authordjm <djm@openbsd.org>2019-11-25 00:51:37 +0000
committerdjm <djm@openbsd.org>2019-11-25 00:51:37 +0000
commit493ad5b0cda90d3335585277887b26e978bef3b6 (patch)
treed56576bd7393accdc91415a6ce55a1cbd4a4b573 /usr.bin/ssh/ssh-ecdsa-sk.c
parentmemleak in error path (diff)
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@
Diffstat (limited to 'usr.bin/ssh/ssh-ecdsa-sk.c')
-rw-r--r--usr.bin/ssh/ssh-ecdsa-sk.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/usr.bin/ssh/ssh-ecdsa-sk.c b/usr.bin/ssh/ssh-ecdsa-sk.c
index 0b943f45ec8..c75db2acb1c 100644
--- a/usr.bin/ssh/ssh-ecdsa-sk.c
+++ b/usr.bin/ssh/ssh-ecdsa-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa-sk.c,v 1.3 2019/11/25 00:38:17 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa-sk.c,v 1.4 2019/11/25 00:51:37 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -47,7 +47,8 @@
int
ssh_ecdsa_sk_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
- const u_char *data, size_t datalen, u_int compat)
+ const u_char *data, size_t datalen, u_int compat,
+ struct sshkey_sig_details **detailsp)
{
ECDSA_SIG *sig = NULL;
BIGNUM *sig_r = NULL, *sig_s = NULL;
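Review bot: The new `detailsp` out-parameter added to the signature of `ssh_ecdsa_sk_verify` has no comment stating its contract. Going by the later hunks, `*detailsp` is set to NULL on entry and assigned only on the success path, with ownership passing to the caller; a comment above the function such as `/* On success *detailsp (if non-NULL) receives a caller-owned struct, released with sshkey_sig_details_free(); on any error it is NULL. */` would record that. The visible hunks copy `sig_flags` into the details but do not test it, so it looks as if a caller that needs to check a security-key flag must pass a non-NULL `detailsp` and inspect `sk_flags` itself; that is worth stating in the same comment. The function body continues outside this hunk.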
@@ -57,10 +58,13 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL, *sigbuf = NULL, *original_signed = NULL;
char *ktype = NULL;
+ struct sshkey_sig_details *details = NULL;
#ifdef DEBUG_SK
char *tmp = NULL;
#endif
+ if (detailsp != NULL)
+ *detailsp = NULL;
if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA_SK ||
signature == NULL || signaturelen == 0)
@@ -143,6 +147,12 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
if ((ret = ssh_digest_buffer(SSH_DIGEST_SHA256, original_signed,
sighash, sizeof(sighash))) != 0)
goto out;
+ if ((details = calloc(1, sizeof(*details))) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ details->sk_counter = sig_counter;
+ details->sk_flags = sig_flags;
#ifdef DEBUG_SK
fprintf(stderr, "%s: signed buf:\n", __func__);
sshbuf_dump(original_signed, stderr);
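Review bot: The `calloc` of `details` runs even when the caller passed `detailsp == NULL`, so an allocation failure returns `SSH_ERR_ALLOC_FAIL` for a verification whose details nobody asked for. Wrapping the six added lines in `if (detailsp != NULL) { ... }` would avoid the throwaway allocation and keep the NULL-`detailsp` path behaving as it did before this commit. The cleanup at `out:` already calls `sshkey_sig_details_free(details)` unconditionally, and must presumably accept NULL for the earlier `goto out` paths. The enclosing function starts and ends outside this hunk.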
@@ -162,13 +172,18 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
-
+ /* success */
+ if (detailsp != NULL) {
+ *detailsp = details;
+ details = NULL;
+ }
out:
explicit_bzero(&sig_flags, sizeof(sig_flags));
explicit_bzero(&sig_counter, sizeof(sig_counter));
explicit_bzero(msghash, sizeof(msghash));
explicit_bzero(sighash, sizeof(msghash));
explicit_bzero(apphash, sizeof(apphash));
+ sshkey_sig_details_free(details);
sshbuf_free(original_signed);
sshbuf_free(sigbuf);
sshbuf_free(b);
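Review bot: At `out:` the stack copies `sig_flags` and `sig_counter` are scrubbed with `explicit_bzero`, while the heap copies of the same values in `details` are released through `sshkey_sig_details_free`, whose body is not shown on this page. If that helper is a plain `free()`, the values remain in freed heap memory on the failure path, which is inconsistent with the scrubbing around it; confirm it clears the struct, for example with `freezero(details, sizeof(*details))`. The call is also reached with `details == NULL` on early errors and after the handoff to `*detailsp`, so the helper has to accept NULL, as the neighbouring `sshbuf_free` calls appear to. The function continues outside this hunk.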