summaryrefslogtreecommitdiff
path: root/sshsig.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-11-25 00:51:37 +0000
committerDamien Miller <djm@mindrot.org>2019-11-25 12:23:33 +1100
commitb7e74ea072919b31391bc0f5ff653f80b9f5e84f (patch)
treeadb2a736c1b9f6346d342600877818631f9dbb3d /sshsig.c
parentd2b0f88178ec9e3f11b606bf1004ac2fe541a2c3 (diff)
upstream: Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
Diffstat (limited to 'sshsig.c')
-rw-r--r--sshsig.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/sshsig.c b/sshsig.c
index 8c7aba1b9..abba3f67b 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -286,7 +286,7 @@ sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp)
286static int 286static int
287sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg, 287sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg,
288 const struct sshbuf *h_message, const char *expect_namespace, 288 const struct sshbuf *h_message, const char *expect_namespace,
289 struct sshkey **sign_keyp) 289 struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details)
290{ 290{
291 int r = SSH_ERR_INTERNAL_ERROR; 291 int r = SSH_ERR_INTERNAL_ERROR;
292 struct sshbuf *buf = NULL, *toverify = NULL; 292 struct sshbuf *buf = NULL, *toverify = NULL;
@@ -296,6 +296,8 @@ sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg,
296 size_t siglen; 296 size_t siglen;
297 297
298 debug("%s: verify message length %zu", __func__, sshbuf_len(h_message)); 298 debug("%s: verify message length %zu", __func__, sshbuf_len(h_message));
299 if (sig_details != NULL)
300 *sig_details = NULL;
299 if (sign_keyp != NULL) 301 if (sign_keyp != NULL)
300 *sign_keyp = NULL; 302 *sign_keyp = NULL;
301 303
@@ -361,7 +363,7 @@ sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg,
361 } 363 }
362 } 364 }
363 if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify), 365 if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify),
364 sshbuf_len(toverify), NULL, 0)) != 0) { 366 sshbuf_len(toverify), NULL, 0, sig_details)) != 0) {
365 error("Signature verification failed: %s", ssh_err(r)); 367 error("Signature verification failed: %s", ssh_err(r));
366 goto done; 368 goto done;
367 } 369 }
@@ -453,15 +455,17 @@ sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
453 455
454int 456int
455sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message, 457sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message,
456 const char *expect_namespace, struct sshkey **sign_keyp) 458 const char *expect_namespace, struct sshkey **sign_keyp,
459 struct sshkey_sig_details **sig_details)
457{ 460{
458 struct sshbuf *b = NULL; 461 struct sshbuf *b = NULL;
459 int r = SSH_ERR_INTERNAL_ERROR; 462 int r = SSH_ERR_INTERNAL_ERROR;
460 char *hashalg = NULL; 463 char *hashalg = NULL;
461 464
465 if (sig_details != NULL)
466 *sig_details = NULL;
462 if (sign_keyp != NULL) 467 if (sign_keyp != NULL)
463 *sign_keyp = NULL; 468 *sign_keyp = NULL;
464
465 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 469 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0)
466 return r; 470 return r;
467 debug("%s: signature made with hash \"%s\"", __func__, hashalg); 471 debug("%s: signature made with hash \"%s\"", __func__, hashalg);
@@ -470,7 +474,7 @@ sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message,
470 goto out; 474 goto out;
471 } 475 }
472 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 476 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace,
473 sign_keyp)) != 0) 477 sign_keyp, sig_details)) != 0)
474 goto out; 478 goto out;
475 /* success */ 479 /* success */
476 r = 0; 480 r = 0;
@@ -579,15 +583,17 @@ sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
579 583
580int 584int
581sshsig_verify_fd(struct sshbuf *signature, int fd, 585sshsig_verify_fd(struct sshbuf *signature, int fd,
582 const char *expect_namespace, struct sshkey **sign_keyp) 586 const char *expect_namespace, struct sshkey **sign_keyp,
587 struct sshkey_sig_details **sig_details)
583{ 588{
584 struct sshbuf *b = NULL; 589 struct sshbuf *b = NULL;
585 int r = SSH_ERR_INTERNAL_ERROR; 590 int r = SSH_ERR_INTERNAL_ERROR;
586 char *hashalg = NULL; 591 char *hashalg = NULL;
587 592
593 if (sig_details != NULL)
594 *sig_details = NULL;
588 if (sign_keyp != NULL) 595 if (sign_keyp != NULL)
589 *sign_keyp = NULL; 596 *sign_keyp = NULL;
590
591 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 597 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0)
592 return r; 598 return r;
593 debug("%s: signature made with hash \"%s\"", __func__, hashalg); 599 debug("%s: signature made with hash \"%s\"", __func__, hashalg);
@@ -596,7 +602,7 @@ sshsig_verify_fd(struct sshbuf *signature, int fd,
596 goto out; 602 goto out;
597 } 603 }
598 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 604 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace,
599 sign_keyp)) != 0) 605 sign_keyp, sig_details)) != 0)
600 goto out; 606 goto out;
601 /* success */ 607 /* success */
602 r = 0; 608 r = 0;