author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:51:37 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:33 +1100 |
commit | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch) | |
tree | adb2a736c1b9f6346d342600877818631f9dbb3d /ssh-keygen.c | |
parent | d2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff) |
upstream: Add new structure for signature options
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.
with and ok markus@
OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 13 |
1 files changed, 10 insertions, 3 deletions
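--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.369 2019/11/18 23:16:49 naddy Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.370 2019/11/25 00:51:37 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -584,7 +584,7 @@ do_convert_private_ssh2(struct sshbuf *b)
 if (sshkey_sign(key, &sig, &slen, data, sizeof(data),
 NULL, NULL, 0) != 0 ||
 sshkey_verify(key, sig, slen, data, sizeof(data),
-NULL, 0) != 0) {
+NULL, 0, NULL) != 0) {
 sshkey_free(key);
 free(sig);
 return NULL;
@@ -2657,7 +2657,9 @@ verify(const char *signature, const char *sig_namespace, const char *principal,
 struct sshbuf *sigbuf = NULL, *abuf = NULL;
 struct sshkey *sign_key = NULL;
 char *fp = NULL;
+struct sshkey_sig_details *sig_details = NULL;
 
+memset(&sig_details, 0, sizeof(sig_details));
 if ((abuf = sshbuf_new()) == NULL)
 fatal("%s: sshbuf_new() failed", __func__);
 
@@ -2675,13 +2677,17 @@ verify(const char *signature, const char *sig_namespace, const char *principal,
 return r;
 }
 if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace,
-&sign_key)) != 0)
+&sign_key, &sig_details)) != 0)
 goto done; /* sshsig_verify() prints error */
 
 if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash,
 SSH_FP_DEFAULT)) == NULL)
 fatal("%s: sshkey_fingerprint failed", __func__);
 debug("Valid (unverified) signature from key %s", fp);
+if (sig_details != NULL) {
+debug2("%s: signature details: counter = %u, flags = 0x%02x",
+__func__, sig_details->sk_counter, sig_details->sk_flags);
+}
 free(fp);
 fp = NULL;
 
@@ -2726,6 +2732,7 @@ done:
 sshbuf_free(sigbuf);
 sshbuf_free(abuf);
 sshkey_free(sign_key);
+sshkey_sig_details_free(sig_details);
 free(fp);
 return ret;
 }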
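Review bot: In verify(), the added `memset(&sig_details, 0, sizeof(sig_details));` (new line 2662) clears the pointer variable itself, not a structure, because `sig_details` is declared as `struct sshkey_sig_details *` and is already initialised to NULL on the declaration above. It is harmless at runtime but reads like a leftover from a by-value struct, and a later reader may wrongly assume a details structure has been zeroed before sshsig_verify_fd() fills it; I would delete the memset and rely on `struct sshkey_sig_details *sig_details = NULL;`. Separately, the recorded `sk_flags` and `sk_counter` are only logged at debug2 here, so if a flag policy on security-key signatures is meant to be enforced for this verification path, a short comment such as `/* sk_flags are informational here; policy is enforced in <location> */` would make that explicit (the check may live outside the visible hunks). verify() starts and ends outside the hunks shown.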