author | 2019-01-21 10:07:22 +0000 | |
---|---|---|
committer | 2019-01-21 10:07:22 +0000 | |
commit | 39992f4a3cbca6877328fab7bf86d3b0c09d2267 (patch) | |
tree | 742e5a0db66963c06d9418e7610c8eb95935c93e | |
parent | factor out kex_load_hostkey() - this is duplicated in both the client and (diff) | |
factor out kex_verify_host_key() - again, duplicated almost exactly
across client and server for several KEX methods.
from markus@ ok djm@
-rw-r--r-- | usr.bin/ssh/kex.c | 18 | ||||
-rw-r--r-- | usr.bin/ssh/kex.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/kexc25519c.c | 17 | ||||
-rw-r--r-- | usr.bin/ssh/kexdhc.c | 16 | ||||
-rw-r--r-- | usr.bin/ssh/kexecdhc.c | 16 | ||||
-rw-r--r-- | usr.bin/ssh/kexgexc.c | 16 |
6 files changed, 27 insertions, 59 deletions
diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index 068384a152d..1ec7cf69424 100644
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.145 2019/01/21 10:05:09 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.146 2019/01/21 10:07:22 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -1058,6 +1058,22 @@ kex_load_hostkey(struct ssh *ssh, struct sshkey **pubp, struct sshkey **prvp)
 return 0;
 }
 
+int
+kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
+{
+ struct kex *kex = ssh->kex;
+
+ if (kex->verify_host_key == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ if (server_host_key->type != kex->hostkey_type ||
+ (kex->hostkey_type == KEY_ECDSA &&
+ server_host_key->ecdsa_nid != kex->hostkey_nid))
+ return SSH_ERR_KEY_TYPE_MISMATCH;
+ if (kex->verify_host_key(server_host_key, ssh) == -1)
+ return SSH_ERR_SIGNATURE_INVALID;
+ return 0;
+}
+
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
 void
 dump_digest(char *msg, u_char *digest, int len)
diff --git a/usr.bin/ssh/kex.h b/usr.bin/ssh/kex.h
index 6f7964dfaf1..87b1e510b8d 100644
--- a/usr.bin/ssh/kex.h
+++ b/usr.bin/ssh/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.97 2019/01/21 10:05:09 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.98 2019/01/21 10:07:22 djm Exp $ */
 
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -169,6 +169,7 @@ int kex_buf2prop(struct sshbuf *, int *, char ***);
 int kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
 void kex_prop_free(char **);
 int kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
+int kex_verify_host_key(struct ssh *, struct sshkey *);
 
 int kex_send_kexinit(struct ssh *);
 int kex_input_kexinit(int, u_int32_t, struct ssh *);
diff --git a/usr.bin/ssh/kexc25519c.c b/usr.bin/ssh/kexc25519c.c
index 23b029fac76..eb285b28111 100644
--- a/usr.bin/ssh/kexc25519c.c
+++ b/usr.bin/ssh/kexc25519c.c
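Review bot: kex_verify_host_key() in the kex.c hunk becomes a public helper via kex.h but has no comment stating its contract, and it dereferences ssh->kex and server_host_key without a guard, so a caller other than the four client paths in this commit could pass a NULL key on an earlier parse failure; a one-line `if (kex == NULL || server_host_key == NULL) return SSH_ERR_INVALID_ARGUMENT;` at the top would make it safe to reuse. A header comment is worth adding because the type/nid comparison is what binds the key the peer presents to the host key algorithm negotiated in KEXINIT, e.g. `/* Check that the server host key matches the negotiated hostkey algorithm (type, and curve for ECDSA) and passes the application's verify_host_key callback; returns 0 or an SSH_ERR_* code. */`. The callback result is compared only against -1, so any other non-zero return is treated as success; if the callback contract is 0 on success, `if (kex->verify_host_key(server_host_key, ssh) != 0)` fails closed on unexpected values. The callback rejection is mapped to SSH_ERR_SIGNATURE_INVALID, which is a host-key policy failure rather than a signature failure, so a short comment on that line would help callers that log or branch on the error code.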
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519c.c,v 1.11 2019/01/21 09:55:52 djm Exp $ */
+/* $OpenBSD: kexc25519c.c,v 1.12 2019/01/21 10:07:22 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -78,27 +78,14 @@ input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh)
 size_t slen, pklen, sbloblen, hashlen;
 int r;
 
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
-
 /* hostkey */
 if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 &sbloblen)) != 0 ||
 (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 &server_host_key)) != 0)
 goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
+ if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
 
 /* Q_S, server public key */
 /* signed H */
diff --git a/usr.bin/ssh/kexdhc.c b/usr.bin/ssh/kexdhc.c
index 58d546f9183..ca81b2d9e3d 100644
--- a/usr.bin/ssh/kexdhc.c
+++ b/usr.bin/ssh/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.28 2019/01/21 10:03:37 djm Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.29 2019/01/21 10:07:22 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 *
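Review bot: In input_kex_c25519_reply the verify_host_key == NULL guard, now inside kex_verify_host_key(), runs only after the host key blob has been read from the packet and parsed by sshkey_from_blob(), whereas the removed inline check failed before any peer-supplied data was touched; the kexdhc.c, kexecdhc.c and kexgexc.c hunks reorder the same way. The function still returns an error before the key is used and before f/Q_S or the signature are consumed, so this is a change in error ordering rather than a defect, but it deserves a sentence in the commit message since the old early-exit was the only point at which a misconfigured kex failed without parsing input. A short comment at the new call site would keep that visible to readers, e.g. `/* type/nid must match the negotiated hostkey algorithm and the verify_host_key callback must accept it */`. input_kex_c25519_reply's body and its out: cleanup continue outside the hunk.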
@@ -88,26 +88,14 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
 size_t slen, sbloblen, hashlen;
 int r;
 
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
 /* key, cert */
 if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 &sbloblen)) != 0 ||
 (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 &server_host_key)) != 0)
 goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
+ if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
 /* DH parameter f, server public DH key, signed H */
 if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
 (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
diff --git a/usr.bin/ssh/kexecdhc.c b/usr.bin/ssh/kexecdhc.c
index af1d4b23160..ba1ff912b53 100644
--- a/usr.bin/ssh/kexecdhc.c
+++ b/usr.bin/ssh/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.15 2019/01/21 09:55:52 djm Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.16 2019/01/21 10:07:22 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -105,10 +105,6 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
 size_t klen = 0, hashlen;
 int r;
 
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
 group = kex->ec_group;
 client_key = kex->ec_client_key;
 
@@ -118,16 +114,8 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
 (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 &server_host_key)) != 0)
 goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
+ if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
 
 /* Q_S, server public key */
 /* signed H */
diff --git a/usr.bin/ssh/kexgexc.c b/usr.bin/ssh/kexgexc.c
index 22509d8a1aa..c0f7febcded 100644
--- a/usr.bin/ssh/kexgexc.c
+++ b/usr.bin/ssh/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.32 2019/01/21 10:03:37 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.33 2019/01/21 10:07:22 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -146,26 +146,14 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
 int r;
 
 debug("got SSH2_MSG_KEX_DH_GEX_REPLY");
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
 /* key, cert */
 if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 &sbloblen)) != 0 ||
 (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 &server_host_key)) != 0)
 goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
+ if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
 /* DH parameter f, server public DH key, signed H */
 if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
 (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||