 | ECDSA_SIG *sig = NULL; | 59 | ECDSA_SIG *sig = NULL; |
59 | BIGNUM *sig_r = NULL, *sig_s = NULL; | 60 | BIGNUM *sig_r = NULL, *sig_s = NULL; |
@@ -63,10 +64,13 @@ ssh_ecdsa_sk_verify(const struct sshkey *key, | |||
63 | int ret = SSH_ERR_INTERNAL_ERROR; | 64 | int ret = SSH_ERR_INTERNAL_ERROR; |
64 | struct sshbuf *b = NULL, *sigbuf = NULL, *original_signed = NULL; | 65 | struct sshbuf *b = NULL, *sigbuf = NULL, *original_signed = NULL; |
65 | char *ktype = NULL; | 66 | char *ktype = NULL; |
67 | struct sshkey_sig_details *details = NULL; | ||
66 | #ifdef DEBUG_SK | 68 | #ifdef DEBUG_SK |
67 | char *tmp = NULL; | 69 | char *tmp = NULL; |
68 | #endif | 70 | #endif |
69 | 71 | ||
72 | if (detailsp != NULL) | ||
73 | *detailsp = NULL; | ||
70 | if (key == NULL || key->ecdsa == NULL || | 74 | if (key == NULL || key->ecdsa == NULL || |
71 | sshkey_type_plain(key->type) != KEY_ECDSA_SK || | 75 | sshkey_type_plain(key->type) != KEY_ECDSA_SK || |
72 | signature == NULL || signaturelen == 0) | 76 | signature == NULL || signaturelen == 0) |
@@ -149,6 +153,12 @@ ssh_ecdsa_sk_verify(const struct sshkey *key, | |||
149 | if ((ret = ssh_digest_buffer(SSH_DIGEST_SHA256, original_signed, | 153 | if ((ret = ssh_digest_buffer(SSH_DIGEST_SHA256, original_signed, |
150 | sighash, sizeof(sighash))) != 0) | 154 | sighash, sizeof(sighash))) != 0) |
151 | goto out; | 155 | goto out; |
156 | if ((details = calloc(1, sizeof(*details))) == NULL) { | ||
157 | ret = SSH_ERR_ALLOC_FAIL; | ||
158 | goto out; | ||
159 | } | ||
160 | details->sk_counter = sig_counter; | ||
161 | details->sk_flags = sig_flags; | ||
152 | #ifdef DEBUG_SK | 162 | #ifdef DEBUG_SK |
153 | fprintf(stderr, "%s: signed buf:\n", __func__); | 163 | fprintf(stderr, "%s: signed buf:\n", __func__); |
154 | sshbuf_dump(original_signed, stderr); | 164 | sshbuf_dump(original_signed, stderr); |
@@ -168,13 +178,18 @@ ssh_ecdsa_sk_verify(const struct sshkey *key, | |||
168 | ret = SSH_ERR_LIBCRYPTO_ERROR; | 178 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
169 | goto out; | 179 | goto out; |
170 | } | 180 | } |
171 | 181 | /* success */ | |
182 | if (detailsp != NULL) { | ||
183 | *detailsp = details; | ||
184 | details = NULL; | ||
185 | } | ||
172 | out: | 186 | out: |
173 | explicit_bzero(&sig_flags, sizeof(sig_flags)); | 187 | explicit_bzero(&sig_flags, sizeof(sig_flags)); |
174 | explicit_bzero(&sig_counter, sizeof(sig_counter)); | 188 | explicit_bzero(&sig_counter, sizeof(sig_counter)); |
175 | explicit_bzero(msghash, sizeof(msghash)); | 189 | explicit_bzero(msghash, sizeof(msghash)); |
176 | explicit_bzero(sighash, sizeof(msghash)); | 190 | explicit_bzero(sighash, sizeof(msghash)); |
177 | explicit_bzero(apphash, sizeof(apphash)); | 191 | explicit_bzero(apphash, sizeof(apphash)); |
192 | sshkey_sig_details_free(details); | ||
178 | sshbuf_free(original_signed); | 193 | sshbuf_free(original_signed); |
179 | sshbuf_free(sigbuf); | 194 | sshbuf_free(sigbuf); |
180 | sshbuf_free(b); | 195 | sshbuf_free(b); |